From 8fce51bf831536c8ce6007d466b343360fc98a1d Mon Sep 17 00:00:00 2001
From: FlyingWithJerome <jxm959@case.edu>
Date: Wed, 29 Sep 2021 10:24:16 -0400
Subject: [PATCH 001/210] initial commit for SVCB/HTTPS records

---
 .vscode/c_cpp_properties.json          | 18 +++++++++
 .vscode/settings.json                  |  5 +++
 auxil/highwayhash                      |  2 +-
 doc                                    |  2 +-
 scripts/base/init-bare.zeek            |  6 +++
 scripts/base/protocols/dns/consts.zeek | 11 ++++++
 src/analyzer/protocol/dns/DNS.cc       | 53 ++++++++++++++++++++++++++
 src/analyzer/protocol/dns/DNS.h        | 31 +++++++++++++++
 src/analyzer/protocol/dns/events.bif   | 31 +++++++++++++++
 9 files changed, 157 insertions(+), 2 deletions(-)
 create mode 100644 .vscode/c_cpp_properties.json
 create mode 100644 .vscode/settings.json

diff --git a/.vscode/c_cpp_properties.json b/.vscode/c_cpp_properties.json
new file mode 100644
index 0000000000..e48e2b73cd
--- /dev/null
+++ b/.vscode/c_cpp_properties.json
@@ -0,0 +1,18 @@
+{
+    "configurations": [
+        {
+            "name": "Mac",
+            "includePath": [
+                "${default}",
+                "${workspaceFolder}/**"
+            ],
+            "defines": [],
+            "macFrameworkPath": [],
+            "compilerPath": "/usr/local/bin/gcc-11",
+            "cStandard": "gnu17",
+            "cppStandard": "gnu++17",
+            "intelliSenseMode": "macos-gcc-x64"
+        }
+    ],
+    "version": 4
+}
\ No newline at end of file
diff --git a/.vscode/settings.json b/.vscode/settings.json
new file mode 100644
index 0000000000..ed208baa59
--- /dev/null
+++ b/.vscode/settings.json
@@ -0,0 +1,5 @@
+{
+    "files.associations": {
+        "thread": "cpp"
+    }
+}
\ No newline at end of file
diff --git a/auxil/highwayhash b/auxil/highwayhash
index ca0ff296b1..2361494e04 160000
--- a/auxil/highwayhash
+++ b/auxil/highwayhash
@@ -1 +1 @@
-Subproject commit ca0ff296b116354957276cef2c61be171ac2f897
+Subproject commit 2361494e0400d52eb76d2c6c62db72168ebe69d0
diff --git a/doc b/doc
index fefd7e6ceb..f562d75aef 160000
--- a/doc
+++ b/doc
@@ -1 +1 @@
-Subproject commit fefd7e6ceb67dd011c268c658171967f1281b970
+Subproject commit f562d75aef2e7c401913de122e4f888d42ae5f8e
diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index dc6d8ce802..57ddd514db 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -3884,6 +3884,12 @@ type dns_loc_rr: record {
 	is_query: count;	##< The RR is a query/Response.
 };
 
+type dns_svcb_rr: record {
+	svc_priority: count;  ##< Service priority. (AliasMode? ServiceMode?)
+	target_name: string; ##< Target name, the hostname of the service endpoint.
+	svc_params: table[count] of vector of string; ##< service parameters as key-value pairs
+}
+
 # DNS answer types.
 #
 # .. zeek:see:: dns_answerr
diff --git a/scripts/base/protocols/dns/consts.zeek b/scripts/base/protocols/dns/consts.zeek
index a1e0f53a0b..283c2fc0b7 100644
--- a/scripts/base/protocols/dns/consts.zeek
+++ b/scripts/base/protocols/dns/consts.zeek
@@ -172,4 +172,15 @@ export {
 		[4] = "SHA384",
 	} &default = function(n: count): string { return fmt("digest-%d", n); };
 
+	## SVCB/HTTPS SvcParam keys, 
+	## as defined in https://www.ietf.org/archive/id/draft-ietf-dnsop-svcb-https-07.txt, sec 14.3.2
+	const svcparam_keys = {
+		[0] = "mandatory",
+		[1] = "alpn",
+		[2] = "no-default-alpn",
+		[3] = "port",
+		[4] = "ipv4hint",
+		[5] = "ech",
+		[6] = "ipv6hint",
+	} &default = function(n: count): string { return fmt("key%d", n); };
 }
diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc
index fe5424c00e..72c88cc488 100644
--- a/src/analyzer/protocol/dns/DNS.cc
+++ b/src/analyzer/protocol/dns/DNS.cc
@@ -345,6 +345,14 @@ bool DNS_Interpreter::ParseAnswer(detail::DNS_MsgInfo* msg, const u_char*& data,
 			status = ParseRR_LOC(msg, data, len, rdlength, msg_start);
 			break;
 
+		case detail::TYPE_SVCB:
+			status = ParseRR_SVCB(msg, data, len, rdlength, msg_start, TYPE_SVCB);
+			break;
+
+		case detail::TYPE_HTTPS:
+			status = ParseRR_SVCB(msg, data, len, rdlength, msg_start, TYPE_HTTPS);
+			break;	
+
 		default:
 
 			if ( dns_unknown_reply && ! msg->skip_event )
@@ -1687,6 +1695,39 @@ bool DNS_Interpreter::ParseRR_CAA(detail::DNS_MsgInfo* msg, const u_char*& data,
 	return rdlength == 0;
 	}
 
+bool DNS_Interpreter::ParseRR_SVCB(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, 
+								   int rdlength, const u_char* msg_start, const RR_Type& svcb_type)
+	{
+		unsigned short svc_priority = ExtractShort(data, len);
+
+		u_char target_name[513];
+		int name_len = sizeof(target_name) - 1;
+		u_char* name_end = ExtractName(data, len, target_name, name_len, msg_start, false);
+		if ( ! name_end )
+			return false;
+
+		SVCB_DATA svcb_data = {
+			.svc_priority = svc_priority,
+			.target_name = new String(target_name, name_end - target_name, true),
+			.svc_params = nullptr,
+		};
+
+		// TODO: parse svcparams
+
+		switch( svcb_type )
+		{
+			case detail::TYPE_SVCB:
+				analyzer->EnqueueConnEvent(dns_SVCB, analyzer->ConnVal(), msg->BuildHdrVal(),
+		                           msg->BuildAnswerVal(), msg->BuildSVCB_Val(&svcb_data));
+				break;
+			case detail::TYPE_HTTPS:
+				analyzer->EnqueueConnEvent(dns_HTTPS, analyzer->ConnVal(), msg->BuildHdrVal(),
+		                           msg->BuildAnswerVal(), msg->BuildSVCB_Val(&svcb_data));
+				break;
+		}
+		return true;
+	}
+
 void DNS_Interpreter::SendReplyOrRejectEvent(detail::DNS_MsgInfo* msg, EventHandlerPtr event,
                                              const u_char*& data, int& len, String* question_name,
                                              String* original_name)
@@ -1987,6 +2028,18 @@ RecordValPtr DNS_MsgInfo::BuildLOC_Val(LOC_DATA* loc)
 	return r;
 	}
 
+RecordValPtr DNS_MsgInfo::BuildSVCB_Val(SVCB_DATA* svcb)
+	{
+	static auto dns_svcb_rr = id::find_type<RecordType>("dns_svcb_rr");
+	auto r = make_intrusive<RecordVal>(dns_svcb_rr);
+
+	r->Assign(0, svcb->svc_priority);
+	r->Assign(1, make_intrusive<StringVal>(svcb->target_name));
+
+	// TODO: assign svcparams
+	return dns_svcb_rr;
+	}
+
 	} // namespace detail
 
 Contents_DNS::Contents_DNS(Connection* conn, bool orig, detail::DNS_Interpreter* arg_interp)
diff --git a/src/analyzer/protocol/dns/DNS.h b/src/analyzer/protocol/dns/DNS.h
index c1abaa06e2..0a0476c546 100644
--- a/src/analyzer/protocol/dns/DNS.h
+++ b/src/analyzer/protocol/dns/DNS.h
@@ -71,6 +71,8 @@ enum RR_Type
 	TYPE_DS = 43, ///< Delegation signer (RFC 4034)
 	TYPE_NSEC3 = 50,
 	TYPE_NSEC3PARAM = 51, ///< Contains the NSEC3 parameters (RFC 5155)
+	TYPE_SVCB = 64, ///< SerViCe Binding (RFC draft: https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https-07#section-1.1)
+	TYPE_HTTPS = 65, ///< HTTPS record (HTTPS specific SVCB resource record)
 	// Obsoleted
 	TYPE_SPF = 99, ///< Alternative: storing SPF data in TXT records, using the same format (RFC
 	               ///< 4408). Support for it was discontinued in RFC 7208
@@ -148,6 +150,18 @@ enum DNSSEC_Digest
 	SHA384 = 4,
 	};
 
+///< all keys are defined in RFC draft https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https-07#section-14.3.2
+enum SVCPARAM_Key
+	{
+		mandatory = 0,
+		alpn = 1,
+		no_default_alpn = 2,
+		port = 3,
+		ipv4hint = 4,
+		ech = 5,
+		ipv6hint = 6,
+	};
+
 struct DNS_RawMsgHdr
 	{
 	unsigned short id;
@@ -269,6 +283,20 @@ struct LOC_DATA
 	unsigned long altitude; // 32
 	};
 
+struct SVCB_DATA
+	{
+	unsigned short svc_priority; // 2
+	String* target_name;
+	SVCPARAM_KV* svc_params;
+	}
+
+struct SVCPARAM_KV
+	{
+		String* key;
+		String* value;
+		SVCPARAM_KV* next;
+	};
+
 class DNS_MsgInfo
 	{
 public:
@@ -288,6 +316,7 @@ public:
 	RecordValPtr BuildDS_Val(struct DS_DATA*);
 	RecordValPtr BuildBINDS_Val(struct BINDS_DATA*);
 	RecordValPtr BuildLOC_Val(struct LOC_DATA*);
+	RecordValPtr BuildSVCB_Val(struct SVCB_DATA*);
 
 	int id;
 	int opcode; ///< query type, see DNS_Opcode
@@ -393,6 +422,8 @@ protected:
 	                   const u_char* msg_start);
 	bool ParseRR_LOC(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, int rdlength,
 	                 const u_char* msg_start);
+	bool ParseRR_SVCB(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, int rdlength,
+	                 const u_char* msg_start, const RR_Type& svcb_type);
 	void SendReplyOrRejectEvent(detail::DNS_MsgInfo* msg, EventHandlerPtr event,
 	                            const u_char*& data, int& len, String* question_name,
 	                            String* original_name);
diff --git a/src/analyzer/protocol/dns/events.bif b/src/analyzer/protocol/dns/events.bif
index 40c6cf9f66..7e241c4d01 100644
--- a/src/analyzer/protocol/dns/events.bif
+++ b/src/analyzer/protocol/dns/events.bif
@@ -721,6 +721,37 @@ event dns_SSHFP%(c: connection, msg: dns_msg, ans: dns_answer, algo: count, fpty
 ## loc: The parsed RDATA of LOC type record.
 event dns_LOC%(c: connection, msg: dns_msg, ans: dns_answer, loc: dns_loc_rr%);
 
+## Generated for DNS replies of type *SVCB*.
+## See `RFC draft <https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https-07>`__
+## for more information about the DNS SVCB/HTTPS resource records.
+## For replies with multiple answers, an individual event of the corresponding type is raised for each.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## svcb: The parsed RDATA of SVCB type record.
+event dns_SVCB%(c: connection, msg: dns_msg, ans: dns_answer, svcb: dns_svcb_rr%);
+
+## Generated for DNS replies of type *HTTPS*. 
+## See `RFC draft <https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https-07>`__
+## for more information about the DNS SVCB/HTTPS resource records.
+## Since SVCB and HTTPS record share the same wire format layout, the argument https is dns_svcb_rr. 
+## For replies with multiple answers, an individual event of the corresponding type is raised for each.
+##
+## c: The connection, which may be UDP or TCP depending on the type of the
+##    transport-layer session being analyzed.
+##
+## msg: The parsed DNS message header.
+##
+## ans: The type-independent part of the parsed answer record.
+##
+## https: The parsed RDATA of SVCB type record.
+event dns_HTTPS%(c: connection, msg: dns_msg, ans: dns_answer, https: dns_svcb_rr%);
+
 ## Generated at the end of processing a DNS packet. This event is the last
 ## ``dns_*`` event that will be raised for a DNS query/reply and signals that
 ## all resource records have been passed on.

From 0849332eb959485ba587856671f517a472f2fe52 Mon Sep 17 00:00:00 2001
From: FlyingWithJerome <jxm959@case.edu>
Date: Wed, 29 Sep 2021 13:57:42 -0400
Subject: [PATCH 002/210] fix a few syntax errors

---
 conn.log                                           | 10 ++++++++++
 dns.log                                            | 10 ++++++++++
 packet_filter.log                                  | 10 ++++++++++
 scripts/base/init-bare.zeek                        |  2 +-
 src/analyzer/protocol/dns/DNS.cc                   |  4 ++--
 src/analyzer/protocol/dns/DNS.h                    |  9 +--------
 testing/btest/scripts/base/protocols/dns/svcb.zeek |  9 +++++++++
 weird.log                                          | 10 ++++++++++
 8 files changed, 53 insertions(+), 11 deletions(-)
 create mode 100644 conn.log
 create mode 100644 dns.log
 create mode 100644 packet_filter.log
 create mode 100644 testing/btest/scripts/base/protocols/dns/svcb.zeek
 create mode 100644 weird.log

diff --git a/conn.log b/conn.log
new file mode 100644
index 0000000000..227f0ebcbc
--- /dev/null
+++ b/conn.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	conn
+#open	2021-09-29-11-39-42
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
+#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
+1632928690.500620	CvVbVi3kNVC4LPU90f	192.168.1.99	62978	192.168.1.1	53	udp	dns	0.027648	55	134	SF	-	-	0	Dd	1	83	1	162	-
+#close	2021-09-29-11-39-42
diff --git a/dns.log b/dns.log
new file mode 100644
index 0000000000..f519a96680
--- /dev/null
+++ b/dns.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	dns
+#open	2021-09-29-11-39-42
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected	auth	addl
+#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool	set[string]	set[string]
+1632928690.500620	CvVbVi3kNVC4LPU90f	192.168.1.99	62978	192.168.1.1	53	udp	62111	-	cloudflare.com	1	C_INTERNET	65	HTTPS	0	NOERROR	F	F	T	F	2	-	-	F	-	-
+#close	2021-09-29-11-39-42
diff --git a/packet_filter.log b/packet_filter.log
new file mode 100644
index 0000000000..908eafb9ea
--- /dev/null
+++ b/packet_filter.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	packet_filter
+#open	2021-09-29-11-39-42
+#fields	ts	node	filter	init	success
+#types	time	string	string	bool	bool
+1632929982.504499	zeek	ip or not ip	T	T
+#close	2021-09-29-11-39-42
diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index 57ddd514db..2a9331fdc3 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -3888,7 +3888,7 @@ type dns_svcb_rr: record {
 	svc_priority: count;  ##< Service priority. (AliasMode? ServiceMode?)
 	target_name: string; ##< Target name, the hostname of the service endpoint.
 	svc_params: table[count] of vector of string; ##< service parameters as key-value pairs
-}
+};
 
 # DNS answer types.
 #
diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc
index 72c88cc488..b48e516707 100644
--- a/src/analyzer/protocol/dns/DNS.cc
+++ b/src/analyzer/protocol/dns/DNS.cc
@@ -1709,7 +1709,7 @@ bool DNS_Interpreter::ParseRR_SVCB(detail::DNS_MsgInfo* msg, const u_char*& data
 		SVCB_DATA svcb_data = {
 			.svc_priority = svc_priority,
 			.target_name = new String(target_name, name_end - target_name, true),
-			.svc_params = nullptr,
+			.svc_params = Dictionary(),
 		};
 
 		// TODO: parse svcparams
@@ -2037,7 +2037,7 @@ RecordValPtr DNS_MsgInfo::BuildSVCB_Val(SVCB_DATA* svcb)
 	r->Assign(1, make_intrusive<StringVal>(svcb->target_name));
 
 	// TODO: assign svcparams
-	return dns_svcb_rr;
+	return r;
 	}
 
 	} // namespace detail
diff --git a/src/analyzer/protocol/dns/DNS.h b/src/analyzer/protocol/dns/DNS.h
index 0a0476c546..cfc7b089c9 100644
--- a/src/analyzer/protocol/dns/DNS.h
+++ b/src/analyzer/protocol/dns/DNS.h
@@ -287,14 +287,7 @@ struct SVCB_DATA
 	{
 	unsigned short svc_priority; // 2
 	String* target_name;
-	SVCPARAM_KV* svc_params;
-	}
-
-struct SVCPARAM_KV
-	{
-		String* key;
-		String* value;
-		SVCPARAM_KV* next;
+	Dictionary svc_params;
 	};
 
 class DNS_MsgInfo
diff --git a/testing/btest/scripts/base/protocols/dns/svcb.zeek b/testing/btest/scripts/base/protocols/dns/svcb.zeek
new file mode 100644
index 0000000000..d7e9fa0590
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/dns/svcb.zeek
@@ -0,0 +1,9 @@
+# @TEST-EXEC: zeek -C -r $TRACES/dns-https.pcap %INPUT > output
+# @TEST-EXEC: btest-diff output
+
+@load policy/protocols/dns/auth-addl
+
+event dns_HTTPS(c: connection, msg: dns_msg, ans: dns_answer, https: dns_svcb_rr)
+    {
+    print https;
+    }
\ No newline at end of file
diff --git a/weird.log b/weird.log
new file mode 100644
index 0000000000..ccab363330
--- /dev/null
+++ b/weird.log
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	weird
+#open	2021-09-29-11-39-42
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer	source
+#types	time	string	addr	port	addr	port	string	string	bool	string	string
+1632928690.528268	CvVbVi3kNVC4LPU90f	192.168.1.99	62978	192.168.1.1	53	DNS_truncated_RR_rdlength_lt_len	-	F	zeek	DNS
+#close	2021-09-29-11-39-42

From 8f7f75fcb4dd1a646264176a803d04ece37b884e Mon Sep 17 00:00:00 2001
From: FlyingWithJerome <jxm959@case.edu>
Date: Wed, 29 Sep 2021 13:59:40 -0400
Subject: [PATCH 003/210] remove test logs

---
 conn.log          | 10 ----------
 dns.log           | 10 ----------
 packet_filter.log | 10 ----------
 weird.log         | 10 ----------
 4 files changed, 40 deletions(-)
 delete mode 100644 conn.log
 delete mode 100644 dns.log
 delete mode 100644 packet_filter.log
 delete mode 100644 weird.log

diff --git a/conn.log b/conn.log
deleted file mode 100644
index 227f0ebcbc..0000000000
--- a/conn.log
+++ /dev/null
@@ -1,10 +0,0 @@
-#separator \x09
-#set_separator	,
-#empty_field	(empty)
-#unset_field	-
-#path	conn
-#open	2021-09-29-11-39-42
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service	duration	orig_bytes	resp_bytes	conn_state	local_orig	local_resp	missed_bytes	history	orig_pkts	orig_ip_bytes	resp_pkts	resp_ip_bytes	tunnel_parents
-#types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
-1632928690.500620	CvVbVi3kNVC4LPU90f	192.168.1.99	62978	192.168.1.1	53	udp	dns	0.027648	55	134	SF	-	-	0	Dd	1	83	1	162	-
-#close	2021-09-29-11-39-42
diff --git a/dns.log b/dns.log
deleted file mode 100644
index f519a96680..0000000000
--- a/dns.log
+++ /dev/null
@@ -1,10 +0,0 @@
-#separator \x09
-#set_separator	,
-#empty_field	(empty)
-#unset_field	-
-#path	dns
-#open	2021-09-29-11-39-42
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	trans_id	rtt	query	qclass	qclass_name	qtype	qtype_name	rcode	rcode_name	AA	TC	RD	RA	Z	answers	TTLs	rejected	auth	addl
-#types	time	string	addr	port	addr	port	enum	count	interval	string	count	string	count	string	count	string	bool	bool	bool	bool	count	vector[string]	vector[interval]	bool	set[string]	set[string]
-1632928690.500620	CvVbVi3kNVC4LPU90f	192.168.1.99	62978	192.168.1.1	53	udp	62111	-	cloudflare.com	1	C_INTERNET	65	HTTPS	0	NOERROR	F	F	T	F	2	-	-	F	-	-
-#close	2021-09-29-11-39-42
diff --git a/packet_filter.log b/packet_filter.log
deleted file mode 100644
index 908eafb9ea..0000000000
--- a/packet_filter.log
+++ /dev/null
@@ -1,10 +0,0 @@
-#separator \x09
-#set_separator	,
-#empty_field	(empty)
-#unset_field	-
-#path	packet_filter
-#open	2021-09-29-11-39-42
-#fields	ts	node	filter	init	success
-#types	time	string	string	bool	bool
-1632929982.504499	zeek	ip or not ip	T	T
-#close	2021-09-29-11-39-42
diff --git a/weird.log b/weird.log
deleted file mode 100644
index ccab363330..0000000000
--- a/weird.log
+++ /dev/null
@@ -1,10 +0,0 @@
-#separator \x09
-#set_separator	,
-#empty_field	(empty)
-#unset_field	-
-#path	weird
-#open	2021-09-29-11-39-42
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer	source
-#types	time	string	addr	port	addr	port	string	string	bool	string	string
-1632928690.528268	CvVbVi3kNVC4LPU90f	192.168.1.99	62978	192.168.1.1	53	DNS_truncated_RR_rdlength_lt_len	-	F	zeek	DNS
-#close	2021-09-29-11-39-42

From ca4b181d3516f948d85c9492c4301d2cfcc1d1f1 Mon Sep 17 00:00:00 2001
From: FlyingWithJerome <jxm959@case.edu>
Date: Wed, 29 Sep 2021 14:39:24 -0400
Subject: [PATCH 004/210] add a dns https test case

---
 src/analyzer/protocol/dns/DNS.cc                  |  10 ++++++++++
 .../scripts.base.protocols.dns.https/output       |   3 +++
 testing/btest/Traces/dns-https.pcap               | Bin 0 -> 329 bytes
 .../base/protocols/dns/{svcb.zeek => https.zeek}  |   0
 4 files changed, 13 insertions(+)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.dns.https/output
 create mode 100644 testing/btest/Traces/dns-https.pcap
 rename testing/btest/scripts/base/protocols/dns/{svcb.zeek => https.zeek} (100%)

diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc
index b48e516707..c43888cb18 100644
--- a/src/analyzer/protocol/dns/DNS.cc
+++ b/src/analyzer/protocol/dns/DNS.cc
@@ -1706,6 +1706,15 @@ bool DNS_Interpreter::ParseRR_SVCB(detail::DNS_MsgInfo* msg, const u_char*& data
 		if ( ! name_end )
 			return false;
 
+		// target name can be root - in this case the alternative endpoint is
+		// qname itself. make sure that we print "." instead of an empty string
+		if ( name_end - target_name == 0 )
+			{
+			target_name[0] = '.';
+			target_name[1] = '\0';
+			name_end = target_name+1;
+			}
+
 		SVCB_DATA svcb_data = {
 			.svc_priority = svc_priority,
 			.target_name = new String(target_name, name_end - target_name, true),
@@ -1724,6 +1733,7 @@ bool DNS_Interpreter::ParseRR_SVCB(detail::DNS_MsgInfo* msg, const u_char*& data
 				analyzer->EnqueueConnEvent(dns_HTTPS, analyzer->ConnVal(), msg->BuildHdrVal(),
 		                           msg->BuildAnswerVal(), msg->BuildSVCB_Val(&svcb_data));
 				break;
+			default: break; // unreachable. for suppressing compiler warnings.
 		}
 		return true;
 	}
diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.https/output b/testing/btest/Baseline/scripts.base.protocols.dns.https/output
new file mode 100644
index 0000000000..c94e491f7a
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.dns.https/output
@@ -0,0 +1,3 @@
+[svc_priority=1, target_name=., svc_params={
+
+}]
\ No newline at end of file
diff --git a/testing/btest/Traces/dns-https.pcap b/testing/btest/Traces/dns-https.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..b2c397e62e6cd614e7efe3af28da6dfd200399ab
GIT binary patch
literal 329
zcmca|c+)~A1{MYcU}0bcayB)GB=#(3XGjFHL3ql<`oO~aCC$&pDw#MKTp1XG112yq
zI0!BaJ+Oi?8HgFbF)^4j*e_B4G@nrcYy<-XBUf@xerZZtPGV6ib8>zz1A`+-MpFQ2
zAQ12{a4~T3Uh$okllJX7*g}2|h7CXo5QbO<u@-FMBDpmVKnth80$B#Kl))5eWuK?S
zr}>QyKx09!#%kdK9*DIJjST)ERg4T0Oc}<k8OFLsmSEBXOqw%g7y$!<BSWC&X@)@S
ZQwBB$1vNHzps5f55=Z3&)xiD2002kTOGN+x

literal 0
HcmV?d00001

diff --git a/testing/btest/scripts/base/protocols/dns/svcb.zeek b/testing/btest/scripts/base/protocols/dns/https.zeek
similarity index 100%
rename from testing/btest/scripts/base/protocols/dns/svcb.zeek
rename to testing/btest/scripts/base/protocols/dns/https.zeek

From d5a6896171d4ddcd887bc421994b88651cdaac59 Mon Sep 17 00:00:00 2001
From: FlyingWithJerome <jxm959@case.edu>
Date: Wed, 29 Sep 2021 18:06:58 -0400
Subject: [PATCH 005/210] add svcb test case

---
 .../scripts.base.protocols.dns.svcb/output        |   3 +++
 testing/btest/Traces/dns-svcb.pcap                | Bin 0 -> 243 bytes
 .../btest/scripts/base/protocols/dns/svcb.zeek    |   9 +++++++++
 3 files changed, 12 insertions(+)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.dns.svcb/output
 create mode 100644 testing/btest/Traces/dns-svcb.pcap
 create mode 100644 testing/btest/scripts/base/protocols/dns/svcb.zeek

diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.svcb/output b/testing/btest/Baseline/scripts.base.protocols.dns.svcb/output
new file mode 100644
index 0000000000..15683c930c
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.dns.svcb/output
@@ -0,0 +1,3 @@
+[svc_priority=0, target_name=foo.example.com, svc_params={
+
+}]
\ No newline at end of file
diff --git a/testing/btest/Traces/dns-svcb.pcap b/testing/btest/Traces/dns-svcb.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..3060bdaaecd9555329d8972b037ba15951486f73
GIT binary patch
literal 243
zcmca|c+)~A1{MYcfUtL84oTF!#>fx?lmKBSAa-S72-uXyz~CUrz);V?zzD(*&N7%X
z*!=T9nZl^Rzz9?X6k|`VNX#wBNo7vX&jqRm32O>~r5Jb^xEMIrIa%DascE$U*->+y
yks%!@2f|Q0l4mrc+QDE7w8j5l(#aH{1S7;23_CCcfaXOo2s1D+r{(9PNCE(EhB9pc

literal 0
HcmV?d00001

diff --git a/testing/btest/scripts/base/protocols/dns/svcb.zeek b/testing/btest/scripts/base/protocols/dns/svcb.zeek
new file mode 100644
index 0000000000..7a036f886b
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/dns/svcb.zeek
@@ -0,0 +1,9 @@
+# @TEST-EXEC: zeek -C -r $TRACES/dns-svcb.pcap %INPUT > output
+# @TEST-EXEC: btest-diff output
+
+@load policy/protocols/dns/auth-addl
+
+event dns_SVCB(c: connection, msg: dns_msg, ans: dns_answer, svcb: dns_svcb_rr)
+    {
+    print svcb;
+    }
\ No newline at end of file

From 33c7fd5fba7fb944743aa731ac2ea4330fd67cc1 Mon Sep 17 00:00:00 2001
From: FlyingWithJerome <jxm959@case.edu>
Date: Wed, 29 Sep 2021 18:17:55 -0400
Subject: [PATCH 006/210] use tabs in init-bare.zeek

---
 scripts/base/init-bare.zeek | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index 2a9331fdc3..7454a82ce5 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -3885,9 +3885,9 @@ type dns_loc_rr: record {
 };
 
 type dns_svcb_rr: record {
-	svc_priority: count;  ##< Service priority. (AliasMode? ServiceMode?)
-	target_name: string; ##< Target name, the hostname of the service endpoint.
-	svc_params: table[count] of vector of string; ##< service parameters as key-value pairs
+	svc_priority: count;	##< Service priority. (AliasMode? ServiceMode?)
+	target_name: string;	##< Target name, the hostname of the service endpoint.
+	svc_params: table[count] of vector of string;	##< service parameters as key-value pairs
 };
 
 # DNS answer types.

From b238cf3dcad04ce2bc3cb169d2a336e1349c1932 Mon Sep 17 00:00:00 2001
From: FlyingWithJerome <jxm959@case.edu>
Date: Wed, 29 Sep 2021 18:53:37 -0400
Subject: [PATCH 007/210] lazy commit

---
 scripts/base/init-bare.zeek          |  2 +-
 src/analyzer/protocol/dns/DNS.cc     |  6 +++---
 src/analyzer/protocol/dns/events.bif | 16 ++++++++--------
 3 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index 7454a82ce5..89510933c1 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -3887,7 +3887,7 @@ type dns_loc_rr: record {
 type dns_svcb_rr: record {
 	svc_priority: count;	##< Service priority. (AliasMode? ServiceMode?)
 	target_name: string;	##< Target name, the hostname of the service endpoint.
-	svc_params: table[count] of vector of string;	##< service parameters as key-value pairs
+	svc_params: table[count] of vector of string;	##< service parameters as key-value pairs (not used at this point)
 };
 
 # DNS answer types.
diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc
index c43888cb18..cb6b8cb5e8 100644
--- a/src/analyzer/protocol/dns/DNS.cc
+++ b/src/analyzer/protocol/dns/DNS.cc
@@ -1727,11 +1727,11 @@ bool DNS_Interpreter::ParseRR_SVCB(detail::DNS_MsgInfo* msg, const u_char*& data
 		{
 			case detail::TYPE_SVCB:
 				analyzer->EnqueueConnEvent(dns_SVCB, analyzer->ConnVal(), msg->BuildHdrVal(),
-		                           msg->BuildAnswerVal(), msg->BuildSVCB_Val(&svcb_data));
+		                        	       msg->BuildAnswerVal(), msg->BuildSVCB_Val(&svcb_data));
 				break;
 			case detail::TYPE_HTTPS:
 				analyzer->EnqueueConnEvent(dns_HTTPS, analyzer->ConnVal(), msg->BuildHdrVal(),
-		                           msg->BuildAnswerVal(), msg->BuildSVCB_Val(&svcb_data));
+		                        		  msg->BuildAnswerVal(), msg->BuildSVCB_Val(&svcb_data));
 				break;
 			default: break; // unreachable. for suppressing compiler warnings.
 		}
@@ -2046,7 +2046,7 @@ RecordValPtr DNS_MsgInfo::BuildSVCB_Val(SVCB_DATA* svcb)
 	r->Assign(0, svcb->svc_priority);
 	r->Assign(1, make_intrusive<StringVal>(svcb->target_name));
 
-	// TODO: assign svcparams
+	// TODO: assign values to svcparams
 	return r;
 	}
 
diff --git a/src/analyzer/protocol/dns/events.bif b/src/analyzer/protocol/dns/events.bif
index 7e241c4d01..eed11bc820 100644
--- a/src/analyzer/protocol/dns/events.bif
+++ b/src/analyzer/protocol/dns/events.bif
@@ -721,9 +721,9 @@ event dns_SSHFP%(c: connection, msg: dns_msg, ans: dns_answer, algo: count, fpty
 ## loc: The parsed RDATA of LOC type record.
 event dns_LOC%(c: connection, msg: dns_msg, ans: dns_answer, loc: dns_loc_rr%);
 
-## Generated for DNS replies of type *SVCB*.
-## See `RFC draft <https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https-07>`__
-## for more information about the DNS SVCB/HTTPS resource records.
+## Generated for DNS replies of type *SVCB* (General Purpose Service Endpoints).
+## See `RFC draft for DNS SVCB/HTTPS <https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https-07>`__
+## for more information about DNS SVCB/HTTPS resource records.
 ## For replies with multiple answers, an individual event of the corresponding type is raised for each.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -736,10 +736,10 @@ event dns_LOC%(c: connection, msg: dns_msg, ans: dns_answer, loc: dns_loc_rr%);
 ## svcb: The parsed RDATA of SVCB type record.
 event dns_SVCB%(c: connection, msg: dns_msg, ans: dns_answer, svcb: dns_svcb_rr%);
 
-## Generated for DNS replies of type *HTTPS*. 
-## See `RFC draft <https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https-07>`__
-## for more information about the DNS SVCB/HTTPS resource records.
-## Since SVCB and HTTPS record share the same wire format layout, the argument https is dns_svcb_rr. 
+## Generated for DNS replies of type *HTTPS* (HTTPS Specific Service Endpoints). 
+## See `RFC draft for DNS SVCB/HTTPS <https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https-07>`__
+## for more information about DNS SVCB/HTTPS resource records.
+## Since SVCB and HTTPS records share the same wire format layout, the argument https is dns_svcb_rr. 
 ## For replies with multiple answers, an individual event of the corresponding type is raised for each.
 ##
 ## c: The connection, which may be UDP or TCP depending on the type of the
@@ -749,7 +749,7 @@ event dns_SVCB%(c: connection, msg: dns_msg, ans: dns_answer, svcb: dns_svcb_rr%
 ##
 ## ans: The type-independent part of the parsed answer record.
 ##
-## https: The parsed RDATA of SVCB type record.
+## https: The parsed RDATA of HTTPS type record.
 event dns_HTTPS%(c: connection, msg: dns_msg, ans: dns_answer, https: dns_svcb_rr%);
 
 ## Generated at the end of processing a DNS packet. This event is the last

From ac1ea204fec06dfb2a0796718aefc1ec98f94dc9 Mon Sep 17 00:00:00 2001
From: FlyingWithJerome <jxm959@case.edu>
Date: Wed, 29 Sep 2021 20:02:29 -0400
Subject: [PATCH 008/210] newlines at the end of test outputs

---
 testing/btest/Baseline/scripts.base.protocols.dns.https/output | 2 +-
 testing/btest/Baseline/scripts.base.protocols.dns.svcb/output  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.https/output b/testing/btest/Baseline/scripts.base.protocols.dns.https/output
index c94e491f7a..739d29b9e8 100644
--- a/testing/btest/Baseline/scripts.base.protocols.dns.https/output
+++ b/testing/btest/Baseline/scripts.base.protocols.dns.https/output
@@ -1,3 +1,3 @@
 [svc_priority=1, target_name=., svc_params={
 
-}]
\ No newline at end of file
+}]
diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.svcb/output b/testing/btest/Baseline/scripts.base.protocols.dns.svcb/output
index 15683c930c..d6fcb527e3 100644
--- a/testing/btest/Baseline/scripts.base.protocols.dns.svcb/output
+++ b/testing/btest/Baseline/scripts.base.protocols.dns.svcb/output
@@ -1,3 +1,3 @@
 [svc_priority=0, target_name=foo.example.com, svc_params={
 
-}]
\ No newline at end of file
+}]

From c957e3e91e4024d109d9f10f0e7b6731a76016b4 Mon Sep 17 00:00:00 2001
From: FlyingWithJerome <jxm959@case.edu>
Date: Tue, 12 Oct 2021 20:36:35 -0400
Subject: [PATCH 009/210] address code reviews (formatting and type and
 intrusiveptr)

---
 .vscode/c_cpp_properties.json          | 18 ----------------
 .vscode/settings.json                  |  5 -----
 auxil/package-manager                  |  2 +-
 scripts/base/init-bare.zeek            |  2 +-
 scripts/base/protocols/dns/consts.zeek |  2 +-
 src/analyzer/protocol/dns/DNS.cc       | 29 +++++++++++++++++---------
 src/analyzer/protocol/dns/DNS.h        | 21 +++++++++----------
 7 files changed, 32 insertions(+), 47 deletions(-)
 delete mode 100644 .vscode/c_cpp_properties.json
 delete mode 100644 .vscode/settings.json

diff --git a/.vscode/c_cpp_properties.json b/.vscode/c_cpp_properties.json
deleted file mode 100644
index e48e2b73cd..0000000000
--- a/.vscode/c_cpp_properties.json
+++ /dev/null
@@ -1,18 +0,0 @@
-{
-    "configurations": [
-        {
-            "name": "Mac",
-            "includePath": [
-                "${default}",
-                "${workspaceFolder}/**"
-            ],
-            "defines": [],
-            "macFrameworkPath": [],
-            "compilerPath": "/usr/local/bin/gcc-11",
-            "cStandard": "gnu17",
-            "cppStandard": "gnu++17",
-            "intelliSenseMode": "macos-gcc-x64"
-        }
-    ],
-    "version": 4
-}
\ No newline at end of file
diff --git a/.vscode/settings.json b/.vscode/settings.json
deleted file mode 100644
index ed208baa59..0000000000
--- a/.vscode/settings.json
+++ /dev/null
@@ -1,5 +0,0 @@
-{
-    "files.associations": {
-        "thread": "cpp"
-    }
-}
\ No newline at end of file
diff --git a/auxil/package-manager b/auxil/package-manager
index feffa1d51e..9ccb796814 160000
--- a/auxil/package-manager
+++ b/auxil/package-manager
@@ -1 +1 @@
-Subproject commit feffa1d51e4e5494fef7daf2bd044138cb04f621
+Subproject commit 9ccb7968149ebf91a0c15ff04aca13e558a8b465
diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index 89510933c1..aa98ecfe13 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -3885,7 +3885,7 @@ type dns_loc_rr: record {
 };
 
 type dns_svcb_rr: record {
-	svc_priority: count;	##< Service priority. (AliasMode? ServiceMode?)
+	svc_priority: count;	##< Service priority for the current record, 0 indicates that this record is in AliasMode and cannot carry svc_params; otherwise this is in ServiceMode, and may include svc_params
 	target_name: string;	##< Target name, the hostname of the service endpoint.
 	svc_params: table[count] of vector of string;	##< service parameters as key-value pairs (not used at this point)
 };
diff --git a/scripts/base/protocols/dns/consts.zeek b/scripts/base/protocols/dns/consts.zeek
index 283c2fc0b7..c780e6ffb4 100644
--- a/scripts/base/protocols/dns/consts.zeek
+++ b/scripts/base/protocols/dns/consts.zeek
@@ -182,5 +182,5 @@ export {
 		[4] = "ipv4hint",
 		[5] = "ech",
 		[6] = "ipv6hint",
-	} &default = function(n: count): string { return fmt("key%d", n); };
+	} &default = function(n: count): string { return fmt("key-%d", n); };
 }
diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc
index cb6b8cb5e8..789169261a 100644
--- a/src/analyzer/protocol/dns/DNS.cc
+++ b/src/analyzer/protocol/dns/DNS.cc
@@ -1698,7 +1698,12 @@ bool DNS_Interpreter::ParseRR_CAA(detail::DNS_MsgInfo* msg, const u_char*& data,
 bool DNS_Interpreter::ParseRR_SVCB(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, 
 								   int rdlength, const u_char* msg_start, const RR_Type& svcb_type)
 	{
-		unsigned short svc_priority = ExtractShort(data, len);
+		// the smallest SVCB/HTTPS rr is 3 bytes:
+		// the first 2 bytes are for the svc priority, and the third byte is root (0x0)
+		if ( len < 3 )
+			return false;
+
+		uint16_t svc_priority = ExtractShort(data, len);
 
 		u_char target_name[513];
 		int name_len = sizeof(target_name) - 1;
@@ -1717,24 +1722,28 @@ bool DNS_Interpreter::ParseRR_SVCB(detail::DNS_MsgInfo* msg, const u_char*& data
 
 		SVCB_DATA svcb_data = {
 			.svc_priority = svc_priority,
-			.target_name = new String(target_name, name_end - target_name, true),
-			.svc_params = Dictionary(),
+			.target_name = make_intrusive<StringVal>(new String(target_name, name_end - target_name, true)),
 		};
 
 		// TODO: parse svcparams
+		// we consume all the remaining raw data (svc params) but do nothing.
+		// this should be removed if the svc param parser is ready
+		String* unparsed_data = ExtractStream(data, len, rdlength);
+		delete unparsed_data;
+
 
 		switch( svcb_type )
-		{
+			{
 			case detail::TYPE_SVCB:
 				analyzer->EnqueueConnEvent(dns_SVCB, analyzer->ConnVal(), msg->BuildHdrVal(),
-		                        	       msg->BuildAnswerVal(), msg->BuildSVCB_Val(&svcb_data));
+										msg->BuildAnswerVal(), msg->BuildSVCB_Val(svcb_data));
 				break;
 			case detail::TYPE_HTTPS:
 				analyzer->EnqueueConnEvent(dns_HTTPS, analyzer->ConnVal(), msg->BuildHdrVal(),
-		                        		  msg->BuildAnswerVal(), msg->BuildSVCB_Val(&svcb_data));
+										msg->BuildAnswerVal(), msg->BuildSVCB_Val(svcb_data));
 				break;
 			default: break; // unreachable. for suppressing compiler warnings.
-		}
+			}
 		return true;
 	}
 
@@ -2038,13 +2047,13 @@ RecordValPtr DNS_MsgInfo::BuildLOC_Val(LOC_DATA* loc)
 	return r;
 	}
 
-RecordValPtr DNS_MsgInfo::BuildSVCB_Val(SVCB_DATA* svcb)
+RecordValPtr DNS_MsgInfo::BuildSVCB_Val(const SVCB_DATA& svcb)
 	{
 	static auto dns_svcb_rr = id::find_type<RecordType>("dns_svcb_rr");
 	auto r = make_intrusive<RecordVal>(dns_svcb_rr);
 
-	r->Assign(0, svcb->svc_priority);
-	r->Assign(1, make_intrusive<StringVal>(svcb->target_name));
+	r->Assign(0, svcb.svc_priority);
+	r->Assign(1, svcb.target_name);
 
 	// TODO: assign values to svcparams
 	return r;
diff --git a/src/analyzer/protocol/dns/DNS.h b/src/analyzer/protocol/dns/DNS.h
index cfc7b089c9..f6f9a75f9a 100644
--- a/src/analyzer/protocol/dns/DNS.h
+++ b/src/analyzer/protocol/dns/DNS.h
@@ -153,13 +153,13 @@ enum DNSSEC_Digest
 ///< all keys are defined in RFC draft https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https-07#section-14.3.2
 enum SVCPARAM_Key
 	{
-		mandatory = 0,
-		alpn = 1,
-		no_default_alpn = 2,
-		port = 3,
-		ipv4hint = 4,
-		ech = 5,
-		ipv6hint = 6,
+	mandatory = 0,
+	alpn = 1,
+	no_default_alpn = 2,
+	port = 3,
+	ipv4hint = 4,
+	ech = 5,
+	ipv6hint = 6,
 	};
 
 struct DNS_RawMsgHdr
@@ -285,9 +285,8 @@ struct LOC_DATA
 
 struct SVCB_DATA
 	{
-	unsigned short svc_priority; // 2
-	String* target_name;
-	Dictionary svc_params;
+	uint16_t svc_priority; // 2
+	StringValPtr target_name;
 	};
 
 class DNS_MsgInfo
@@ -309,7 +308,7 @@ public:
 	RecordValPtr BuildDS_Val(struct DS_DATA*);
 	RecordValPtr BuildBINDS_Val(struct BINDS_DATA*);
 	RecordValPtr BuildLOC_Val(struct LOC_DATA*);
-	RecordValPtr BuildSVCB_Val(struct SVCB_DATA*);
+	RecordValPtr BuildSVCB_Val(const struct SVCB_DATA&);
 
 	int id;
 	int opcode; ///< query type, see DNS_Opcode

From 605d4024e41e3b191ff2659a32f634f1a9083acd Mon Sep 17 00:00:00 2001
From: FlyingWithJerome <jxm959@case.edu>
Date: Tue, 12 Oct 2021 21:40:56 -0400
Subject: [PATCH 010/210] remove excussive fields in dns_svcb_rr

---
 scripts/base/init-bare.zeek                   |  1 -
 src/analyzer/protocol/dns/DNS.cc              | 80 +++++++++----------
 .../scripts.base.protocols.dns.https/output   |  4 +-
 .../scripts.base.protocols.dns.svcb/output    |  4 +-
 4 files changed, 42 insertions(+), 47 deletions(-)

diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index aa98ecfe13..ec13e3da90 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -3887,7 +3887,6 @@ type dns_loc_rr: record {
 type dns_svcb_rr: record {
 	svc_priority: count;	##< Service priority for the current record, 0 indicates that this record is in AliasMode and cannot carry svc_params; otherwise this is in ServiceMode, and may include svc_params
 	target_name: string;	##< Target name, the hostname of the service endpoint.
-	svc_params: table[count] of vector of string;	##< service parameters as key-value pairs (not used at this point)
 };
 
 # DNS answer types.
diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc
index 789169261a..868a26adde 100644
--- a/src/analyzer/protocol/dns/DNS.cc
+++ b/src/analyzer/protocol/dns/DNS.cc
@@ -1698,53 +1698,53 @@ bool DNS_Interpreter::ParseRR_CAA(detail::DNS_MsgInfo* msg, const u_char*& data,
 bool DNS_Interpreter::ParseRR_SVCB(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, 
 								   int rdlength, const u_char* msg_start, const RR_Type& svcb_type)
 	{
-		// the smallest SVCB/HTTPS rr is 3 bytes:
-		// the first 2 bytes are for the svc priority, and the third byte is root (0x0)
-		if ( len < 3 )
-			return false;
+	// the smallest SVCB/HTTPS rr is 3 bytes:
+	// the first 2 bytes are for the svc priority, and the third byte is root (0x0)
+	if ( len < 3 )
+		return false;
 
-		uint16_t svc_priority = ExtractShort(data, len);
+	uint16_t svc_priority = ExtractShort(data, len);
 
-		u_char target_name[513];
-		int name_len = sizeof(target_name) - 1;
-		u_char* name_end = ExtractName(data, len, target_name, name_len, msg_start, false);
-		if ( ! name_end )
-			return false;
+	u_char target_name[513];
+	int name_len = sizeof(target_name) - 1;
+	u_char* name_end = ExtractName(data, len, target_name, name_len, msg_start, false);
+	if ( ! name_end )
+		return false;
 
-		// target name can be root - in this case the alternative endpoint is
-		// qname itself. make sure that we print "." instead of an empty string
-		if ( name_end - target_name == 0 )
-			{
-			target_name[0] = '.';
-			target_name[1] = '\0';
-			name_end = target_name+1;
-			}
+	// target name can be root - in this case the alternative endpoint is
+	// qname itself. make sure that we print "." instead of an empty string
+	if ( name_end - target_name == 0 )
+		{
+		target_name[0] = '.';
+		target_name[1] = '\0';
+		name_end = target_name+1;
+		}
 
-		SVCB_DATA svcb_data = {
-			.svc_priority = svc_priority,
-			.target_name = make_intrusive<StringVal>(new String(target_name, name_end - target_name, true)),
-		};
+	SVCB_DATA svcb_data = {
+		.svc_priority = svc_priority,
+		.target_name = make_intrusive<StringVal>(new String(target_name, name_end - target_name, true)),
+	};
 
-		// TODO: parse svcparams
-		// we consume all the remaining raw data (svc params) but do nothing.
-		// this should be removed if the svc param parser is ready
-		String* unparsed_data = ExtractStream(data, len, rdlength);
-		delete unparsed_data;
+	// TODO: parse svcparams
+	// we consume all the remaining raw data (svc params) but do nothing.
+	// this should be removed if the svc param parser is ready
+	String* unparsed_data = ExtractStream(data, len, rdlength);
+	delete unparsed_data;
 
 
-		switch( svcb_type )
-			{
-			case detail::TYPE_SVCB:
-				analyzer->EnqueueConnEvent(dns_SVCB, analyzer->ConnVal(), msg->BuildHdrVal(),
-										msg->BuildAnswerVal(), msg->BuildSVCB_Val(svcb_data));
-				break;
-			case detail::TYPE_HTTPS:
-				analyzer->EnqueueConnEvent(dns_HTTPS, analyzer->ConnVal(), msg->BuildHdrVal(),
-										msg->BuildAnswerVal(), msg->BuildSVCB_Val(svcb_data));
-				break;
-			default: break; // unreachable. for suppressing compiler warnings.
-			}
-		return true;
+	switch( svcb_type )
+		{
+		case detail::TYPE_SVCB:
+			analyzer->EnqueueConnEvent(dns_SVCB, analyzer->ConnVal(), msg->BuildHdrVal(),
+									msg->BuildAnswerVal(), msg->BuildSVCB_Val(svcb_data));
+			break;
+		case detail::TYPE_HTTPS:
+			analyzer->EnqueueConnEvent(dns_HTTPS, analyzer->ConnVal(), msg->BuildHdrVal(),
+									msg->BuildAnswerVal(), msg->BuildSVCB_Val(svcb_data));
+			break;
+		default: break; // unreachable. for suppressing compiler warnings.
+		}
+	return true;
 	}
 
 void DNS_Interpreter::SendReplyOrRejectEvent(detail::DNS_MsgInfo* msg, EventHandlerPtr event,
diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.https/output b/testing/btest/Baseline/scripts.base.protocols.dns.https/output
index 739d29b9e8..5f4d11d5dd 100644
--- a/testing/btest/Baseline/scripts.base.protocols.dns.https/output
+++ b/testing/btest/Baseline/scripts.base.protocols.dns.https/output
@@ -1,3 +1 @@
-[svc_priority=1, target_name=., svc_params={
-
-}]
+[svc_priority=1, target_name=.]
diff --git a/testing/btest/Baseline/scripts.base.protocols.dns.svcb/output b/testing/btest/Baseline/scripts.base.protocols.dns.svcb/output
index d6fcb527e3..233b838420 100644
--- a/testing/btest/Baseline/scripts.base.protocols.dns.svcb/output
+++ b/testing/btest/Baseline/scripts.base.protocols.dns.svcb/output
@@ -1,3 +1 @@
-[svc_priority=0, target_name=foo.example.com, svc_params={
-
-}]
+[svc_priority=0, target_name=foo.example.com]

From dc6e21d6aec362790bceb8698a36f22247d24fff Mon Sep 17 00:00:00 2001
From: Arne Welzel <arne.welzel@corelight.com>
Date: Thu, 14 Oct 2021 10:54:14 +0200
Subject: [PATCH 011/210] logging/writers/ascii: shadow files: Add fsync()
 before rename()

We're using shadow files for log rotation on systems with ext4 running
Linux 4.19. We've observed zero-length shadow files in the logger's working
directory after a power-outage. This leads to a broken/stuck logger
process due to empty shadow files being considered invalid and the
process exiting:

    error: failed to process leftover log 'conn.log.gz': Found leftover log, 'conn.log.gz', but the associated shadow  file, '.shadow.conn.log.gz', required to process it is invalid

PR #1137 introduced atomic renaming of shadow files and was supposed to
handle this. However, after more investigation, the rename() has to be
preceded by an fsync() in order to avoid zero-length files in the presence
of hard-crashes or power-failures. This is generally operating system
and filesystem dependent, but should not hurt to add. The performance impact
can likely be neglected due to the low frequency and limited number of
log streams.

This has happened to others, too. Some references around this issue:

* https://stackoverflow.com/questions/7433057/is-rename-without-fsync-safe
* https://unix.stackexchange.com/questions/464382/which-filesystems-require-fsync-for-crash-safety-when-replacing-an-existing-fi
* https://bugzilla.kernel.org/show_bug.cgi?id=15910

Reproducer

This issue was reproduced artificially on Linux using the sysrq-trigger
functionality to hard-reset the system shortly after a .shadow file was
renamed to it's final destination with the following script watching for
.shadow.conn.log.gz:

    #!/bin/bash
    set -eu
    dir=/data/logger-01/

    # Allow everything via /proc/sysrq-trigger
    echo "1" > /proc/sys/kernel/sysrq

    inotifywait -m -e MOVED_TO --format '%e %w%f' "${dir}" | while read -r line; do
        if echo "${line}" | grep -q '^MOVED_TO .*/.shadow.conn.log.gz$'; then
            echo "RESET: $line"
            sleep 4
            # Trigger a hard-reset without sync/unmount
            echo "b" > /proc/sysrq-trigger
        fi
    done

This quite reliably (4 out of 4 times) yielded a system with zero-length
shadow files and a broken logger after it came back online:

    $ ls -lha /data/logger-01/.shadow.*
    -rw-r--r-- 1 bro bro 0 Oct 14 02:26 .shadow.conn.log.gz
    -rw-r--r-- 1 bro bro 0 Oct 14 02:26 .shadow.dns.log.gz
    -rw-r--r-- 1 bro bro 0 Oct 14 02:26 .shadow.files.log.gz

After this change while running the reproducer, the shadow files always
contained content after a hard-reset.

Rework with util::safe_fsync helper
---
 src/logging/writers/ascii/Ascii.cc |  4 +++-
 src/util.cc                        | 18 ++++++++++++++++++
 src/util.h                         |  4 ++++
 3 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/src/logging/writers/ascii/Ascii.cc b/src/logging/writers/ascii/Ascii.cc
index a53464f925..fe39b86c76 100644
--- a/src/logging/writers/ascii/Ascii.cc
+++ b/src/logging/writers/ascii/Ascii.cc
@@ -465,7 +465,7 @@ bool Ascii::DoInit(const WriterInfo& info, int num_fields, const threading::Fiel
 
 			if ( sfd < 0 )
 				{
-				Error(Fmt("cannot open %s: %s", sfname.data(), Strerror(errno)));
+				Error(Fmt("cannot open %s: %s", tmp_sfname.data(), Strerror(errno)));
 				return false;
 				}
 
@@ -479,6 +479,8 @@ bool Ascii::DoInit(const WriterInfo& info, int num_fields, const threading::Fiel
 
 			util::safe_write(sfd, "\n", 1);
 
+			util::safe_fsync(sfd);
+
 			util::safe_close(sfd);
 
 			if ( rename(tmp_sfname.data(), sfname.data()) == -1 )
diff --git a/src/util.cc b/src/util.cc
index cfa612a864..51527303c0 100644
--- a/src/util.cc
+++ b/src/util.cc
@@ -2162,6 +2162,24 @@ bool safe_pwrite(int fd, const unsigned char* data, size_t len, size_t offset)
 	return true;
 	}
 
+void safe_fsync(int fd)
+	{
+	int r;
+
+	do
+		{
+		r = fsync(fd);
+		} while ( r < 0 && errno == EINTR );
+
+	if ( r < 0 )
+		{
+		char buf[128];
+		zeek_strerror_r(errno, buf, sizeof(buf));
+		fprintf(stderr, "safe_fsync error %d: %s\n", errno, buf);
+		abort();
+		}
+	}
+
 void safe_close(int fd)
 	{
 	/*
diff --git a/src/util.h b/src/util.h
index fa07f585a7..851191246a 100644
--- a/src/util.h
+++ b/src/util.h
@@ -461,6 +461,10 @@ extern bool safe_write(int fd, const char* data, int len);
 // Same as safe_write(), but for pwrite().
 extern bool safe_pwrite(int fd, const unsigned char* data, size_t len, size_t offset);
 
+// Like fsync() but handles interrupted system calls by retrying and
+// aborts on unrecoverable errors.
+extern void safe_fsync(int fd);
+
 // Wraps close(2) to emit error messages and abort on unrecoverable errors.
 extern void safe_close(int fd);
 

From 5d3568d08d1f63ac1758c2243e161bdac2874648 Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Thu, 14 Oct 2021 11:57:48 -0700
Subject: [PATCH 012/210] Bump zeek-aux submodule to pull in update-changes
 tweak [nomail] [skip ci]

---
 auxil/zeek-aux | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/auxil/zeek-aux b/auxil/zeek-aux
index 296383d577..00ec86d2da 160000
--- a/auxil/zeek-aux
+++ b/auxil/zeek-aux
@@ -1 +1 @@
-Subproject commit 296383d577a3f089c4f491061a985293cf6736e6
+Subproject commit 00ec86d2dad3c2d23438431a3ccb07e11dc59543

From 59013dedcf09b57d8b8eb38f2aff609ebeaec44e Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Thu, 14 Oct 2021 11:49:30 -0700
Subject: [PATCH 013/210] Fix typo in typedef changes that broke tests on
 32-bit Debian 9

---
 src/analyzer/Analyzer.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/analyzer/Analyzer.h b/src/analyzer/Analyzer.h
index 26bce61413..ec79400531 100644
--- a/src/analyzer/Analyzer.h
+++ b/src/analyzer/Analyzer.h
@@ -58,7 +58,7 @@ class OutputHandler;
 // causing a crash.
 using analyzer_list = std::list<Analyzer*>;
 using ID = uint32_t;
-using analyzer_timer_func = void (Analyzer::*)(double_t);
+using analyzer_timer_func = void (Analyzer::*)(double t);
 
 /**
  * Class to receive processed output from an anlyzer.

From 237a21c3bf2f7bc4da147ca12e96ab771d384c0e Mon Sep 17 00:00:00 2001
From: zeek-bot <info@zeek.org>
Date: Wed, 20 Oct 2021 00:44:09 +0000
Subject: [PATCH 014/210] Update doc submodule [nomail] [skip ci]

---
 doc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc b/doc
index fefd7e6ceb..e2f2af92c5 160000
--- a/doc
+++ b/doc
@@ -1 +1 @@
-Subproject commit fefd7e6ceb67dd011c268c658171967f1281b970
+Subproject commit e2f2af92c55df3a27c31d8af79cb7a244af912b6

From a6378531dbc5c357926d98fe785bb719cc70e1b4 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Wed, 20 Oct 2021 09:55:11 -0700
Subject: [PATCH 015/210] Remove trailing whitespace from script files

---
 .../frameworks/cluster/nodes/manager.zeek     |  2 +-
 scripts/base/frameworks/cluster/pools.zeek    |  4 +-
 scripts/base/frameworks/dpd/main.zeek         |  2 +-
 .../base/frameworks/files/magic/general.sig   |  3 +-
 .../base/frameworks/files/magic/office.sig    |  5 +-
 scripts/base/frameworks/files/main.zeek       |  8 +--
 scripts/base/frameworks/intel/main.zeek       | 10 +--
 .../base/frameworks/netcontrol/plugin.zeek    |  2 +-
 .../frameworks/netcontrol/plugins/debug.zeek  |  6 +-
 .../netcontrol/plugins/packetfilter.zeek      |  3 +-
 scripts/base/frameworks/netcontrol/types.zeek |  2 +-
 .../notice/actions/add-geodata.zeek           | 10 +--
 .../notice/actions/email_admin.zeek           |  4 +-
 scripts/base/frameworks/openflow/cluster.zeek |  4 +-
 scripts/base/frameworks/signatures/main.zeek  | 25 ++++---
 scripts/base/frameworks/software/main.zeek    | 68 +++++++++----------
 scripts/base/frameworks/sumstats/cluster.zeek |  2 +-
 scripts/base/frameworks/sumstats/main.zeek    |  3 +-
 .../frameworks/sumstats/plugins/sample.zeek   |  2 +-
 .../frameworks/sumstats/plugins/unique.zeek   |  2 +-
 scripts/base/protocols/conn/contents.zeek     |  8 +--
 scripts/base/protocols/conn/inactivity.zeek   |  6 +-
 scripts/base/protocols/dce-rpc/main.zeek      |  2 +-
 scripts/base/protocols/dhcp/main.zeek         |  2 +-
 scripts/base/protocols/dns/main.zeek          |  8 +--
 scripts/base/protocols/ftp/files.zeek         |  6 +-
 .../base/protocols/ftp/utils-commands.zeek    | 20 +++---
 scripts/base/protocols/http/entities.zeek     |  4 +-
 scripts/base/protocols/http/utils.zeek        |  8 +--
 scripts/base/protocols/irc/files.zeek         |  2 +-
 scripts/base/protocols/irc/main.zeek          | 16 ++---
 scripts/base/protocols/krb/main.zeek          | 10 +--
 scripts/base/protocols/ntlm/main.zeek         |  2 +-
 scripts/base/protocols/radius/main.zeek       |  4 +-
 scripts/base/protocols/rdp/main.zeek          | 22 +++---
 scripts/base/protocols/smb/consts.zeek        | 62 ++++++++---------
 scripts/base/protocols/smb/files.zeek         |  2 +-
 scripts/base/protocols/smb/main.zeek          | 26 +++----
 scripts/base/protocols/smb/smb1-main.zeek     | 38 +++++------
 scripts/base/protocols/smb/smb2-main.zeek     | 10 +--
 scripts/base/protocols/syslog/consts.zeek     |  2 +-
 scripts/base/protocols/syslog/main.zeek       |  4 +-
 scripts/base/utils/conn-ids.zeek              |  8 +--
 scripts/base/utils/directions-and-hosts.zeek  |  2 +-
 scripts/base/utils/numbers.zeek               |  5 +-
 scripts/base/utils/patterns.zeek              |  2 +-
 scripts/base/utils/strings.zeek               |  2 +-
 scripts/base/utils/thresholds.zeek            |  8 +--
 scripts/policy/files/unified2/main.zeek       |  3 +-
 .../policy/frameworks/control/controller.zeek |  4 +-
 .../dpd/packet-segment-logging.zeek           |  2 +-
 .../policy/frameworks/files/detect-MHR.zeek   |  2 +-
 .../files/entropy-test-all-files.zeek         |  5 +-
 .../frameworks/intel/seen/file-hashes.zeek    |  2 +-
 .../policy/frameworks/intel/whitelist.zeek    |  3 +-
 .../frameworks/software/version-changes.zeek  |  4 +-
 .../policy/integration/barnyard2/main.zeek    | 18 ++---
 .../policy/integration/barnyard2/types.zeek   |  2 +-
 scripts/policy/misc/trim-trace-file.zeek      |  7 +-
 .../policy/protocols/conn/known-hosts.zeek    | 10 +--
 .../policy/protocols/conn/known-services.zeek |  3 +-
 .../protocols/dns/detect-external-names.zeek  | 10 +--
 scripts/policy/protocols/ftp/detect.zeek      |  6 +-
 .../policy/protocols/http/detect-webapps.zeek |  2 +-
 .../policy/protocols/http/header-names.zeek   |  6 +-
 .../protocols/http/var-extraction-uri.zeek    |  2 +-
 .../policy/protocols/modbus/track-memmap.zeek |  6 +-
 scripts/policy/protocols/smb/log-cmds.zeek    |  2 +-
 scripts/policy/protocols/smtp/blocklists.zeek | 16 ++---
 .../smtp/detect-suspicious-orig.zeek          |  2 +-
 scripts/policy/protocols/smtp/software.zeek   | 23 +++----
 .../protocols/ssh/interesting-hostnames.zeek  | 11 ++-
 scripts/policy/protocols/ssh/software.zeek    |  2 +-
 .../policy/protocols/ssl/expiring-certs.zeek  |  2 +-
 scripts/policy/protocols/ssl/known-certs.zeek | 16 ++---
 scripts/policy/tuning/__load__.zeek           |  2 +-
 .../tuning/defaults/packet-fragments.zeek     |  2 +-
 scripts/policy/tuning/defaults/warnings.zeek  |  2 +-
 78 files changed, 310 insertions(+), 325 deletions(-)

diff --git a/scripts/base/frameworks/cluster/nodes/manager.zeek b/scripts/base/frameworks/cluster/nodes/manager.zeek
index 53e3e52298..7504575dfc 100644
--- a/scripts/base/frameworks/cluster/nodes/manager.zeek
+++ b/scripts/base/frameworks/cluster/nodes/manager.zeek
@@ -2,7 +2,7 @@
 ##!
 ##! The manager is passive (the workers connect to us), and once connected
 ##! the manager registers for the events on the workers that are needed
-##! to get the desired data from the workers.  This script will be 
+##! to get the desired data from the workers.  This script will be
 ##! automatically loaded if necessary based on the type of node being started.
 
 ##! This is where the cluster manager sets it's specific settings for other
diff --git a/scripts/base/frameworks/cluster/pools.zeek b/scripts/base/frameworks/cluster/pools.zeek
index 1be7b336d8..8b2b9dee62 100644
--- a/scripts/base/frameworks/cluster/pools.zeek
+++ b/scripts/base/frameworks/cluster/pools.zeek
@@ -364,7 +364,7 @@ event zeek_init() &priority=-5
 	if ( manager_is_logger )
 		{
 		local mgr = nodes_with_type(Cluster::MANAGER);
-		
+
 		if ( |mgr| > 0 )
 			{
 			local eln = pool_eligibility[Cluster::LOGGER]$eligible_nodes;
@@ -438,7 +438,7 @@ event zeek_init() &priority=-5
 
 		pet = pool_eligibility[pool$spec$node_type];
 		local nodes_to_init = |pet$eligible_nodes|;
-		
+
 		if ( pool$spec?$max_nodes &&
 			 pool$spec$max_nodes < |pet$eligible_nodes| )
 			nodes_to_init = pool$spec$max_nodes;
diff --git a/scripts/base/frameworks/dpd/main.zeek b/scripts/base/frameworks/dpd/main.zeek
index 9424db3d5a..16e37dafdd 100644
--- a/scripts/base/frameworks/dpd/main.zeek
+++ b/scripts/base/frameworks/dpd/main.zeek
@@ -35,7 +35,7 @@ export {
 	## Number of protocol violations to tolerate before disabling an analyzer.
 	option max_violations: table[Analyzer::Tag] of count = table() &default = 5;
 
-	## Analyzers which you don't want to throw 
+	## Analyzers which you don't want to throw
 	option ignore_violations: set[Analyzer::Tag] = set();
 
 	## Ignore violations which go this many bytes into the connection.
diff --git a/scripts/base/frameworks/files/magic/general.sig b/scripts/base/frameworks/files/magic/general.sig
index d34c3d043d..f0e41018f6 100644
--- a/scripts/base/frameworks/files/magic/general.sig
+++ b/scripts/base/frameworks/files/magic/general.sig
@@ -252,7 +252,7 @@ signature file-mpqgame {
 	file-magic /^MPQ\x1a/
 }
 
-# Blizzard CASC Format game file 
+# Blizzard CASC Format game file
 signature file-blizgame {
 	file-mime "application/x-blizgame", 100
 	file-magic /^BLTE/
@@ -302,4 +302,3 @@ signature file-iso9660 {
         file-mime "application/x-iso9660-image", 99
         file-magic /CD001/
 }
-
diff --git a/scripts/base/frameworks/files/magic/office.sig b/scripts/base/frameworks/files/magic/office.sig
index 3b3a264c24..b9563c0407 100644
--- a/scripts/base/frameworks/files/magic/office.sig
+++ b/scripts/base/frameworks/files/magic/office.sig
@@ -1,7 +1,6 @@
-
 # This signature is non-specific and terrible but after
-# searching for a long time there doesn't seem to be a 
-# better option.  
+# searching for a long time there doesn't seem to be a
+# better option.
 signature file-msword {
 	file-magic /^\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1/
 	file-mime "application/msword", 50
diff --git a/scripts/base/frameworks/files/main.zeek b/scripts/base/frameworks/files/main.zeek
index 10cc81ba56..5f799a26c4 100644
--- a/scripts/base/frameworks/files/main.zeek
+++ b/scripts/base/frameworks/files/main.zeek
@@ -104,7 +104,7 @@ export {
 		missing_bytes: count &log &default=0;
 
 		## The number of bytes in the file stream that were not delivered to
-		## stream file analyzers.  This could be overlapping bytes or 
+		## stream file analyzers.  This could be overlapping bytes or
 		## bytes that couldn't be reassembled.
 		overflow_bytes: count &log &default=0;
 
@@ -150,7 +150,7 @@ export {
 	## f: the file.
 	global enable_reassembly: function(f: fa_file);
 
-	## Disables the file reassembler on this file.  If the file is not 
+	## Disables the file reassembler on this file.  If the file is not
 	## transferred out of order this will have no effect.
 	##
 	## f: the file.
@@ -266,7 +266,7 @@ export {
 	};
 
 	## Register callbacks for protocols that work with the Files framework.
-	## The callbacks must uniquely identify a file and each protocol can 
+	## The callbacks must uniquely identify a file and each protocol can
 	## only have a single callback registered for it.
 	##
 	## tag: Tag for the protocol analyzer having a callback being registered.
@@ -280,7 +280,7 @@ export {
 	## manipulation when they are being added to a file before the core code
 	## takes over.  This is unlikely to be interesting for users and should
 	## only be called by file analyzer authors but is *not required*.
-	## 
+	##
 	## tag: Tag for the file analyzer.
 	##
 	## callback: Function to execute when the given file analyzer is being added.
diff --git a/scripts/base/frameworks/intel/main.zeek b/scripts/base/frameworks/intel/main.zeek
index d88d0eb225..8464e7ebfe 100644
--- a/scripts/base/frameworks/intel/main.zeek
+++ b/scripts/base/frameworks/intel/main.zeek
@@ -49,7 +49,7 @@ export {
 		## A URL for more information about the data.
 		url:         string      &optional;
 	};
-	
+
 	## Represents a piece of intelligence.
 	type Item: record {
 		## The intelligence indicator.
@@ -57,12 +57,12 @@ export {
 
 		## The type of data that the indicator field represents.
 		indicator_type: Type;
-		
+
 		## Metadata for the item. Typically represents more deeply
 		## descriptive data for a piece of intelligence.
 		meta:           MetaData;
 	};
-	
+
 	## Enum to represent where data came from when it was discovered.
 	## The convention is to prefix the name with ``IN_``.
 	type Where: enum {
@@ -158,8 +158,8 @@ export {
 	global extend_match: hook(info: Info, s: Seen, items: set[Item]);
 
 	## The expiration timeout for intelligence items. Once an item expires, the
-	## :zeek:id:`Intel::item_expired` hook is called. Reinsertion of an item 
-	## resets the timeout. A negative value disables expiration of intelligence 
+	## :zeek:id:`Intel::item_expired` hook is called. Reinsertion of an item
+	## resets the timeout. A negative value disables expiration of intelligence
 	## items.
 	const item_expiration = -1 min &redef;
 
diff --git a/scripts/base/frameworks/netcontrol/plugin.zeek b/scripts/base/frameworks/netcontrol/plugin.zeek
index 36d5a76173..8ecbef7911 100644
--- a/scripts/base/frameworks/netcontrol/plugin.zeek
+++ b/scripts/base/frameworks/netcontrol/plugin.zeek
@@ -41,7 +41,7 @@ export {
 		name: function(state: PluginState) : string;
 
 		## If true, plugin can expire rules itself. If false, the NetControl
-		## framework will manage rule expiration. 
+		## framework will manage rule expiration.
 		can_expire: bool;
 
 		## One-time initialization function called when plugin gets registered, and
diff --git a/scripts/base/frameworks/netcontrol/plugins/debug.zeek b/scripts/base/frameworks/netcontrol/plugins/debug.zeek
index 479d934b6c..f159cda73f 100644
--- a/scripts/base/frameworks/netcontrol/plugins/debug.zeek
+++ b/scripts/base/frameworks/netcontrol/plugins/debug.zeek
@@ -46,7 +46,7 @@ function debug_add_rule(p: PluginState, r: Rule) : bool
 	local s = fmt("add_rule: %s", r);
 	debug_log(p, s);
 
-	if ( do_something(p) ) 
+	if ( do_something(p) )
 		{
 		event NetControl::rule_added(r, p);
 		return T;
@@ -76,12 +76,10 @@ global debug_plugin = Plugin(
 function create_debug(do_something: bool) : PluginState
 	{
 	local p: PluginState = [$plugin=debug_plugin];
-	
+
 	# FIXME: Why's the default not working?
 	p$config = table();
 	p$config["all"] = (do_something ? "1" : "0");
 
 	return p;
 	}
-
-
diff --git a/scripts/base/frameworks/netcontrol/plugins/packetfilter.zeek b/scripts/base/frameworks/netcontrol/plugins/packetfilter.zeek
index 3648ed3955..ec3cc24247 100644
--- a/scripts/base/frameworks/netcontrol/plugins/packetfilter.zeek
+++ b/scripts/base/frameworks/netcontrol/plugins/packetfilter.zeek
@@ -1,7 +1,7 @@
 ##! NetControl plugin for the process-level PacketFilter that comes with
 ##! Zeek. Since the PacketFilter in Zeek is quite limited in scope
 ##! and can only add/remove filters for addresses, this is quite
-##! limited in scope at the moment. 
+##! limited in scope at the moment.
 
 @load ../plugin
 
@@ -110,4 +110,3 @@ function create_packetfilter() : PluginState
 
 	return p;
 	}
-
diff --git a/scripts/base/frameworks/netcontrol/types.zeek b/scripts/base/frameworks/netcontrol/types.zeek
index beac2302f6..731e8c38b0 100644
--- a/scripts/base/frameworks/netcontrol/types.zeek
+++ b/scripts/base/frameworks/netcontrol/types.zeek
@@ -1,7 +1,7 @@
 ##! This file defines the types that are used by the NetControl framework.
 ##!
 ##! The most important type defined in this file is :zeek:see:`NetControl::Rule`,
-##! which is used to describe all rules that can be expressed by the NetControl framework. 
+##! which is used to describe all rules that can be expressed by the NetControl framework.
 
 module NetControl;
 
diff --git a/scripts/base/frameworks/notice/actions/add-geodata.zeek b/scripts/base/frameworks/notice/actions/add-geodata.zeek
index 04cc10209d..6f07a9dd31 100644
--- a/scripts/base/frameworks/notice/actions/add-geodata.zeek
+++ b/scripts/base/frameworks/notice/actions/add-geodata.zeek
@@ -1,6 +1,6 @@
 ##! This script adds geographic location data to notices for the "remote"
-##! host in a connection.  It does make the assumption that one of the 
-##! addresses in a connection is "local" and one is "remote" which is 
+##! host in a connection.  It does make the assumption that one of the
+##! addresses in a connection is "local" and one is "remote" which is
 ##! probably a safe assumption to make in most cases.  If both addresses
 ##! are remote, it will use the $src address.
 
@@ -17,13 +17,13 @@ export {
 		## in order for this to work.
 		ACTION_ADD_GEODATA
 	};
-	
+
 	redef record Info += {
 		## If GeoIP support is built in, notices can have geographic
 		## information attached to them.
 		remote_location: geo_location  &log &optional;
 	};
-	
+
 	## Notice types which should have the "remote" location looked up.
 	## If GeoIP support is not built in, this does nothing.
 	option lookup_location_types: set[Notice::Type] = {};
@@ -35,7 +35,7 @@ hook policy(n: Notice::Info) &priority=10
 		add n$actions[ACTION_ADD_GEODATA];
 	}
 
-# This is handled at a high priority in case other notice handlers 
+# This is handled at a high priority in case other notice handlers
 # want to use the data.
 hook notice(n: Notice::Info) &priority=10
 	{
diff --git a/scripts/base/frameworks/notice/actions/email_admin.zeek b/scripts/base/frameworks/notice/actions/email_admin.zeek
index 6ba5937bb7..71c26afef4 100644
--- a/scripts/base/frameworks/notice/actions/email_admin.zeek
+++ b/scripts/base/frameworks/notice/actions/email_admin.zeek
@@ -10,9 +10,9 @@ module Notice;
 
 export {
 	redef enum Action += {
-		## Indicate that the generated email should be addressed to the 
+		## Indicate that the generated email should be addressed to the
 		## appropriate email addresses as found by the
-		## :zeek:id:`Site::get_emails` function based on the relevant 
+		## :zeek:id:`Site::get_emails` function based on the relevant
 		## address or addresses indicated in the notice.
 		ACTION_EMAIL_ADMIN
 	};
diff --git a/scripts/base/frameworks/openflow/cluster.zeek b/scripts/base/frameworks/openflow/cluster.zeek
index 6ff005b877..0ab56ca293 100644
--- a/scripts/base/frameworks/openflow/cluster.zeek
+++ b/scripts/base/frameworks/openflow/cluster.zeek
@@ -112,12 +112,12 @@ function lookup_controller(name: string): vector of Controller
 	if ( Cluster::local_node_type() != Cluster::MANAGER )
 		return vector();
 
-	# I am not quite sure if we can actually get away with this - in the 
+	# I am not quite sure if we can actually get away with this - in the
 	# current state, this means that the individual nodes cannot lookup
 	# a controller by name.
 	#
 	# This means that there can be no reactions to things on the actual
-	# worker nodes - because they cannot look up a name. On the other hand - 
+	# worker nodes - because they cannot look up a name. On the other hand -
 	# currently we also do not even send the events to the worker nodes (at least
 	# not if we are using broker). Because of that I am not really feeling that
 	# badly about it...
diff --git a/scripts/base/frameworks/signatures/main.zeek b/scripts/base/frameworks/signatures/main.zeek
index b235cba312..a610afccf5 100644
--- a/scripts/base/frameworks/signatures/main.zeek
+++ b/scripts/base/frameworks/signatures/main.zeek
@@ -60,7 +60,7 @@ export {
 		SIG_ALARM_PER_ORIG,
 		## Alarm once and then never again.
 		SIG_ALARM_ONCE,
-		## Count signatures per responder host and alarm with the 
+		## Count signatures per responder host and alarm with the
 		## :zeek:enum:`Signatures::Count_Signature` notice if a threshold
 		## defined by :zeek:id:`Signatures::count_thresholds` is reached.
 		SIG_COUNT_PER_RESP,
@@ -100,15 +100,15 @@ export {
 		## Number of hosts, from a summary count.
 		host_count: count        &log &optional;
 	};
-	
-	## Actions for a signature.  
+
+	## Actions for a signature.
 	const actions: table[string] of Action =  {
 		["unspecified"] = SIG_IGNORE, # place-holder
 	} &redef &default = SIG_ALARM;
 
 	## Signature IDs that should always be ignored.
 	option ignored_ids = /NO_DEFAULT_MATCHES/;
-	
+
 	## Generate a notice if, for a pair [orig, signature], the number of
 	## different responders has reached one of the thresholds.
 	const horiz_scan_thresholds = { 5, 10, 50, 100, 500, 1000 } &redef;
@@ -120,7 +120,7 @@ export {
 	## Generate a notice if a :zeek:enum:`Signatures::SIG_COUNT_PER_RESP`
 	## signature is triggered as often as given by one of these thresholds.
 	const count_thresholds = { 5, 10, 50, 100, 500, 1000, 10000, 1000000, } &redef;
-	
+
 	## The interval between when :zeek:enum:`Signatures::Signature_Summary`
 	## notices are generated.
 	option summary_interval = 1 day;
@@ -147,7 +147,7 @@ event zeek_init() &priority=5
 	{
 	Log::create_stream(Signatures::LOG, [$columns=Info, $ev=log_signature, $path="signatures", $policy=log_policy]);
 	}
-		
+
 # Returns true if the given signature has already been triggered for the given
 # [orig, resp] pair.
 function has_signature_matched(id: string, orig: addr, resp: addr): bool
@@ -173,7 +173,7 @@ event signature_match(state: signature_state, msg: string, data: string)
 	# Trim the matched data down to something reasonable
 	if ( |data| > 140 )
 		data = fmt("%s...", sub_bytes(data, 0, 140));
-	
+
 	local src_addr: addr;
 	local src_port: port;
 	local dst_addr: addr;
@@ -212,7 +212,7 @@ event signature_match(state: signature_state, msg: string, data: string)
 	local notice = F;
 	if ( action == SIG_ALARM )
 		notice = T;
-	
+
 	if ( action == SIG_COUNT_PER_RESP )
 		{
 		local dst = state$conn$id$resp_h;
@@ -252,7 +252,7 @@ event signature_match(state: signature_state, msg: string, data: string)
 		        $conn=state$conn, $src=src_addr,
 		        $dst=dst_addr, $msg=fmt("%s: %s", src_addr, msg),
 		        $sub=data]);
-	
+
 	if ( action == SIG_FILE_BUT_NO_SCAN || action == SIG_SUMMARY )
 		return;
 
@@ -279,7 +279,7 @@ event signature_match(state: signature_state, msg: string, data: string)
 			fmt("%s has triggered signature %s on %d hosts",
 				orig, sig_id, hcount);
 
-		Log::write(Signatures::LOG, 
+		Log::write(Signatures::LOG,
 			[$ts=network_time(), $note=Multiple_Sig_Responders,
 		     $src_addr=orig, $sig_id=sig_id, $event_msg=msg,
 		     $host_count=hcount, $sub_msg=horz_scan_msg]);
@@ -296,9 +296,9 @@ event signature_match(state: signature_state, msg: string, data: string)
 			fmt("%s has triggered %d different signatures on host %s",
 				orig, vcount, resp);
 
-		Log::write(Signatures::LOG, 
+		Log::write(Signatures::LOG,
 		           [$ts=network_time(),
-		            $note=Multiple_Signatures, 
+		            $note=Multiple_Signatures,
 		            $src_addr=orig,
 		            $dst_addr=resp, $sig_id=sig_id, $sig_count=vcount,
 		            $event_msg=fmt("%s different signatures triggered", vcount),
@@ -311,4 +311,3 @@ event signature_match(state: signature_state, msg: string, data: string)
 		last_vthresh[orig] = vcount;
 		}
 	}
-
diff --git a/scripts/base/frameworks/software/main.zeek b/scripts/base/frameworks/software/main.zeek
index 5704ee98b9..9fed88668b 100644
--- a/scripts/base/frameworks/software/main.zeek
+++ b/scripts/base/frameworks/software/main.zeek
@@ -13,18 +13,18 @@ module Software;
 export {
 	## The software logging stream identifier.
 	redef enum Log::ID += { LOG };
-	
+
 	## A default logging policy hook for the stream.
 	global log_policy: Log::PolicyHook;
 
 	## Scripts detecting new types of software need to redef this enum to add
-	## their own specific software types which would then be used when they 
+	## their own specific software types which would then be used when they
 	## create :zeek:type:`Software::Info` records.
 	type Type: enum {
 		## A placeholder type for when the type of software is not known.
 		UNKNOWN,
 	};
-	
+
 	## A structure to represent the numeric version of software.
 	type Version: record {
 		## Major version number.
@@ -38,7 +38,7 @@ export {
 		## Additional version string (e.g. "beta42").
 		addl:   string &optional;
 	} &log;
-	
+
 	## The record type that is used for representing and logging software.
 	type Info: record {
 		## The time at which the software was detected.
@@ -58,9 +58,9 @@ export {
 		## parsing doesn't always work reliably in all cases and this
 		## acts as a fallback in the logs.
 		unparsed_version: string &log &optional;
-		
+
 		## This can indicate that this software being detected should
-		## definitely be sent onward to the logging framework.  By 
+		## definitely be sent onward to the logging framework.  By
 		## default, only software that is "interesting" due to a change
 		## in version or it being currently unknown is sent to the
 		## logging framework.  This can be set to T to force the record
@@ -68,7 +68,7 @@ export {
 		## tracking needs to happen in a specific way to the software.
 		force_log:        bool &default=F;
 	};
-	
+
 	## Hosts whose software should be detected and tracked.
 	## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS.
 	option asset_tracking = LOCAL_HOSTS;
@@ -78,21 +78,21 @@ export {
 	## id: The connection id where the software was discovered.
 	##
 	## info: A record representing the software discovered.
-	## 
+	##
 	## Returns: T if the software was logged, F otherwise.
 	global found: function(id: conn_id, info: Info): bool;
-	
+
 	## Compare two version records.
-	## 
+	##
 	## Returns:  -1 for v1 < v2, 0 for v1 == v2, 1 for v1 > v2.
 	##           If the numerical version numbers match, the *addl* string
 	##           is compared lexicographically.
 	global cmp_versions: function(v1: Version, v2: Version): int;
-	
-	## Sometimes software will expose itself on the network with 
-	## slight naming variations.  This table provides a mechanism 
-	## for a piece of software to be renamed to a single name 
-	## even if it exposes itself with an alternate name.  The 
+
+	## Sometimes software will expose itself on the network with
+	## slight naming variations.  This table provides a mechanism
+	## for a piece of software to be renamed to a single name
+	## even if it exposes itself with an alternate name.  The
 	## yielded string is the name that will be logged and generally
 	## used for everything.
 	global alternate_names: table[string] of string {
@@ -100,17 +100,17 @@ export {
 	} &default=function(a: string): string { return a; };
 
 	## Type to represent a collection of :zeek:type:`Software::Info` records.
-	## It's indexed with the name of a piece of software such as "Firefox" 
+	## It's indexed with the name of a piece of software such as "Firefox"
 	## and it yields a :zeek:type:`Software::Info` record with more
 	## information about the software.
 	type SoftwareSet: table[string] of Info;
-	
+
 	## The set of software associated with an address.  Data expires from
-	## this table after one day by default so that a detected piece of 
+	## this table after one day by default so that a detected piece of
 	## software will be logged once each day.  In a cluster, this table is
 	## uniformly distributed among proxy nodes.
 	global tracked: table[addr] of SoftwareSet &create_expire=1day;
-	
+
 	## This event can be handled to access the :zeek:type:`Software::Info`
 	## record as it is sent on to the logging framework.
 	global log_software: event(rec: Info);
@@ -128,7 +128,7 @@ event zeek_init() &priority=5
 	{
 	Log::create_stream(Software::LOG, [$columns=Info, $ev=log_software, $path="software", $policy=log_policy]);
 	}
-	
+
 type Description: record {
 	name:             string;
 	version:          Version;
@@ -138,13 +138,13 @@ type Description: record {
 # Defining this here because of a circular dependency between two functions.
 global parse_mozilla: function(unparsed_version: string): Description;
 
-# Don't even try to understand this now, just make sure the tests are 
+# Don't even try to understand this now, just make sure the tests are
 # working.
 function parse(unparsed_version: string): Description
 	{
 	local software_name = "<parse error>";
 	local v: Version;
-	
+
 	# Parse browser-alike versions separately
 	if ( /^(Mozilla|Opera)\/[0-9]+\./ in unparsed_version )
 		{
@@ -220,10 +220,10 @@ function parse(unparsed_version: string): Description
 						{
 						v$addl = strip(version_parts[2]);
 						}
-						
+
 					}
 				}
-			
+
 			if ( 3 in version_numbers && version_numbers[3] != "" )
 				v$minor3 = extract_count(version_numbers[3]);
 			if ( 2 in version_numbers && version_numbers[2] != "" )
@@ -234,7 +234,7 @@ function parse(unparsed_version: string): Description
 				v$major = extract_count(version_numbers[0]);
 			}
 		}
-	
+
 	return [$version=v, $unparsed_version=unparsed_version, $name=alternate_names[software_name]];
 	}
 
@@ -245,7 +245,7 @@ function parse_with_cache(unparsed_version: string): Description
 	{
 	if (unparsed_version in parse_cache)
 		return parse_cache[unparsed_version];
-	
+
 	local res = parse(unparsed_version);
 	parse_cache[unparsed_version] = res;
 	return res;
@@ -256,7 +256,7 @@ function parse_mozilla(unparsed_version: string): Description
 	local software_name = "<unknown browser>";
 	local v: Version;
 	local parts: string_vec;
-	
+
 	if ( /Opera [0-9\.]*$/ in unparsed_version )
 		{
 		software_name = "Opera";
@@ -349,7 +349,7 @@ function parse_mozilla(unparsed_version: string): Description
 		if ( 2 in parts )
 			v = parse(parts[2])$version;
 		}
-	
+
 	else if ( /AdobeAIR\/[0-9\.]*/ in unparsed_version )
 		{
 		software_name = "AdobeAIR";
@@ -392,7 +392,7 @@ function cmp_versions(v1: Version, v2: Version): int
 		else
 			return v1?$major ? 1 : -1;
 		}
-		
+
 	if ( v1?$minor && v2?$minor )
 		{
 		if ( v1$minor < v2$minor )
@@ -407,7 +407,7 @@ function cmp_versions(v1: Version, v2: Version): int
 		else
 			return v1?$minor ? 1 : -1;
 		}
-		
+
 	if ( v1?$minor2 && v2?$minor2 )
 		{
 		if ( v1$minor2 < v2$minor2 )
@@ -462,7 +462,7 @@ function software_endpoint_name(id: conn_id, host: addr): string
 # Convert a version into a string "a.b.c-x".
 function software_fmt_version(v: Version): string
 	{
-	return fmt("%s%s%s%s%s", 
+	return fmt("%s%s%s%s%s",
 	           v?$major ? fmt("%d", v$major) : "0",
 	           v?$minor ? fmt(".%d", v$minor) : "",
 	           v?$minor2 ? fmt(".%d", v$minor2) : "",
@@ -510,10 +510,10 @@ event Software::register(info: Info)
 		local changed = cmp_versions(old$version, info$version) != 0;
 
 		if ( changed )
-			event Software::version_change(old, info);	
+			event Software::version_change(old, info);
 		else if ( ! info$force_log )
 			# If the version hasn't changed, then we're just redetecting the
-			# same thing, then we don't care. 
+			# same thing, then we don't care.
 			return;
 		}
 
@@ -526,7 +526,7 @@ function found(id: conn_id, info: Info): bool
 	if ( ! info$force_log && ! addr_matches_host(info$host, asset_tracking) )
 		return F;
 
-	if ( ! info?$ts ) 
+	if ( ! info?$ts )
 		info$ts = network_time();
 
 	if ( info?$version )
diff --git a/scripts/base/frameworks/sumstats/cluster.zeek b/scripts/base/frameworks/sumstats/cluster.zeek
index 2296a4e38c..f055355170 100644
--- a/scripts/base/frameworks/sumstats/cluster.zeek
+++ b/scripts/base/frameworks/sumstats/cluster.zeek
@@ -220,7 +220,7 @@ event zeek_init() &priority=100
 # This variable is maintained by manager nodes as they collect and aggregate
 # results.
 # Index on a uid.
-global stats_keys: table[string] of set[Key] &read_expire=1min 
+global stats_keys: table[string] of set[Key] &read_expire=1min
 	&expire_func=function(s: table[string] of set[Key], idx: string): interval
 		{
 		Reporter::warning(fmt("SumStat key request for the %s SumStat uid took longer than 1 minute and was automatically cancelled.", idx));
diff --git a/scripts/base/frameworks/sumstats/main.zeek b/scripts/base/frameworks/sumstats/main.zeek
index 930125f6c8..8f8638b57b 100644
--- a/scripts/base/frameworks/sumstats/main.zeek
+++ b/scripts/base/frameworks/sumstats/main.zeek
@@ -510,7 +510,7 @@ function check_thresholds(ss: SumStat, key: Key, result: Result, modify_pct: dou
 		return F;
 
 	# Add in the extra ResultVals to make threshold_vals easier to write.
-	# This length comparison should work because we just need to make 
+	# This length comparison should work because we just need to make
 	# sure that we have the same number of reducers and results.
 	if ( |ss$reducers| != |result| )
 		{
@@ -568,4 +568,3 @@ function threshold_crossed(ss: SumStat, key: Key, result: Result)
 
 	ss$threshold_crossed(key, result);
 	}
-
diff --git a/scripts/base/frameworks/sumstats/plugins/sample.zeek b/scripts/base/frameworks/sumstats/plugins/sample.zeek
index 2f96c5eb30..d5d236f43f 100644
--- a/scripts/base/frameworks/sumstats/plugins/sample.zeek
+++ b/scripts/base/frameworks/sumstats/plugins/sample.zeek
@@ -95,7 +95,7 @@ hook compose_resultvals_hook(result: ResultVal, rv1: ResultVal, rv2: ResultVal)
 		{
 		local other_vector: vector of Observation;
 		local othercount: count;
-		
+
 		if ( rv1$sample_elements > rv2$sample_elements )
 			{
 			result$samples = copy(rv1$samples);
diff --git a/scripts/base/frameworks/sumstats/plugins/unique.zeek b/scripts/base/frameworks/sumstats/plugins/unique.zeek
index 5fcaa1dc3c..069522effb 100644
--- a/scripts/base/frameworks/sumstats/plugins/unique.zeek
+++ b/scripts/base/frameworks/sumstats/plugins/unique.zeek
@@ -46,7 +46,7 @@ hook register_observe_plugins()
 
 		if ( ! r?$unique_max || |rv$unique_vals| <= r$unique_max )
 			add rv$unique_vals[obs];
-			
+
 		rv$unique = |rv$unique_vals|;
 		});
 	}
diff --git a/scripts/base/protocols/conn/contents.zeek b/scripts/base/protocols/conn/contents.zeek
index ea689c6350..f3e64b00b1 100644
--- a/scripts/base/protocols/conn/contents.zeek
+++ b/scripts/base/protocols/conn/contents.zeek
@@ -1,5 +1,5 @@
-##! This script can be used to extract either the originator's data or the 
-##! responders data or both.  By default nothing is extracted, and in order 
+##! This script can be used to extract either the originator's data or the
+##! responders data or both.  By default nothing is extracted, and in order
 ##! to actually extract data the ``c$extract_orig`` and/or the
 ##! ``c$extract_resp`` variable must be set to ``T``.  One way to achieve this
 ##! would be to handle the :zeek:id:`connection_established` event elsewhere
@@ -19,7 +19,7 @@ export {
 	## The prefix given to files containing extracted connections as they
 	## are opened on disk.
 	option extraction_prefix = "contents";
-	
+
 	## If this variable is set to ``T``, then all contents of all
 	## connections will be extracted.
 	option default_extract = F;
@@ -38,7 +38,7 @@ event connection_established(c: connection) &priority=-5
 		local orig_f = open(orig_file);
 		set_contents_file(c$id, CONTENTS_ORIG, orig_f);
 		}
-		
+
 	if ( c$extract_resp )
 		{
 		local resp_file = generate_extraction_filename(extraction_prefix, c, "resp.dat");
diff --git a/scripts/base/protocols/conn/inactivity.zeek b/scripts/base/protocols/conn/inactivity.zeek
index b438a05b61..90c51c3909 100644
--- a/scripts/base/protocols/conn/inactivity.zeek
+++ b/scripts/base/protocols/conn/inactivity.zeek
@@ -10,14 +10,14 @@ export {
 		# For interactive services, allow longer periods of inactivity.
 		[[Analyzer::ANALYZER_SSH, Analyzer::ANALYZER_FTP]] = 1 hrs,
 	};
-	
+
 	## Define inactivity timeouts based on common protocol ports.
 	option port_inactivity_timeouts: table[port] of interval = {
 		[[21/tcp, 22/tcp, 23/tcp, 513/tcp]] = 1 hrs,
 	};
-	
+
 }
-	
+
 event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count)
 	{
 	if ( atype in analyzer_inactivity_timeouts )
diff --git a/scripts/base/protocols/dce-rpc/main.zeek b/scripts/base/protocols/dce-rpc/main.zeek
index 2f69b33a7f..6092029e59 100644
--- a/scripts/base/protocols/dce-rpc/main.zeek
+++ b/scripts/base/protocols/dce-rpc/main.zeek
@@ -17,7 +17,7 @@ export {
 		## The connection's 4-tuple of endpoint addresses/ports.
 		id         : conn_id  &log;
 		## Round trip time from the request to the response.
-		## If either the request or response wasn't seen, 
+		## If either the request or response wasn't seen,
 		## this will be null.
 		rtt        : interval &log &optional;
 
diff --git a/scripts/base/protocols/dhcp/main.zeek b/scripts/base/protocols/dhcp/main.zeek
index b7a8f15649..d6a6807540 100644
--- a/scripts/base/protocols/dhcp/main.zeek
+++ b/scripts/base/protocols/dhcp/main.zeek
@@ -78,7 +78,7 @@ export {
 		## The DHCP message types seen by this DHCP transaction
 		msg_types:      vector of string &log &default=string_vec();
 
-		## Duration of the DHCP "session" representing the 
+		## Duration of the DHCP "session" representing the
 		## time from the first message to the last.
 		duration:       interval    &log &default=0secs;
 
diff --git a/scripts/base/protocols/dns/main.zeek b/scripts/base/protocols/dns/main.zeek
index 85c90efadc..fa22cdba13 100644
--- a/scripts/base/protocols/dns/main.zeek
+++ b/scripts/base/protocols/dns/main.zeek
@@ -375,7 +375,7 @@ hook DNS::do_reply(c: connection, msg: dns_msg, ans: dns_answer, reply: string)
 		if ( ! c$dns?$rtt )
 			{
 			c$dns$rtt = network_time() - c$dns$ts;
-			# This could mean that only a reply was seen since 
+			# This could mean that only a reply was seen since
 			# we assume there must be some passage of time between
 			# request and response.
 			if ( c$dns$rtt == 0secs )
@@ -547,9 +547,9 @@ event dns_SRV_reply(c: connection, msg: dns_msg, ans: dns_answer, target: string
 #
 #	}
 # event dns_EDNS_ecs(c: connection, msg: dns_msg, opt: dns_edns_ecs)
-# 	{
-#		
-# 	}
+#	{
+#
+#	}
 #
 #event dns_TSIG_addl(c: connection, msg: dns_msg, ans: dns_tsig_additional)
 #	{
diff --git a/scripts/base/protocols/ftp/files.zeek b/scripts/base/protocols/ftp/files.zeek
index f2c2625bdb..e7a200f927 100644
--- a/scripts/base/protocols/ftp/files.zeek
+++ b/scripts/base/protocols/ftp/files.zeek
@@ -18,14 +18,14 @@ export {
 	## Describe the file being transferred.
 	global describe_file: function(f: fa_file): string;
 
-	redef record fa_file += { 
+	redef record fa_file += {
 		ftp: FTP::Info &optional;
 	};
 }
 
 function get_file_handle(c: connection, is_orig: bool): string
 	{
-	if ( [c$id$resp_h, c$id$resp_p] !in ftp_data_expected ) 
+	if ( [c$id$resp_h, c$id$resp_p] !in ftp_data_expected )
 		return "";
 
 	return cat(Analyzer::ANALYZER_FTP_DATA, c$start_time, c$id, is_orig);
@@ -54,7 +54,7 @@ event zeek_init() &priority=5
 
 event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
 	{
-	if ( [c$id$resp_h, c$id$resp_p] !in ftp_data_expected ) 
+	if ( [c$id$resp_h, c$id$resp_p] !in ftp_data_expected )
 		return;
 
 	local ftp = ftp_data_expected[c$id$resp_h, c$id$resp_p];
diff --git a/scripts/base/protocols/ftp/utils-commands.zeek b/scripts/base/protocols/ftp/utils-commands.zeek
index 43519b8422..5b75bd5032 100644
--- a/scripts/base/protocols/ftp/utils-commands.zeek
+++ b/scripts/base/protocols/ftp/utils-commands.zeek
@@ -11,12 +11,12 @@ export {
 		## Counter to track how many commands have been executed.
 		seq:  count &default=0;
 	};
-	
+
 	## Structure for tracking pending commands in the event that the client
-	## sends a large number of commands before the server has a chance to 
+	## sends a large number of commands before the server has a chance to
 	## reply.
 	type PendingCmds: table[count] of CmdArg;
-	
+
 	## Possible response codes for a wide variety of FTP commands.
 	option cmd_reply_code: set[string, count] = {
 		# According to RFC 959
@@ -65,7 +65,7 @@ export {
 		["MDTM", [213, 500, 501, 550]],           # RFC3659
 		["MLST", [150, 226, 250, 500, 501, 550]], # RFC3659
 		["MLSD", [150, 226, 250, 500, 501, 550]], # RFC3659
-		
+
 		["CLNT", [200, 500]],           # No RFC (indicate client software)
 		["MACB", [200, 500, 550]],      # No RFC (test for MacBinary support)
 
@@ -79,11 +79,11 @@ function add_pending_cmd(pc: PendingCmds, cmd: string, arg: string): CmdArg
 	{
 	local ca = [$cmd = cmd, $arg = arg, $seq=|pc|+1, $ts=network_time()];
 	pc[ca$seq] = ca;
-	
+
 	return ca;
 	}
 
-# Determine which is the best command to match with based on the 
+# Determine which is the best command to match with based on the
 # response code and message.
 function get_pending_cmd(pc: PendingCmds, reply_code: count, reply_msg: string): CmdArg
 	{
@@ -94,18 +94,18 @@ function get_pending_cmd(pc: PendingCmds, reply_code: count, reply_msg: string):
 	for ( cmd_seq, cmd in pc )
 		{
 		local score: int = 0;
-		
+
 		# if the command is compatible with the reply code
 		# code 500 (syntax error) is compatible with all commands
 		if ( reply_code == 500 || [cmd$cmd, reply_code] in cmd_reply_code )
 			score = score + 100;
-		
+
 		# if the command or the command arg appears in the reply message
 		if ( strstr(reply_msg, cmd$cmd) > 0 )
 			score = score + 20;
 		if ( strstr(reply_msg, cmd$arg) > 0 )
 			score = score + 10;
-		
+
 		if ( score > best_score ||
 		     ( score == best_score && best_seq > cmd_seq ) ) # break tie with sequence number
 			{
@@ -132,7 +132,7 @@ function remove_pending_cmd(pc: PendingCmds, ca: CmdArg): bool
 	else
 		return F;
 	}
-	
+
 function pop_pending_cmd(pc: PendingCmds, reply_code: count, reply_msg: string): CmdArg
 	{
 	local ca = get_pending_cmd(pc, reply_code, reply_msg);
diff --git a/scripts/base/protocols/http/entities.zeek b/scripts/base/protocols/http/entities.zeek
index 0a72c6b76e..b0689c5478 100644
--- a/scripts/base/protocols/http/entities.zeek
+++ b/scripts/base/protocols/http/entities.zeek
@@ -97,7 +97,7 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
 
 event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
 	{
-	if ( f$source == "HTTP" && c?$http ) 
+	if ( f$source == "HTTP" && c?$http )
 		{
 		f$http = c$http;
 
@@ -199,6 +199,6 @@ event file_sniff(f: fa_file, meta: fa_metadata) &priority=5
 
 event http_end_entity(c: connection, is_orig: bool) &priority=5
 	{
-	if ( c?$http && c$http?$current_entity ) 
+	if ( c?$http && c$http?$current_entity )
 		delete c$http$current_entity;
 	}
diff --git a/scripts/base/protocols/http/utils.zeek b/scripts/base/protocols/http/utils.zeek
index dcdbe4bc8e..5f4da1b77c 100644
--- a/scripts/base/protocols/http/utils.zeek
+++ b/scripts/base/protocols/http/utils.zeek
@@ -16,7 +16,7 @@ export {
 	##
 	## Returns: A vector of strings containing the keys.
 	global extract_keys: function(data: string, kv_splitter: pattern): string_vec;
-	
+
 	## Creates a URL from an :zeek:type:`HTTP::Info` record.  This should
 	## handle edge cases such as proxied requests appropriately.
 	##
@@ -24,7 +24,7 @@ export {
 	##
 	## Returns: A URL, not prefixed by ``"http://"``.
 	global build_url: function(rec: Info): string;
-	
+
 	## Creates a URL from an :zeek:type:`HTTP::Info` record.  This should
 	## handle edge cases such as proxied requests appropriately.
 	##
@@ -41,7 +41,7 @@ export {
 function extract_keys(data: string, kv_splitter: pattern): string_vec
 	{
 	local key_vec: vector of string = vector();
-	
+
 	local parts = split_string(data, kv_splitter);
 	for ( part_index in parts )
 		{
@@ -64,7 +64,7 @@ function build_url(rec: Info): string
 		host = fmt("%s:%d", host, resp_p);
 	return fmt("%s%s", host, uri);
 	}
-	
+
 function build_url_http(rec: Info): string
 	{
 	return fmt("http://%s", build_url(rec));
diff --git a/scripts/base/protocols/irc/files.zeek b/scripts/base/protocols/irc/files.zeek
index 59b178f4df..33128f57a6 100644
--- a/scripts/base/protocols/irc/files.zeek
+++ b/scripts/base/protocols/irc/files.zeek
@@ -31,7 +31,7 @@ event zeek_init() &priority=5
 
 event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priority=5
 	{
-	if ( [c$id$resp_h, c$id$resp_p] !in dcc_expected_transfers ) 
+	if ( [c$id$resp_h, c$id$resp_p] !in dcc_expected_transfers )
 		return;
 
 	local irc = dcc_expected_transfers[c$id$resp_h, c$id$resp_p];
diff --git a/scripts/base/protocols/irc/main.zeek b/scripts/base/protocols/irc/main.zeek
index ae15098282..de4d2296ea 100644
--- a/scripts/base/protocols/irc/main.zeek
+++ b/scripts/base/protocols/irc/main.zeek
@@ -1,11 +1,11 @@
 ##! Implements the core IRC analysis support.  The logging model is to log
-##! IRC commands along with the associated response and some additional 
+##! IRC commands along with the associated response and some additional
 ##! metadata about the connection if it's available.
 
 module IRC;
 
 export {
-	
+
 	redef enum Log::ID += { LOG };
 
 	global log_policy: Log::PolicyHook;
@@ -21,7 +21,7 @@ export {
 		nick:     string      &log &optional;
 		## Username given for the connection.
 		user:     string      &log &optional;
-		
+
 		## Command given by the client.
 		command:  string      &log &optional;
 		## Value for the command given by the client.
@@ -29,8 +29,8 @@ export {
 		## Any additional data for the command.
 		addl:     string      &log &optional;
 	};
-	
-	## Event that can be handled to access the IRC record as it is sent on 
+
+	## Event that can be handled to access the IRC record as it is sent on
 	## to the logging framework.
 	global irc_log: event(rec: Info);
 }
@@ -48,7 +48,7 @@ event zeek_init() &priority=5
 	Log::create_stream(IRC::LOG, [$columns=Info, $ev=irc_log, $path="irc", $policy=log_policy]);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_IRC, ports);
 	}
-	
+
 function new_session(c: connection): Info
 	{
 	local info: Info;
@@ -57,12 +57,12 @@ function new_session(c: connection): Info
 	info$id = c$id;
 	return info;
 	}
-	
+
 function set_session(c: connection)
 	{
 	if ( ! c?$irc )
 		c$irc = new_session(c);
-		
+
 	c$irc$ts=network_time();
 	}
 
diff --git a/scripts/base/protocols/krb/main.zeek b/scripts/base/protocols/krb/main.zeek
index d8fbbd12fc..16cdfac6f1 100644
--- a/scripts/base/protocols/krb/main.zeek
+++ b/scripts/base/protocols/krb/main.zeek
@@ -95,7 +95,7 @@ function set_session(c: connection): bool
 		             $id  = c$id);
 		Conn::register_removal_hook(c, finalize_krb);
 		}
-	
+
 	return c$krb$logged;
 	}
 
@@ -115,7 +115,7 @@ event krb_error(c: connection, msg: Error_Msg) &priority=5
 
 	if ( msg?$error_text && msg$error_text in ignored_errors )
 		{
-		if ( c?$krb ) 
+		if ( c?$krb )
 			delete c$krb;
 
 		return;
@@ -174,7 +174,7 @@ event krb_as_response(c: connection, msg: KDC_Response) &priority=5
 
 	if ( ! c$krb?$client && ( msg?$client_name || msg?$client_realm ) )
 		{
-		c$krb$client = fmt("%s/%s", msg?$client_name ? msg$client_name : "", 
+		c$krb$client = fmt("%s/%s", msg?$client_name ? msg$client_name : "",
 	                                msg?$client_realm ? msg$client_realm : "");
 		}
 
@@ -202,7 +202,7 @@ event krb_tgs_request(c: connection, msg: KDC_Request) &priority=5
 	c$krb$request_type = "TGS";
 	if ( msg?$service_name )
 		c$krb$service = msg$service_name;
-	if ( msg?$from ) 
+	if ( msg?$from )
 		c$krb$from = msg$from;
 	if ( msg?$till )
 		c$krb$till = msg$till;
@@ -221,7 +221,7 @@ event krb_tgs_response(c: connection, msg: KDC_Response) &priority=5
 
 	if ( ! c$krb?$client && ( msg?$client_name || msg?$client_realm ) )
 		{
-		c$krb$client = fmt("%s/%s", msg?$client_name ? msg$client_name : "", 
+		c$krb$client = fmt("%s/%s", msg?$client_name ? msg$client_name : "",
 	                                msg?$client_realm ? msg$client_realm : "");
 		}
 
diff --git a/scripts/base/protocols/ntlm/main.zeek b/scripts/base/protocols/ntlm/main.zeek
index 1aca98791e..17d8b85486 100644
--- a/scripts/base/protocols/ntlm/main.zeek
+++ b/scripts/base/protocols/ntlm/main.zeek
@@ -33,7 +33,7 @@ export {
 		## Indicate whether or not the authentication was successful.
 		success    : bool     &log &optional;
 
-		## Internally used field to indicate if the login attempt 
+		## Internally used field to indicate if the login attempt
 		## has already been logged.
 		done: bool  &default=F;
 	};
diff --git a/scripts/base/protocols/radius/main.zeek b/scripts/base/protocols/radius/main.zeek
index f5c1f2cbc3..dc692cac2f 100644
--- a/scripts/base/protocols/radius/main.zeek
+++ b/scripts/base/protocols/radius/main.zeek
@@ -24,7 +24,7 @@ export {
 		mac          : string   &log &optional;
 		## The address given to the network access server, if
 		## present.  This is only a hint from the RADIUS server
-		## and the network access server is not required to honor 
+		## and the network access server is not required to honor
 		## the address.
 		framed_addr  : addr     &log &optional;
 		## Address (IPv4, IPv6, or FQDN) of the initiator end of the tunnel,
@@ -33,7 +33,7 @@ export {
 		tunnel_client: string   &log &optional;
 		## Connect info, if present.
 		connect_info : string   &log &optional;
-		## Reply message from the server challenge. This is 
+		## Reply message from the server challenge. This is
 		## frequently shown to the user authenticating.
 		reply_msg    : string   &log &optional;
 		## Successful or failed authentication.
diff --git a/scripts/base/protocols/rdp/main.zeek b/scripts/base/protocols/rdp/main.zeek
index 51c94d326a..53cc6ea812 100644
--- a/scripts/base/protocols/rdp/main.zeek
+++ b/scripts/base/protocols/rdp/main.zeek
@@ -41,15 +41,15 @@ export {
 		desktop_width:         count   &log &optional;
 		## Desktop height of the client machine.
 		desktop_height:        count   &log &optional;
-		## The color depth requested by the client in 
+		## The color depth requested by the client in
 		## the high_color_depth field.
 		requested_color_depth: string  &log &optional;
 
 		## If the connection is being encrypted with native
-		## RDP encryption, this is the type of cert 
+		## RDP encryption, this is the type of cert
 		## being used.
 		cert_type:             string  &log &optional;
-		## The number of certs seen.  X.509 can transfer an 
+		## The number of certs seen.  X.509 can transfer an
 		## entire certificate chain.
 		cert_count:            count   &log &default=0;
 		## Indicates if the provided certificate or certificate
@@ -57,7 +57,7 @@ export {
 		cert_permanent:        bool    &log &optional;
 		## Encryption level of the connection.
 		encryption_level:      string  &log &optional;
-		## Encryption method of the connection. 
+		## Encryption method of the connection.
 		encryption_method:     string  &log &optional;
 		};
 
@@ -65,7 +65,7 @@ export {
 	## continuing to process encrypted traffic.
 	option disable_analyzer_after_detection = F;
 
-	## The amount of time to monitor an RDP session from when it is first 
+	## The amount of time to monitor an RDP session from when it is first
 	## identified. When this interval is reached, the session is logged.
 	option rdp_check_interval = 10secs;
 
@@ -113,7 +113,7 @@ function write_log(c: connection)
 	info$done = T;
 
 	# Verify that the RDP session contains
-	# RDP data before writing it to the log. 
+	# RDP data before writing it to the log.
 	if ( info?$cookie || info?$keyboard_layout || info?$result )
 		Log::write(RDP::LOG, info);
 	}
@@ -124,16 +124,16 @@ event check_record(c: connection)
 	if ( c$rdp$done )
 		return;
 
-	# If the value rdp_check_interval has passed since the 
-	# RDP session was started, then log the record. 
+	# If the value rdp_check_interval has passed since the
+	# RDP session was started, then log the record.
 	local diff = network_time() - c$rdp$ts;
 	if ( diff > rdp_check_interval )
 		{
 		write_log(c);
 
 		# Remove the analyzer if it is still attached.
-		if ( disable_analyzer_after_detection && 
-		     connection_exists(c$id) && 
+		if ( disable_analyzer_after_detection &&
+		     connection_exists(c$id) &&
 		     c$rdp?$analyzer_id )
 			{
 			disable_analyzer(c$id, c$rdp$analyzer_id);
@@ -240,7 +240,7 @@ event rdp_server_certificate(c: connection, cert_type: count, permanently_issued
 	# now so we manually count this one.
 	if ( c$rdp$cert_type == "RSA" )
 		++c$rdp$cert_count;
-	
+
 	c$rdp$cert_permanent = permanently_issued;
 	}
 
diff --git a/scripts/base/protocols/smb/consts.zeek b/scripts/base/protocols/smb/consts.zeek
index 32a03dd17d..9b68419baa 100644
--- a/scripts/base/protocols/smb/consts.zeek
+++ b/scripts/base/protocols/smb/consts.zeek
@@ -107,13 +107,13 @@ export {
 	} &redef &default=function(i: count):string { return fmt("unknown-wksta-command-%d", i); };
 
 	type rpc_cmd_table: table[count] of string;
-	
+
 	## The subcommands for RPC endpoints.
 	const rpc_sub_cmds: table[string] of rpc_cmd_table = {
 		["4b324fc8-1670-01d3-1278-5a47bf6ee188"] = srv_cmds,
-		["6bffd098-a112-3610-9833-46c3f87e345a"] = wksta_cmds,	
+		["6bffd098-a112-3610-9833-46c3f87e345a"] = wksta_cmds,
 	} &redef &default=function(i: string):rpc_cmd_table { return table() &default=function(j: string):string { return fmt("unknown-uuid-%s", j); }; };
-	
+
 }
 
 module SMB1;
@@ -195,37 +195,37 @@ export {
 	} &default=function(i: count):string { return fmt("unknown-%d", i); };
 
 	const trans2_sub_commands: table[count] of string = {
-		[0x00] = "OPEN2",	
-		[0x01] = "FIND_FIRST2",	
-		[0x02] = "FIND_NEXT2",	
-		[0x03] = "QUERY_FS_INFORMATION",	
-		[0x04] = "SET_FS_INFORMATION",	
-		[0x05] = "QUERY_PATH_INFORMATION",	
-		[0x06] = "SET_PATH_INFORMATION",	
-		[0x07] = "QUERY_FILE_INFORMATION",	
-		[0x08] = "SET_FILE_INFORMATION",	
-		[0x09] = "FSCTL",	
-		[0x0A] = "IOCTL",	
-		[0x0B] = "FIND_NOTIFY_FIRST",	
-		[0x0C] = "FIND_NOTIFY_NEXT",	
-		[0x0D] = "CREATE_DIRECTORY",	
-		[0x0E] = "SESSION_SETUP",	
-		[0x10] = "GET_DFS_REFERRAL",	
-		[0x11] = "REPORT_DFS_INCONSISTENCY",	
+		[0x00] = "OPEN2",
+		[0x01] = "FIND_FIRST2",
+		[0x02] = "FIND_NEXT2",
+		[0x03] = "QUERY_FS_INFORMATION",
+		[0x04] = "SET_FS_INFORMATION",
+		[0x05] = "QUERY_PATH_INFORMATION",
+		[0x06] = "SET_PATH_INFORMATION",
+		[0x07] = "QUERY_FILE_INFORMATION",
+		[0x08] = "SET_FILE_INFORMATION",
+		[0x09] = "FSCTL",
+		[0x0A] = "IOCTL",
+		[0x0B] = "FIND_NOTIFY_FIRST",
+		[0x0C] = "FIND_NOTIFY_NEXT",
+		[0x0D] = "CREATE_DIRECTORY",
+		[0x0E] = "SESSION_SETUP",
+		[0x10] = "GET_DFS_REFERRAL",
+		[0x11] = "REPORT_DFS_INCONSISTENCY",
 	} &default=function(i: count):string { return fmt("unknown-trans2-sub-cmd-%d", i); };
 
 	const trans_sub_commands: table[count] of string = {
-		[0x01] = "SET_NMPIPE_STATE",	
-		[0x11] = "RAW_READ_NMPIPE",	
-		[0x21] = "QUERY_NMPIPE_STATE",	
-		[0x22] = "QUERY_NMPIPE_INFO",	
-		[0x23] = "PEEK_NMPIPE",	
-		[0x26] = "TRANSACT_NMPIPE",	
-		[0x31] = "RAW_WRITE_NMPIPE",	
-		[0x36] = "READ_NMPIPE",	
-		[0x37] = "WRITE_NMPIPE",	
-		[0x53] = "WAIT_NMPIPE",	
-		[0x54] = "CALL_NMPIPE",	
+		[0x01] = "SET_NMPIPE_STATE",
+		[0x11] = "RAW_READ_NMPIPE",
+		[0x21] = "QUERY_NMPIPE_STATE",
+		[0x22] = "QUERY_NMPIPE_INFO",
+		[0x23] = "PEEK_NMPIPE",
+		[0x26] = "TRANSACT_NMPIPE",
+		[0x31] = "RAW_WRITE_NMPIPE",
+		[0x36] = "READ_NMPIPE",
+		[0x37] = "WRITE_NMPIPE",
+		[0x53] = "WAIT_NMPIPE",
+		[0x54] = "CALL_NMPIPE",
 	} &default=function(i: count):string { return fmt("unknown-trans-sub-cmd-%d", i); };
 }
 
diff --git a/scripts/base/protocols/smb/files.zeek b/scripts/base/protocols/smb/files.zeek
index e3b387b771..a47874d480 100644
--- a/scripts/base/protocols/smb/files.zeek
+++ b/scripts/base/protocols/smb/files.zeek
@@ -14,7 +14,7 @@ export {
 function get_file_handle(c: connection, is_orig: bool): string
 	{
 	if ( ! (c$smb_state?$current_file &&
-	        (c$smb_state$current_file?$name || 
+	        (c$smb_state$current_file?$name ||
 	         c$smb_state$current_file?$path)) )
 		{
 		# TODO - figure out what are the cases where this happens.
diff --git a/scripts/base/protocols/smb/main.zeek b/scripts/base/protocols/smb/main.zeek
index cfccde16ac..703a76903d 100644
--- a/scripts/base/protocols/smb/main.zeek
+++ b/scripts/base/protocols/smb/main.zeek
@@ -5,7 +5,7 @@
 module SMB;
 
 export {
-	redef enum Log::ID += { 
+	redef enum Log::ID += {
 		AUTH_LOG,
 		MAPPING_LOG,
 		FILES_LOG
@@ -13,7 +13,7 @@ export {
 
 	global log_policy_files: Log::PolicyHook;
 	global log_policy_mapping: Log::PolicyHook;
-	
+
 	## Abstracted actions for SMB file actions.
 	type Action: enum {
 		FILE_READ,
@@ -55,7 +55,7 @@ export {
 		id				: conn_id &log;
 		## Unique ID of the file.
 		fuid			: string  &log &optional;
-		
+
 		## Action this log record represents.
 		action			: Action  &log &optional;
 		## Path pulled from the tree this file was transferred to or from.
@@ -99,14 +99,14 @@ export {
 		uid				: string &log;
 		## ID of the connection the request was sent over.
 		id				: conn_id &log;
-		
+
 		## The command sent by the client.
 		command			: string &log;
 		## The subcommand sent by the client, if present.
 		sub_command		: string &log &optional;
 		## Command argument sent by the client, if any.
 		argument		: string &log &optional;
-		
+
 		## Server reply to the client's command.
 		status			: string &log &optional;
 		## Round trip time from the request to the response.
@@ -116,13 +116,13 @@ export {
 
 		## Authenticated username, if available.
 		username		: string &log &optional;
-		
+
 		## If this is related to a tree, this is the tree
 		## that was used for the current command.
 		tree			: string &log &optional;
 		## The type of tree (disk share, printer share, named pipe, etc.).
 		tree_service	: string &log &optional;
-		
+
 		## If the command referenced a file, store it here.
 		referenced_file	: FileInfo &log &optional;
 		## If the command referenced a tree, store it here.
@@ -138,7 +138,7 @@ export {
 		current_file   : FileInfo    &optional;
 		## A reference to the current tree.
 		current_tree   : TreeInfo    &optional;
-		
+
 		## Indexed on MID to map responses to requests.
 		pending_cmds : table[count] of CmdInfo   &optional;
 		## File map to retrieve file information based on the file ID.
@@ -161,7 +161,7 @@ export {
 	redef record connection += {
 		smb_state : State &optional;
 	};
-	
+
 	## This is an internally used function.
 	const set_current_file: function(smb_state: State, file_id: count) &redef;
 
@@ -195,7 +195,7 @@ function set_current_file(smb_state: State, file_id: count)
 		smb_state$fid_map[file_id] = smb_state$current_cmd$referenced_file;
 		smb_state$fid_map[file_id]$fid = file_id;
 		}
-	
+
 	smb_state$current_cmd$referenced_file = smb_state$fid_map[file_id];
 	smb_state$current_file = smb_state$current_cmd$referenced_file;
 	}
@@ -203,7 +203,7 @@ function set_current_file(smb_state: State, file_id: count)
 function write_file_log(state: State)
 	{
 	local f = state$current_file;
-	if ( f?$name && 
+	if ( f?$name &&
 	     f$action in logged_file_actions )
 		{
 		# Everything in this if statement is to avoid overlogging
@@ -225,7 +225,7 @@ function write_file_log(state: State)
 			else
 				add state$recent_files[file_ident];
 			}
-		
+
 		Log::write(FILES_LOG, f);
 		}
 	}
@@ -240,7 +240,7 @@ event file_state_remove(f: fa_file) &priority=-5
 	{
 	if ( f$source != "SMB" )
 		return;
-	
+
 	for ( id, c in f$conns )
 		{
 		if ( c?$smb_state && c$smb_state?$current_file)
diff --git a/scripts/base/protocols/smb/smb1-main.zeek b/scripts/base/protocols/smb/smb1-main.zeek
index 9dabdd1c36..a6bfcc8035 100644
--- a/scripts/base/protocols/smb/smb1-main.zeek
+++ b/scripts/base/protocols/smb/smb1-main.zeek
@@ -39,12 +39,12 @@ event smb1_message(c: connection, hdr: SMB1::Header, is_orig: bool) &priority=5
 		{
 		smb_state$current_cmd$tree = smb_state$current_tree$path;
 		}
-		
+
 	if ( smb_state$current_tree?$service )
 		{
 		smb_state$current_cmd$tree_service = smb_state$current_tree$service;
 		}
-	
+
 	if ( mid !in smb_state$pending_cmds )
 		{
 		local tmp_cmd = SMB::CmdInfo($uid=c$uid, $id=c$id, $version="SMB1", $command = SMB1::commands[hdr$command]);
@@ -52,10 +52,10 @@ event smb1_message(c: connection, hdr: SMB1::Header, is_orig: bool) &priority=5
 		local tmp_file = SMB::FileInfo($uid=c$uid, $id=c$id);
 		tmp_cmd$referenced_file = tmp_file;
 		tmp_cmd$referenced_tree = smb_state$current_tree;
-		
+
 		smb_state$pending_cmds[mid] = tmp_cmd;
 		}
-	
+
 	smb_state$current_cmd = smb_state$pending_cmds[mid];
 
 	if ( !is_orig )
@@ -97,11 +97,11 @@ event smb1_negotiate_response(c: connection, hdr: SMB1::Header, response: SMB1::
 		delete c$smb_state$current_cmd$smb1_offered_dialects;
 		}
 	}
-	
+
 event smb1_negotiate_response(c: connection, hdr: SMB1::Header, response: SMB1::NegotiateResponse) &priority=-5
 	{
 	}
-	
+
 event smb1_tree_connect_andx_request(c: connection, hdr: SMB1::Header, path: string, service: string) &priority=5
 	{
 	local tmp_tree = SMB::TreeInfo($uid=c$uid, $id=c$id, $path=path, $service=service);
@@ -117,7 +117,7 @@ event smb1_tree_connect_andx_response(c: connection, hdr: SMB1::Header, service:
 		c$smb_state$current_cmd$referenced_tree$share_type = "PIPE";
 
 	c$smb_state$current_cmd$tree_service = service;
-	
+
 	if ( native_file_system != "" )
 		c$smb_state$current_cmd$referenced_tree$native_file_system = native_file_system;
 
@@ -150,13 +150,13 @@ event smb1_nt_create_andx_response(c: connection, hdr: SMB1::Header, file_id: co
 	# I'm seeing negative data from IPC tree transfers
 	if ( time_to_double(times$modified) > 0.0 )
 		c$smb_state$current_cmd$referenced_file$times = times;
-	
-	# We can identify the file by its file id now so let's stick it 
+
+	# We can identify the file by its file id now so let's stick it
 	# in the file map.
 	c$smb_state$fid_map[file_id] = c$smb_state$current_cmd$referenced_file;
-	
+
 	c$smb_state$current_file = c$smb_state$fid_map[file_id];
-	
+
 	SMB::write_file_log(c$smb_state);
 	}
 
@@ -167,7 +167,7 @@ event smb1_read_andx_request(c: connection, hdr: SMB1::Header, file_id: count, o
 	if ( c$smb_state$current_file?$name )
 		c$smb_state$current_cmd$argument = c$smb_state$current_file$name;
 	}
-	
+
 event smb1_read_andx_request(c: connection, hdr: SMB1::Header, file_id: count, offset: count, length: count) &priority=-5
 	{
 	if ( c$smb_state$current_tree?$path && !c$smb_state$current_file?$path )
@@ -180,12 +180,12 @@ event smb1_write_andx_request(c: connection, hdr: SMB1::Header, file_id: count,
 	{
 	SMB::set_current_file(c$smb_state, file_id);
 	c$smb_state$current_file$action = SMB::FILE_WRITE;
-	if ( !c$smb_state$current_cmd?$argument && 
+	if ( !c$smb_state$current_cmd?$argument &&
 	     # TODO: figure out why name isn't getting set sometimes.
 	     c$smb_state$current_file?$name )
 		c$smb_state$current_cmd$argument = c$smb_state$current_file$name;
 	}
-	
+
 event smb1_write_andx_request(c: connection, hdr: SMB1::Header, file_id: count, offset: count, data_len: count) &priority=-5
 	{
 	if ( c$smb_state$current_tree?$path && !c$smb_state$current_file?$path )
@@ -217,7 +217,7 @@ event smb1_close_request(c: connection, hdr: SMB1::Header, file_id: count) &prio
 
 		if ( fl?$name )
 			c$smb_state$current_cmd$argument = fl$name;
-		
+
 		delete c$smb_state$fid_map[file_id];
 
 		SMB::write_file_log(c$smb_state);
@@ -254,7 +254,7 @@ event smb1_session_setup_andx_response(c: connection, hdr: SMB1::Header, respons
 	{
 	# No behavior yet.
 	}
-	
+
 event smb1_transaction_request(c: connection, hdr: SMB1::Header, name: string, sub_cmd: count, parameters: string, data: string)
 	{
 	c$smb_state$current_cmd$sub_command = SMB1::trans_sub_commands[sub_cmd];
@@ -267,7 +267,7 @@ event smb1_write_andx_request(c: connection, hdr: SMB1::Header, file_id: count,
 		# TODO: figure out why the uuid isn't getting set sometimes.
 		return;
 		}
-	
+
 	c$smb_state$pipe_map[file_id] = c$smb_state$current_file$uuid;
 	}
 
@@ -278,11 +278,11 @@ event smb_pipe_bind_ack_response(c: connection, hdr: SMB1::Header)
 		# TODO: figure out why the uuid isn't getting set sometimes.
 		return;
 		}
-	
+
 	c$smb_state$current_cmd$sub_command = "RPC_BIND_ACK";
 	c$smb_state$current_cmd$argument = SMB::rpc_uuids[c$smb_state$current_file$uuid];
 	}
-	
+
 event smb_pipe_bind_request(c: connection, hdr: SMB1::Header, uuid: string, version: string)
 	{
 	if ( ! c$smb_state?$current_file || ! c$smb_state$current_file?$uuid )
diff --git a/scripts/base/protocols/smb/smb2-main.zeek b/scripts/base/protocols/smb/smb2-main.zeek
index 59436a2c8c..c45a56a799 100644
--- a/scripts/base/protocols/smb/smb2-main.zeek
+++ b/scripts/base/protocols/smb/smb2-main.zeek
@@ -19,7 +19,7 @@ event smb2_message(c: connection, hdr: SMB2::Header, is_orig: bool) &priority=5
 		state$pipe_map = table();
 		c$smb_state = state;
 		}
-	
+
 	local smb_state = c$smb_state;
 	local tid = hdr$tree_id;
 	local mid = hdr$message_id;
@@ -159,10 +159,10 @@ event smb2_create_response(c: connection, hdr: SMB2::Header, response: SMB2::Cre
 	if ( time_to_double(response$times$modified) > 0.0 )
 		c$smb_state$current_file$times = response$times;
 
-	# We can identify the file by its file id now so let's stick it 
+	# We can identify the file by its file id now so let's stick it
 	# in the file map.
 	c$smb_state$fid_map[response$file_id$persistent+response$file_id$volatile] = c$smb_state$current_file;
-	
+
 	c$smb_state$current_file = c$smb_state$fid_map[response$file_id$persistent+response$file_id$volatile];
 	}
 
@@ -193,7 +193,7 @@ event smb2_read_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, o
 	}
 
 event smb2_read_request(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, offset: count, length: count) &priority=-5
-	{ 
+	{
 	SMB::write_file_log(c$smb_state);
 	}
 
@@ -249,7 +249,7 @@ event smb2_file_rename(c: connection, hdr: SMB2::Header, file_id: SMB2::GUID, ds
 
 	if ( c$smb_state$current_file?$name )
 		c$smb_state$current_file$prev_name = c$smb_state$current_file$name;
-		
+
 	c$smb_state$current_file$name = dst_filename;
 
 	switch ( c$smb_state$current_tree$share_type )
diff --git a/scripts/base/protocols/syslog/consts.zeek b/scripts/base/protocols/syslog/consts.zeek
index c68cbda658..9ec7c4ce12 100644
--- a/scripts/base/protocols/syslog/consts.zeek
+++ b/scripts/base/protocols/syslog/consts.zeek
@@ -31,7 +31,7 @@ export {
 		[23] =  "LOCAL7",
 		[999] = "UNSPECIFIED",
 	} &default=function(c: count): string { return fmt("?-%d", c); };
-	
+
 	## Mapping between the constants and string values for syslog severities.
 	const severity_codes: table[count] of string = {
 		[0] = "EMERG",
diff --git a/scripts/base/protocols/syslog/main.zeek b/scripts/base/protocols/syslog/main.zeek
index 612507c9c1..7a789a9400 100644
--- a/scripts/base/protocols/syslog/main.zeek
+++ b/scripts/base/protocols/syslog/main.zeek
@@ -1,4 +1,4 @@
-##! Core script support for logging syslog messages.  This script represents 
+##! Core script support for logging syslog messages.  This script represents
 ##! one syslog message as one logged record.
 
 @load ./consts
@@ -52,7 +52,7 @@ event syslog_message(c: connection, facility: count, severity: count, msg: strin
 	info$facility=facility_codes[facility];
 	info$severity=severity_codes[severity];
 	info$message=msg;
-	
+
 	c$syslog = info;
 	}
 
diff --git a/scripts/base/utils/conn-ids.zeek b/scripts/base/utils/conn-ids.zeek
index b5d7fffd77..5222d1ce82 100644
--- a/scripts/base/utils/conn-ids.zeek
+++ b/scripts/base/utils/conn-ids.zeek
@@ -3,16 +3,16 @@
 module GLOBAL;
 
 export {
-	## Takes a conn_id record and returns a string representation with the 
+	## Takes a conn_id record and returns a string representation with the
 	## general data flow appearing to be from the connection originator
 	## on the left to the responder on the right.
 	global id_string: function(id: conn_id): string;
-	
-	## Takes a conn_id record and returns a string representation with the 
+
+	## Takes a conn_id record and returns a string representation with the
 	## general data flow appearing to be from the connection responder
 	## on the right to the originator on the left.
 	global reverse_id_string: function(id: conn_id): string;
-	
+
 	## Calls :zeek:id:`id_string` or :zeek:id:`reverse_id_string` if the
 	## second argument is T or F, respectively.
 	global directed_id_string: function(id: conn_id, is_orig: bool): string;
diff --git a/scripts/base/utils/directions-and-hosts.zeek b/scripts/base/utils/directions-and-hosts.zeek
index 442b4d8454..70f1e9aa2e 100644
--- a/scripts/base/utils/directions-and-hosts.zeek
+++ b/scripts/base/utils/directions-and-hosts.zeek
@@ -58,7 +58,7 @@ type Host: enum {
 function addr_matches_host(ip: addr, h: Host): bool
 	{
 	if ( h == NO_HOSTS ) return F;
-	
+
 	return ( h == ALL_HOSTS ||
 	        (h == LOCAL_HOSTS && Site::is_local_addr(ip)) ||
 	        (h == REMOTE_HOSTS && !Site::is_local_addr(ip)) );
diff --git a/scripts/base/utils/numbers.zeek b/scripts/base/utils/numbers.zeek
index d2adb49ea2..41b8e601bb 100644
--- a/scripts/base/utils/numbers.zeek
+++ b/scripts/base/utils/numbers.zeek
@@ -1,8 +1,7 @@
-
 ## Extract an integer from a string.
-## 
+##
 ## s: The string to search for a number.
-## 
+##
 ## get_first: Provide `F` if you would like the last number found.
 ##
 ## Returns: The request integer from the given string or 0 if
diff --git a/scripts/base/utils/patterns.zeek b/scripts/base/utils/patterns.zeek
index c52556e86a..0fb7e0b72a 100644
--- a/scripts/base/utils/patterns.zeek
+++ b/scripts/base/utils/patterns.zeek
@@ -27,7 +27,7 @@ function set_to_regex(ss: set[string], pat: string): pattern
 	for ( s in ss )
 		{
 		local tmp_pattern = convert_for_pattern(s);
-		return_pat = ( i == 0 ) ? 
+		return_pat = ( i == 0 ) ?
 			 tmp_pattern : cat(tmp_pattern, "|", return_pat);
 		++i;
 		}
diff --git a/scripts/base/utils/strings.zeek b/scripts/base/utils/strings.zeek
index 4fa002acd6..e50954309f 100644
--- a/scripts/base/utils/strings.zeek
+++ b/scripts/base/utils/strings.zeek
@@ -25,7 +25,7 @@ function join_string_set(ss: set[string], j: string): string
 		{
 		if ( i > 0 )
 			output = cat(output, j);
-			
+
 		output = cat(output, s);
 		++i;
 		}
diff --git a/scripts/base/utils/thresholds.zeek b/scripts/base/utils/thresholds.zeek
index d30e9f2b0a..d095edf007 100644
--- a/scripts/base/utils/thresholds.zeek
+++ b/scripts/base/utils/thresholds.zeek
@@ -16,13 +16,13 @@ export {
 		## for.
 		index: count &default=0;
 	};
-	
-	## The thresholds you would like to use as defaults with the 
+
+	## The thresholds you would like to use as defaults with the
 	## :zeek:id:`default_check_threshold` function.
 	const default_notice_thresholds: vector of count = {
 		30, 100, 1000, 10000, 100000, 1000000, 10000000,
 	} &redef;
-	
+
 	## This will check if a :zeek:type:`TrackCount` variable has crossed any
 	## thresholds in a given set.
 	##
@@ -33,7 +33,7 @@ export {
 	##
 	## Returns: T if a threshold has been crossed, else F.
 	global check_threshold: function(v: vector of count, tracker: TrackCount): bool;
-	
+
 	## This will use the :zeek:id:`default_notice_thresholds` variable to
 	## check a :zeek:type:`TrackCount` variable to see if it has crossed
 	## another threshold.
diff --git a/scripts/policy/files/unified2/main.zeek b/scripts/policy/files/unified2/main.zeek
index c1ce27baf7..2930f483a0 100644
--- a/scripts/policy/files/unified2/main.zeek
+++ b/scripts/policy/files/unified2/main.zeek
@@ -1,4 +1,3 @@
-
 @load base/utils/dir
 @load base/utils/paths
 
@@ -255,7 +254,7 @@ event file_new(f: fa_file)
 	if ( |parts| == 3 )
 		file_dir = parts[0];
 
-	if ( (watch_file != "" && f$source == watch_file) || 
+	if ( (watch_file != "" && f$source == watch_file) ||
 	     (watch_dir != "" && compress_path(watch_dir) == file_dir) )
 		{
 		Files::add_analyzer(f, Files::ANALYZER_UNIFIED2);
diff --git a/scripts/policy/frameworks/control/controller.zeek b/scripts/policy/frameworks/control/controller.zeek
index b68f89b345..91820b7828 100644
--- a/scripts/policy/frameworks/control/controller.zeek
+++ b/scripts/policy/frameworks/control/controller.zeek
@@ -41,7 +41,7 @@ event Control::net_stats_response(s: string) &priority=-10
 	{
 	event terminate_event();
 	}
-	
+
 event Control::configuration_update_response() &priority=-10
 	{
 	event terminate_event();
@@ -68,7 +68,7 @@ function configurable_ids(): id_table
 		# We don't want to update non-const globals because that's usually
 		# where state is stored and those values will frequently be declared
 		# with &redef so that attributes can be redefined.
-		# 
+		#
 		# NOTE: functions are currently not fully supported for serialization and hence
 		# aren't sent.
 		if ( t$constant && t$redefinable && t$type_name != "func" )
diff --git a/scripts/policy/frameworks/dpd/packet-segment-logging.zeek b/scripts/policy/frameworks/dpd/packet-segment-logging.zeek
index 7dff2b07f8..7386097551 100644
--- a/scripts/policy/frameworks/dpd/packet-segment-logging.zeek
+++ b/scripts/policy/frameworks/dpd/packet-segment-logging.zeek
@@ -24,6 +24,6 @@ event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count,
                          reason: string) &priority=4
 	{
 	if ( ! c?$dpd ) return;
-	
+
 	c$dpd$packet_segment=fmt("%s", sub_bytes(get_current_packet()$data, 0, packet_segment_size));
 	}
diff --git a/scripts/policy/frameworks/files/detect-MHR.zeek b/scripts/policy/frameworks/files/detect-MHR.zeek
index 0c95dadec4..52f8dd7355 100644
--- a/scripts/policy/frameworks/files/detect-MHR.zeek
+++ b/scripts/policy/frameworks/files/detect-MHR.zeek
@@ -66,7 +66,7 @@ function do_mhr_lookup(hash: string, fi: Notice::FileInfo)
 
 event file_hash(f: fa_file, kind: string, hash: string)
 	{
-	if ( kind == "sha1" && f?$info && f$info?$mime_type && 
+	if ( kind == "sha1" && f?$info && f$info?$mime_type &&
 	     match_file_types in f$info$mime_type )
 		do_mhr_lookup(hash, Notice::create_file_info(f));
 	}
diff --git a/scripts/policy/frameworks/files/entropy-test-all-files.zeek b/scripts/policy/frameworks/files/entropy-test-all-files.zeek
index 9c704211f8..38c89e8c5d 100644
--- a/scripts/policy/frameworks/files/entropy-test-all-files.zeek
+++ b/scripts/policy/frameworks/files/entropy-test-all-files.zeek
@@ -1,10 +1,9 @@
-
 module Files;
 
 export {
 	redef record Files::Info += {
-		## The information density of the contents of the file, 
-		## expressed as a number of bits per character. 
+		## The information density of the contents of the file,
+		## expressed as a number of bits per character.
 		entropy: double &log &optional;
 	};
 }
diff --git a/scripts/policy/frameworks/intel/seen/file-hashes.zeek b/scripts/policy/frameworks/intel/seen/file-hashes.zeek
index 2e56ad3c48..e3295c5609 100644
--- a/scripts/policy/frameworks/intel/seen/file-hashes.zeek
+++ b/scripts/policy/frameworks/intel/seen/file-hashes.zeek
@@ -7,6 +7,6 @@ event file_hash(f: fa_file, kind: string, hash: string)
 	                         $indicator_type=Intel::FILE_HASH,
 	                         $f=f,
 	                         $where=Files::IN_HASH);
-	
+
 	Intel::seen(seen);
 	}
\ No newline at end of file
diff --git a/scripts/policy/frameworks/intel/whitelist.zeek b/scripts/policy/frameworks/intel/whitelist.zeek
index 527d828881..e1aa150c7f 100644
--- a/scripts/policy/frameworks/intel/whitelist.zeek
+++ b/scripts/policy/frameworks/intel/whitelist.zeek
@@ -22,9 +22,8 @@ hook Intel::extend_match(info: Info, s: Seen, items: set[Item]) &priority=9
 			break;
 			}
 		}
-	
+
 	if ( whitelisted )
 		# Prevent logging
 		break;
 	}
-
diff --git a/scripts/policy/frameworks/software/version-changes.zeek b/scripts/policy/frameworks/software/version-changes.zeek
index 865cc20447..060778584b 100644
--- a/scripts/policy/frameworks/software/version-changes.zeek
+++ b/scripts/policy/frameworks/software/version-changes.zeek
@@ -8,14 +8,14 @@
 module Software;
 
 export {
-	redef enum Notice::Type += { 
+	redef enum Notice::Type += {
 		## For certain software, a version changing may matter.  In that
 		## case, this notice will be generated.  Software that matters
 		## if the version changes can be configured with the
 		## :zeek:id:`Software::interesting_version_changes` variable.
 		Software_Version_Change,
 	};
-	
+
 	## Some software is more interesting when the version changes and this
 	## is a set of all software that should raise a notice when a different
 	## version is seen on a host.
diff --git a/scripts/policy/integration/barnyard2/main.zeek b/scripts/policy/integration/barnyard2/main.zeek
index 6e85db48d1..35f5a281ba 100644
--- a/scripts/policy/integration/barnyard2/main.zeek
+++ b/scripts/policy/integration/barnyard2/main.zeek
@@ -8,7 +8,7 @@ module Barnyard2;
 
 export {
 	redef enum Log::ID += { LOG };
-	
+
 	global log_policy: Log::PolicyHook;
 
 	type Info: record {
@@ -19,9 +19,9 @@ export {
 		## Associated alert data.
 		alert:              AlertData &log;
 	};
-	
+
 	## This can convert a Barnyard :zeek:type:`Barnyard2::PacketID` value to
-	## a :zeek:type:`conn_id` value in the case that you might need to index 
+	## a :zeek:type:`conn_id` value in the case that you might need to index
 	## into an existing data structure elsewhere within Zeek.
 	global pid2cid: function(p: PacketID): conn_id;
 }
@@ -40,22 +40,22 @@ function pid2cid(p: PacketID): conn_id
 event barnyard_alert(id: PacketID, alert: AlertData, msg: string, data: string)
 	{
 	Log::write(Barnyard2::LOG, [$ts=network_time(), $pid=id, $alert=alert]);
-	
+
 	#local proto_connection_string: string;
 	#if ( id$src_p == 0/tcp )
 	#	proto_connection_string = fmt("{PROTO:255} %s -> %s", id$src_ip, id$dst_ip);
 	#else
-	#	proto_connection_string = fmt("{%s} %s:%d -> %s:%d", 
+	#	proto_connection_string = fmt("{%s} %s:%d -> %s:%d",
 	#	                              to_upper(fmt("%s", get_port_transport_proto(id$dst_p))),
 	#	                              id$src_ip, id$src_p, id$dst_ip, id$dst_p);
     #
-	#local snort_alike_msg = fmt("%.6f [**] [%d:%d:%d] %s [**] [Classification: %s] [Priority: %d] %s", 
+	#local snort_alike_msg = fmt("%.6f [**] [%d:%d:%d] %s [**] [Classification: %s] [Priority: %d] %s",
 	#                            sad$ts,
 	#                            sad$generator_id,
 	#                            sad$signature_id,
 	#                            sad$signature_revision,
-	#                            msg, 
-	#                            sad$classification, 
-	#                            sad$priority_id, 
+	#                            msg,
+	#                            sad$classification,
+	#                            sad$priority_id,
 	#                            proto_connection_string);
 	}
diff --git a/scripts/policy/integration/barnyard2/types.zeek b/scripts/policy/integration/barnyard2/types.zeek
index da7015b302..ed8b35cf58 100644
--- a/scripts/policy/integration/barnyard2/types.zeek
+++ b/scripts/policy/integration/barnyard2/types.zeek
@@ -23,7 +23,7 @@ export {
 		dst_p: port;
 	} &log;
 
-	## This is the event that Barnyard2 instances will send if they're 
+	## This is the event that Barnyard2 instances will send if they're
 	## configured with the bro_alert output plugin.
 	global barnyard_alert: event(id: Barnyard2::PacketID,
 	                             alert: Barnyard2::AlertData,
diff --git a/scripts/policy/misc/trim-trace-file.zeek b/scripts/policy/misc/trim-trace-file.zeek
index f702e9027c..4e31d5fc3e 100644
--- a/scripts/policy/misc/trim-trace-file.zeek
+++ b/scripts/policy/misc/trim-trace-file.zeek
@@ -6,7 +6,7 @@ module TrimTraceFile;
 export {
 	## The interval between times that the output tracefile is rotated.
 	const trim_interval = 10 mins &redef;
-	
+
 	## This event can be generated externally to this script if on-demand
 	## tracefile rotation is required with the caveat that the script
 	## doesn't currently attempt to get back on schedule automatically and
@@ -19,14 +19,14 @@ event TrimTraceFile::go(first_trim: bool)
 	{
 	if ( zeek_is_terminating() || trace_output_file == "" )
 		return;
-	
+
 	if ( ! first_trim )
 		{
 		local info = rotate_file_by_name(trace_output_file);
 		if ( info$old_name != "" )
 			system(fmt("/bin/rm %s", safe_shell_quote(info$new_name)));
 		}
-	
+
 	schedule trim_interval { TrimTraceFile::go(F) };
 	}
 
@@ -35,4 +35,3 @@ event zeek_init()
 	if ( trim_interval > 0 secs )
 		schedule trim_interval { TrimTraceFile::go(T) };
 	}
-
diff --git a/scripts/policy/protocols/conn/known-hosts.zeek b/scripts/policy/protocols/conn/known-hosts.zeek
index b95c1176b2..279fa11917 100644
--- a/scripts/policy/protocols/conn/known-hosts.zeek
+++ b/scripts/policy/protocols/conn/known-hosts.zeek
@@ -1,5 +1,5 @@
 ##! This script logs hosts that Zeek determines have performed complete TCP
-##! handshakes and logs the address once per day (by default).  The log that 
+##! handshakes and logs the address once per day (by default).  The log that
 ##! is output provides an easy way to determine a count of the IP addresses in
 ##! use on a network per day.
 
@@ -29,11 +29,11 @@ export {
 	## with keys uniformly distributed over proxy nodes in cluster
 	## operation.
 	const use_host_store = T &redef;
-	
+
 	## The hosts whose existence should be logged and tracked.
 	## See :zeek:type:`Host` for possible choices.
 	option host_tracking = LOCAL_HOSTS;
-	
+
 	## Holds the set of all known hosts.  Keys in the store are addresses
 	## and their associated value will always be the "true" boolean.
 	global host_store: Cluster::StoreInfo;
@@ -49,8 +49,8 @@ export {
 	## :zeek:see:`Known::host_store`.
 	option host_store_timeout = 15sec;
 
-	## The set of all known addresses to store for preventing duplicate 
-	## logging of addresses.  It can also be used from other scripts to 
+	## The set of all known addresses to store for preventing duplicate
+	## logging of addresses.  It can also be used from other scripts to
 	## inspect if an address has been seen in use.
 	## Maintain the list of known hosts for 24 hours so that the existence
 	## of each individual address is logged each day.
diff --git a/scripts/policy/protocols/conn/known-services.zeek b/scripts/policy/protocols/conn/known-services.zeek
index 7143c63547..336504fcf6 100644
--- a/scripts/policy/protocols/conn/known-services.zeek
+++ b/scripts/policy/protocols/conn/known-services.zeek
@@ -84,7 +84,7 @@ export {
 }
 
 redef record connection += {
-	# This field is to indicate whether or not the processing for detecting 
+	# This field is to indicate whether or not the processing for detecting
 	# and logging the service for this connection is complete.
 	known_services_done: bool &default=F;
 };
@@ -314,4 +314,3 @@ event zeek_init() &priority=5
 	                                         $path="known_services",
 						 $policy=log_policy_services]);
 	}
-
diff --git a/scripts/policy/protocols/dns/detect-external-names.zeek b/scripts/policy/protocols/dns/detect-external-names.zeek
index 9533f396a2..8798df6361 100644
--- a/scripts/policy/protocols/dns/detect-external-names.zeek
+++ b/scripts/policy/protocols/dns/detect-external-names.zeek
@@ -1,6 +1,6 @@
 ##! This script detects names which are not within zones considered to be
-##! local but resolving to addresses considered local.  
-##! The :zeek:id:`Site::local_zones` variable **must** be set appropriately for 
+##! local but resolving to addresses considered local.
+##! The :zeek:id:`Site::local_zones` variable **must** be set appropriately for
 ##! this detection.
 
 @load base/frameworks/notice
@@ -9,7 +9,7 @@
 module DNS;
 
 export {
-	redef enum Notice::Type += { 
+	redef enum Notice::Type += {
 		## Raised when a non-local name is found to be pointing at a
 		## local host.  The :zeek:id:`Site::local_zones` variable
 		## **must** be set appropriately for this detection.
@@ -21,7 +21,7 @@ event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) &priori
 	{
 	if ( |Site::local_zones| == 0 )
 		return;
-	
+
 	# Check for responses from remote hosts that point at local hosts
 	# but the name is not considered to be within a "local" zone.
 	if ( Site::is_local_addr(a) &&            # referring to a local host
@@ -29,7 +29,7 @@ event dns_A_reply(c: connection, msg: dns_msg, ans: dns_answer, a: addr) &priori
 		{
 		NOTICE([$note=External_Name,
 		        $msg=fmt("%s is pointing to a local host - %s.", ans$query, a),
-		        $conn=c, 
+		        $conn=c,
 		        $identifier=cat(a,ans$query)]);
 		}
 	}
diff --git a/scripts/policy/protocols/ftp/detect.zeek b/scripts/policy/protocols/ftp/detect.zeek
index e1bd627921..1b3128065a 100644
--- a/scripts/policy/protocols/ftp/detect.zeek
+++ b/scripts/policy/protocols/ftp/detect.zeek
@@ -7,7 +7,7 @@ module FTP;
 
 export {
 	redef enum Notice::Type += {
-		## Indicates that a successful response to a "SITE EXEC" 
+		## Indicates that a successful response to a "SITE EXEC"
 		## command/arg pair was seen.
 		Site_Exec_Success,
 	};
@@ -16,10 +16,10 @@ export {
 event ftp_reply(c: connection, code: count, msg: string, cont_resp: bool) &priority=3
 	{
 	local response_xyz = parse_ftp_reply_code(code);
-	
+
 	# If a successful SITE EXEC command is executed, raise a notice.
 	if ( response_xyz$x == 2 &&
-	     c$ftp$cmdarg$cmd == "SITE" && 
+	     c$ftp$cmdarg$cmd == "SITE" &&
 	     /[Ee][Xx][Ee][Cc]/ in c$ftp$cmdarg$arg )
 		{
 		NOTICE([$note=Site_Exec_Success, $conn=c,
diff --git a/scripts/policy/protocols/http/detect-webapps.zeek b/scripts/policy/protocols/http/detect-webapps.zeek
index 29adbc6580..8b405eae9f 100644
--- a/scripts/policy/protocols/http/detect-webapps.zeek
+++ b/scripts/policy/protocols/http/detect-webapps.zeek
@@ -26,7 +26,7 @@ export {
 event signature_match(state: signature_state, msg: string, data: string) &priority=5
 	{
 	if ( /^webapp-/ !in state$sig_id ) return;
-	
+
 	local c = state$conn;
 	local si: Software::Info;
 	si = [$name=msg, $unparsed_version=msg, $host=c$id$resp_h, $host_p=c$id$resp_p, $software_type=WEB_APPLICATION];
diff --git a/scripts/policy/protocols/http/header-names.zeek b/scripts/policy/protocols/http/header-names.zeek
index 9f4e83638c..8838b41a0a 100644
--- a/scripts/policy/protocols/http/header-names.zeek
+++ b/scripts/policy/protocols/http/header-names.zeek
@@ -11,15 +11,15 @@ export {
 		## The vector of HTTP header names sent by the client.  No
 		## header values are included here, just the header names.
 		client_header_names:  vector of string &log &optional;
-		
+
 		## The vector of HTTP header names sent by the server.  No
 		## header values are included here, just the header names.
 		server_header_names:  vector of string &log &optional;
 	};
-	
+
 	## A boolean value to determine if client header names are to be logged.
 	option log_client_header_names = T;
-	
+
 	## A boolean value to determine if server header names are to be logged.
 	option log_server_header_names = F;
 }
diff --git a/scripts/policy/protocols/http/var-extraction-uri.zeek b/scripts/policy/protocols/http/var-extraction-uri.zeek
index 98eba48fed..776c659530 100644
--- a/scripts/policy/protocols/http/var-extraction-uri.zeek
+++ b/scripts/policy/protocols/http/var-extraction-uri.zeek
@@ -1,4 +1,4 @@
-##! Extracts and logs variables from the requested URI in the default HTTP 
+##! Extracts and logs variables from the requested URI in the default HTTP
 ##! logging stream.
 
 @load base/protocols/http
diff --git a/scripts/policy/protocols/modbus/track-memmap.zeek b/scripts/policy/protocols/modbus/track-memmap.zeek
index c725a27241..b92e90b891 100644
--- a/scripts/policy/protocols/modbus/track-memmap.zeek
+++ b/scripts/policy/protocols/modbus/track-memmap.zeek
@@ -82,10 +82,10 @@ event modbus_read_holding_registers_response(c: connection, headers: ModbusHeade
 			if ( slave_regs[c$modbus$track_address]$value != registers[i] )
 				{
 				local delta = network_time() - slave_regs[c$modbus$track_address]$last_set;
-				event Modbus::changed_register(c, c$modbus$track_address, 
+				event Modbus::changed_register(c, c$modbus$track_address,
 				                               slave_regs[c$modbus$track_address]$value, registers[i],
 				                               delta);
-				
+
 				slave_regs[c$modbus$track_address]$last_set = network_time();
 				slave_regs[c$modbus$track_address]$value = registers[i];
 				}
@@ -102,7 +102,7 @@ event modbus_read_holding_registers_response(c: connection, headers: ModbusHeade
 
 event Modbus::changed_register(c: connection, register: count, old_val: count, new_val: count, delta: interval)
 	{
-	local rec: MemmapInfo = [$ts=network_time(), $uid=c$uid, $id=c$id, 
+	local rec: MemmapInfo = [$ts=network_time(), $uid=c$uid, $id=c$id,
 	                         $register=register, $old_val=old_val, $new_val=new_val, $delta=delta];
 	Log::write(REGISTER_CHANGE_LOG, rec);
 	}
diff --git a/scripts/policy/protocols/smb/log-cmds.zeek b/scripts/policy/protocols/smb/log-cmds.zeek
index 569314e980..0d5e4acde3 100644
--- a/scripts/policy/protocols/smb/log-cmds.zeek
+++ b/scripts/policy/protocols/smb/log-cmds.zeek
@@ -39,7 +39,7 @@ event smb1_message(c: connection, hdr: SMB1::Header, is_orig: bool) &priority=-5
 
 	if ( c$smb_state$current_cmd$status in SMB::ignored_command_statuses )
 		return;
-	
+
 	if ( c$smb_state$current_cmd$command in SMB::deferred_logging_cmds )
 		return;
 
diff --git a/scripts/policy/protocols/smtp/blocklists.zeek b/scripts/policy/protocols/smtp/blocklists.zeek
index 4524a6dabb..16292c4390 100644
--- a/scripts/policy/protocols/smtp/blocklists.zeek
+++ b/scripts/policy/protocols/smtp/blocklists.zeek
@@ -6,7 +6,7 @@
 module SMTP;
 
 export {
-	redef enum Notice::Type += { 
+	redef enum Notice::Type += {
 		## An SMTP server sent a reply mentioning an SMTP block list.
 		Blocklist_Error_Message,
 		## The originator's address is seen in the block list error message.
@@ -21,19 +21,19 @@ export {
 		  /spamhaus\.org\//
 		| /sophos\.com\/security\//
 		| /spamcop\.net\/bl/
-		| /cbl\.abuseat\.org\// 
-		| /sorbs\.net\// 
+		| /cbl\.abuseat\.org\//
+		| /sorbs\.net\//
 		| /bsn\.borderware\.com\//
 		| /mail-abuse\.com\//
 		| /b\.barracudacentral\.com\//
-		| /psbl\.surriel\.com\// 
-		| /antispam\.imp\.ch\// 
+		| /psbl\.surriel\.com\//
+		| /antispam\.imp\.ch\//
 		| /dyndns\.com\/.*spam/
 		| /rbl\.knology\.net\//
 		| /intercept\.datapacket\.net\//
 		| /uceprotect\.net\//
 		| /hostkarma\.junkemailfilter\.com\//;
-	
+
 }
 
 event smtp_reply(c: connection, is_orig: bool, code: count, cmd: string,
@@ -55,8 +55,8 @@ event smtp_reply(c: connection, is_orig: bool, code: count, cmd: string,
 				note = Blocklist_Blocked_Host;
 				message = fmt("%s is on an SMTP block list", c$id$orig_h);
 				}
-			
-			NOTICE([$note=note, $conn=c, $msg=message, $sub=msg, 
+
+			NOTICE([$note=note, $conn=c, $msg=message, $sub=msg,
 			        $identifier=cat(c$id$orig_h)]);
 			}
 		}
diff --git a/scripts/policy/protocols/smtp/detect-suspicious-orig.zeek b/scripts/policy/protocols/smtp/detect-suspicious-orig.zeek
index 12a9a0c312..94edd62f27 100644
--- a/scripts/policy/protocols/smtp/detect-suspicious-orig.zeek
+++ b/scripts/policy/protocols/smtp/detect-suspicious-orig.zeek
@@ -24,7 +24,7 @@ event log_smtp(rec: Info)
 		{
 		ip = rec$x_originating_ip;
 		loc = lookup_location(ip);
-		
+
 		if ( (loc?$country_code &&
 			 loc$country_code in suspicious_origination_countries) ||
 			 ip in suspicious_origination_networks )
diff --git a/scripts/policy/protocols/smtp/software.zeek b/scripts/policy/protocols/smtp/software.zeek
index 342beedae0..06b4ca6c27 100644
--- a/scripts/policy/protocols/smtp/software.zeek
+++ b/scripts/policy/protocols/smtp/software.zeek
@@ -1,10 +1,10 @@
 ##! This script feeds software detected through email into the software
-##! framework.  Mail clients and webmail interfaces are the only thing 
+##! framework.  Mail clients and webmail interfaces are the only thing
 ##! currently detected.
-##! 
+##!
 ##! TODO:
 ##!
-##! * Find some heuristic to determine if email was sent through 
+##! * Find some heuristic to determine if email was sent through
 ##!   a MS Exchange webmail interface as opposed to a desktop client.
 
 @load base/frameworks/software/main
@@ -18,13 +18,13 @@ export {
 		MAIL_SERVER,
 		WEBMAIL_SERVER
 	};
-	
+
 	redef record Info += {
 		## Boolean indicator of if the message was sent through a
 		## webmail interface.
 		is_webmail: bool &log &default=F;
 	};
-	
+
 	## Assuming that local mail servers are more trustworthy with the
 	## headers they insert into message envelopes, this default makes Zeek
 	## not attempt to detect software in inbound message bodies.  If mail
@@ -34,15 +34,15 @@ export {
 	## incoming messages (network traffic originating from a non-local
 	## address), set this variable to EXTERNAL_HOSTS or ALL_HOSTS.
 	option detect_clients_in_messages_from = LOCAL_HOSTS;
-	
-	## A regular expression to match USER-AGENT-like headers to find if a 
+
+	## A regular expression to match USER-AGENT-like headers to find if a
 	## message was sent with a webmail interface.
 	option webmail_user_agents =
-	                     /^iPlanet Messenger/ 
+	                     /^iPlanet Messenger/
 	                   | /^Sun Java\(tm\) System Messenger Express/
 	                   | /\(IMP\)/  # Horde Internet Messaging Program
 	                   | /^SquirrelMail/
-	                   | /^NeoMail/ 
+	                   | /^NeoMail/
 	                   | /ZimbraWebClient/;
 }
 
@@ -66,12 +66,12 @@ event log_smtp(rec: Info)
 			{
 			s_type = WEBMAIL_SERVER;
 			# If the earliest received header indicates that the connection
-			# was via HTTP, then that likely means the actual mail software 
+			# was via HTTP, then that likely means the actual mail software
 			# is installed on the second address in the path.
 			if ( rec?$first_received && /via HTTP/ in rec$first_received )
 				client_ip = rec$path[|rec$path|-2];
 			}
-		
+
 		if ( addr_matches_host(rec$id$orig_h,
 		                       detect_clients_in_messages_from) )
 			{
@@ -79,4 +79,3 @@ event log_smtp(rec: Info)
 			}
 		}
 	}
-
diff --git a/scripts/policy/protocols/ssh/interesting-hostnames.zeek b/scripts/policy/protocols/ssh/interesting-hostnames.zeek
index 92f7bfc1dd..db80d7c6ac 100644
--- a/scripts/policy/protocols/ssh/interesting-hostnames.zeek
+++ b/scripts/policy/protocols/ssh/interesting-hostnames.zeek
@@ -1,7 +1,7 @@
-##! This script will generate a notice if an apparent SSH login originates 
-##! or heads to a host with a reverse hostname that looks suspicious.  By 
-##! default, the regular expression to match "interesting" hostnames includes 
-##! names that are typically used for infrastructure hosts like nameservers, 
+##! This script will generate a notice if an apparent SSH login originates
+##! or heads to a host with a reverse hostname that looks suspicious.  By
+##! default, the regular expression to match "interesting" hostnames includes
+##! names that are typically used for infrastructure hosts like nameservers,
 ##! mail servers, web servers and ftp servers.
 
 @load base/frameworks/notice
@@ -15,7 +15,7 @@ export {
 		## :zeek:id:`SSH::interesting_hostnames` regular expression.
 		Interesting_Hostname_Login,
 	};
-	
+
 	## Strange/bad host names to see successful SSH logins from or to.
 	option interesting_hostnames =
 			/^d?ns[0-9]*\./ |
@@ -49,4 +49,3 @@ event ssh_auth_successful(c: connection, auth_method_none: bool)
 		check_ssh_hostname(c$id, c$uid, host);
 		}
 	}
-
diff --git a/scripts/policy/protocols/ssh/software.zeek b/scripts/policy/protocols/ssh/software.zeek
index ba03bed284..4c44636914 100644
--- a/scripts/policy/protocols/ssh/software.zeek
+++ b/scripts/policy/protocols/ssh/software.zeek
@@ -1,4 +1,4 @@
-##! Extracts SSH client and server information from SSH 
+##! Extracts SSH client and server information from SSH
 ##! connections and forwards it to the software framework.
 
 @load base/frameworks/software
diff --git a/scripts/policy/protocols/ssl/expiring-certs.zeek b/scripts/policy/protocols/ssl/expiring-certs.zeek
index 066ff0d690..a217c03db4 100644
--- a/scripts/policy/protocols/ssl/expiring-certs.zeek
+++ b/scripts/policy/protocols/ssl/expiring-certs.zeek
@@ -1,4 +1,4 @@
-##! Generate notices when X.509 certificates over SSL/TLS are expired or 
+##! Generate notices when X.509 certificates over SSL/TLS are expired or
 ##! going to expire soon based on the date and time values stored within the
 ##! certificate.
 
diff --git a/scripts/policy/protocols/ssl/known-certs.zeek b/scripts/policy/protocols/ssl/known-certs.zeek
index 03b583cc9d..35fbcf0f7b 100644
--- a/scripts/policy/protocols/ssl/known-certs.zeek
+++ b/scripts/policy/protocols/ssl/known-certs.zeek
@@ -12,13 +12,13 @@ export {
 	redef enum Log::ID += { CERTS_LOG };
 
 	global log_policy_certs: Log::PolicyHook;
-	
+
 	type CertsInfo: record {
 		## The timestamp when the certificate was detected.
 		ts:             time   &log;
 		## The address that offered the certificate.
 		host:           addr   &log;
-		## If the certificate was handed out by a server, this is the 
+		## If the certificate was handed out by a server, this is the
 		## port that the server was listening on.
 		port_num:       port   &log &optional;
 		## Certificate subject.
@@ -28,7 +28,7 @@ export {
 		## Serial number for the certificate.
 		serial:         string &log &optional;
 	};
-	
+
 	## The certificates whose existence should be logged and tracked.
 	## Choices are: LOCAL_HOSTS, REMOTE_HOSTS, ALL_HOSTS, NO_HOSTS.
 	option cert_tracking = LOCAL_HOSTS;
@@ -38,7 +38,7 @@ export {
 	## with keys uniformly distributed over proxy nodes in cluster
 	## operation.
 	const use_cert_store = T &redef;
-	
+
 	type AddrCertHashPair: record {
 		host: addr;
 		hash: string;
@@ -60,15 +60,15 @@ export {
 	## :zeek:see:`Known::cert_store`.
 	option cert_store_timeout = 15sec;
 
-	## The set of all known certificates to store for preventing duplicate 
-	## logging. It can also be used from other scripts to 
-	## inspect if a certificate has been seen in use. The string value 
+	## The set of all known certificates to store for preventing duplicate
+	## logging. It can also be used from other scripts to
+	## inspect if a certificate has been seen in use. The string value
 	## in the set is for storing the DER formatted certificate' SHA1 hash.
 	##
 	## In cluster operation, this set is uniformly distributed across
 	## proxy nodes.
 	global certs: set[addr, string] &create_expire=1day &redef;
-	
+
 	## Event that can be handled to access the loggable record as it is sent
 	## on to the logging framework.
 	global log_known_certs: event(rec: CertsInfo);
diff --git a/scripts/policy/tuning/__load__.zeek b/scripts/policy/tuning/__load__.zeek
index 03449882f8..db9fe9a572 100644
--- a/scripts/policy/tuning/__load__.zeek
+++ b/scripts/policy/tuning/__load__.zeek
@@ -1,2 +1,2 @@
-##! This loads the default tuning 
+##! This loads the default tuning
 @load ./defaults
\ No newline at end of file
diff --git a/scripts/policy/tuning/defaults/packet-fragments.zeek b/scripts/policy/tuning/defaults/packet-fragments.zeek
index f95c826547..7ae0e4363c 100644
--- a/scripts/policy/tuning/defaults/packet-fragments.zeek
+++ b/scripts/policy/tuning/defaults/packet-fragments.zeek
@@ -1,7 +1,7 @@
 # Capture TCP fragments, but not UDP (or ICMP), since those are a lot more
 # common due to high-volume, fragmenting protocols such as NFS :-(.
 
-# This normally isn't used because of the default open packet filter 
+# This normally isn't used because of the default open packet filter
 # but we set it anyway in case the user is using a packet filter.
 # Note: This was removed because the default model now is to have a wide
 #       open packet filter.
diff --git a/scripts/policy/tuning/defaults/warnings.zeek b/scripts/policy/tuning/defaults/warnings.zeek
index 6c31e82d4e..0220fc78de 100644
--- a/scripts/policy/tuning/defaults/warnings.zeek
+++ b/scripts/policy/tuning/defaults/warnings.zeek
@@ -1,5 +1,5 @@
 ##! This file is meant to print messages on stdout for settings that would be
-##! good to set in most cases or other things that could be done to achieve 
+##! good to set in most cases or other things that could be done to achieve
 ##! better detection.
 
 @load base/utils/site

From 34694e67ea86b3cf053873f84276e0248130a1d3 Mon Sep 17 00:00:00 2001
From: zeek-bot <info@zeek.org>
Date: Thu, 21 Oct 2021 00:34:50 +0000
Subject: [PATCH 016/210] Update doc submodule [nomail] [skip ci]

---
 doc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc b/doc
index e2f2af92c5..9aaee4e6a3 160000
--- a/doc
+++ b/doc
@@ -1 +1 @@
-Subproject commit e2f2af92c55df3a27c31d8af79cb7a244af912b6
+Subproject commit 9aaee4e6a30826ed8e298e0b2bcd663b1f76f569

From e63ea95664cbd6988c14e9cee07ef29465b01e30 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Thu, 21 Oct 2021 16:38:57 -0700
Subject: [PATCH 017/210] Apply some missing clang-format changes

---
 src/Expr.cc                      |  3 +--
 src/analyzer/protocol/dns/DNS.cc | 20 +++++++++++---------
 src/analyzer/protocol/dns/DNS.h  |  9 ++++++---
 src/net_util.h                   |  5 +++++
 4 files changed, 23 insertions(+), 14 deletions(-)

diff --git a/src/Expr.cc b/src/Expr.cc
index 0c9c866b6c..41ae5bca3c 100644
--- a/src/Expr.cc
+++ b/src/Expr.cc
@@ -4328,8 +4328,7 @@ InExpr::InExpr(ExprPtr arg_op1, ExprPtr arg_op2)
 			return;
 			}
 
-		if ( op2->GetType()->Tag() == TYPE_TABLE &&
-		     op2->GetType()->AsTableType()->IsSubNetIndex() )
+		if ( op2->GetType()->Tag() == TYPE_TABLE && op2->GetType()->AsTableType()->IsSubNetIndex() )
 			{
 			SetType(base_type(TYPE_BOOL));
 			return;
diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc
index e7f0d9be09..b87a2a8598 100644
--- a/src/analyzer/protocol/dns/DNS.cc
+++ b/src/analyzer/protocol/dns/DNS.cc
@@ -1696,7 +1696,7 @@ bool DNS_Interpreter::ParseRR_CAA(detail::DNS_MsgInfo* msg, const u_char*& data,
 	}
 
 bool DNS_Interpreter::ParseRR_SVCB(detail::DNS_MsgInfo* msg, const u_char*& data, int& len,
-								   int rdlength, const u_char* msg_start, const RR_Type& svcb_type)
+                                   int rdlength, const u_char* msg_start, const RR_Type& svcb_type)
 	{
 	const u_char* data_start = data;
 	// the smallest SVCB/HTTPS rr is 3 bytes:
@@ -1721,12 +1721,13 @@ bool DNS_Interpreter::ParseRR_SVCB(detail::DNS_MsgInfo* msg, const u_char*& data
 		{
 		target_name[0] = '.';
 		target_name[1] = '\0';
-		name_end = target_name+1;
+		name_end = target_name + 1;
 		}
 
 	SVCB_DATA svcb_data = {
 		.svc_priority = svc_priority,
-		.target_name = make_intrusive<StringVal>(new String(target_name, name_end - target_name, true)),
+		.target_name = make_intrusive<StringVal>(
+			new String(target_name, name_end - target_name, true)),
 	};
 
 	// TODO: parse svcparams
@@ -1735,21 +1736,22 @@ bool DNS_Interpreter::ParseRR_SVCB(detail::DNS_MsgInfo* msg, const u_char*& data
 	std::ptrdiff_t parsed_bytes = data - data_start;
 	if ( parsed_bytes < rdlength )
 		{
-		len -= ( rdlength - parsed_bytes );
-		data += ( rdlength - parsed_bytes );
+		len -= (rdlength - parsed_bytes);
+		data += (rdlength - parsed_bytes);
 		}
 
-	switch( svcb_type )
+	switch ( svcb_type )
 		{
 		case detail::TYPE_SVCB:
 			analyzer->EnqueueConnEvent(dns_SVCB, analyzer->ConnVal(), msg->BuildHdrVal(),
-									msg->BuildAnswerVal(), msg->BuildSVCB_Val(svcb_data));
+			                           msg->BuildAnswerVal(), msg->BuildSVCB_Val(svcb_data));
 			break;
 		case detail::TYPE_HTTPS:
 			analyzer->EnqueueConnEvent(dns_HTTPS, analyzer->ConnVal(), msg->BuildHdrVal(),
-									msg->BuildAnswerVal(), msg->BuildSVCB_Val(svcb_data));
+			                           msg->BuildAnswerVal(), msg->BuildSVCB_Val(svcb_data));
 			break;
-		default: break; // unreachable. for suppressing compiler warnings.
+		default:
+			break; // unreachable. for suppressing compiler warnings.
 		}
 	return true;
 	}
diff --git a/src/analyzer/protocol/dns/DNS.h b/src/analyzer/protocol/dns/DNS.h
index f6f9a75f9a..edfeee031f 100644
--- a/src/analyzer/protocol/dns/DNS.h
+++ b/src/analyzer/protocol/dns/DNS.h
@@ -71,7 +71,9 @@ enum RR_Type
 	TYPE_DS = 43, ///< Delegation signer (RFC 4034)
 	TYPE_NSEC3 = 50,
 	TYPE_NSEC3PARAM = 51, ///< Contains the NSEC3 parameters (RFC 5155)
-	TYPE_SVCB = 64, ///< SerViCe Binding (RFC draft: https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https-07#section-1.1)
+	TYPE_SVCB =
+	64, ///< SerViCe Binding (RFC draft:
+	    ///< https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https-07#section-1.1)
 	TYPE_HTTPS = 65, ///< HTTPS record (HTTPS specific SVCB resource record)
 	// Obsoleted
 	TYPE_SPF = 99, ///< Alternative: storing SPF data in TXT records, using the same format (RFC
@@ -150,7 +152,8 @@ enum DNSSEC_Digest
 	SHA384 = 4,
 	};
 
-///< all keys are defined in RFC draft https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https-07#section-14.3.2
+///< all keys are defined in RFC draft
+///< https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https-07#section-14.3.2
 enum SVCPARAM_Key
 	{
 	mandatory = 0,
@@ -415,7 +418,7 @@ protected:
 	bool ParseRR_LOC(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, int rdlength,
 	                 const u_char* msg_start);
 	bool ParseRR_SVCB(detail::DNS_MsgInfo* msg, const u_char*& data, int& len, int rdlength,
-	                 const u_char* msg_start, const RR_Type& svcb_type);
+	                  const u_char* msg_start, const RR_Type& svcb_type);
 	void SendReplyOrRejectEvent(detail::DNS_MsgInfo* msg, EventHandlerPtr event,
 	                            const u_char*& data, int& len, String* question_name,
 	                            String* original_name);
diff --git a/src/net_util.h b/src/net_util.h
index 3a6f697388..90a22f0d50 100644
--- a/src/net_util.h
+++ b/src/net_util.h
@@ -21,12 +21,17 @@ enum IPFamily
 	IPv6
 	};
 
+// Force these files to stay in this order. Normally, clang-format
+// wants to move sys/types.h to the end of this block, but that
+// breaks FreeBSD builds.
+// clang-format off
 #include <sys/types.h>
 #include <arpa/inet.h>
 #include <assert.h>
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
 #include <netinet/ip.h>
+// clang-format on
 #ifdef HAVE_LINUX
 #define __FAVOR_BSD
 #endif

From e14b695497f858efc3c10d532e8e166838e10c80 Mon Sep 17 00:00:00 2001
From: Johanna Amann <johanna@corelight.com>
Date: Thu, 28 Oct 2021 16:55:02 +0200
Subject: [PATCH 018/210] Accept packets that use tcp segment offloading.

When checksum offloading is enabled, we now forward packets that
have 0 header lengths set - and assume that they have TSO enabled.

If checksum offloading is not enabled, we drop the packets.

Addresses GH-1829
---
 src/IP.h                                              |  6 +++++-
 src/packet_analysis/protocol/ip/IP.cc                 | 11 ++++++++---
 src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc    |  4 +++-
 src/packet_analysis/protocol/tcp/TCP.cc               |  4 ++++
 .../core.ip-broken-header/ip-bogus-header-weird.log   |  1 -
 5 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/src/IP.h b/src/IP.h
index 3c2fbef813..2b670cf72e 100644
--- a/src/IP.h
+++ b/src/IP.h
@@ -415,7 +415,11 @@ public:
 	uint16_t PayloadLen() const
 		{
 		if ( ip4 )
-			return ntohs(ip4->ip_len) - ip4->ip_hl * 4;
+			{
+			// prevent overflow in case of segment offloading/zeroed header length.
+			auto total_len = ntohs(ip4->ip_len);
+			return total_len ? total_len - ip4->ip_hl * 4 : 0;
+			}
 
 		return ntohs(ip6->ip6_plen) + 40 - ip6_hdrs->TotalLength();
 		}
diff --git a/src/packet_analysis/protocol/ip/IP.cc b/src/packet_analysis/protocol/ip/IP.cc
index e7ea5e75da..cb45f02e7e 100644
--- a/src/packet_analysis/protocol/ip/IP.cc
+++ b/src/packet_analysis/protocol/ip/IP.cc
@@ -81,8 +81,13 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 		// TCP segmentation offloading can zero out the ip_len field.
 		Weird("ip_hdr_len_zero", packet);
 
-		// Cope with the zero'd out ip_len field by using the caplen.
-		total_len = packet->cap_len - hdr_size;
+		if ( detail::ignore_checksums )
+			// Cope with the zero'd out ip_len field by using the caplen.
+			total_len = packet->cap_len - hdr_size;
+		else
+			// If this is caused by segmentation offloading, the checksum will
+			// also be incorrect. If checksum validation is enabled - jus tbail here.
+			return false;
 		}
 
 	if ( packet->len < total_len + hdr_size )
@@ -236,7 +241,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 	packet->proto = proto;
 
 	// Double check the lengths one more time before forwarding this on.
-	if ( packet->ip_hdr->TotalLen() < packet->ip_hdr->HdrLen() )
+	if ( total_len < packet->ip_hdr->HdrLen() )
 		{
 		Weird("bogus_IP_header_lengths", packet);
 		return false;
diff --git a/src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc b/src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc
index 785d914498..e18e46b2c1 100644
--- a/src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc
+++ b/src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc
@@ -115,7 +115,9 @@ bool IPBasedAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pkt
 
 bool IPBasedAnalyzer::CheckHeaderTrunc(size_t min_hdr_len, size_t remaining, Packet* packet)
 	{
-	if ( packet->ip_hdr->PayloadLen() < min_hdr_len )
+	// If segment offloading or similar is enabled, the payload len will return 0.
+	// Thus, let's ignore that case.
+	if ( packet->ip_hdr->PayloadLen() && packet->ip_hdr->PayloadLen() < min_hdr_len )
 		{
 		Weird("truncated_header", packet);
 		return false;
diff --git a/src/packet_analysis/protocol/tcp/TCP.cc b/src/packet_analysis/protocol/tcp/TCP.cc
index 5a45e28438..cdd8a4c80f 100644
--- a/src/packet_analysis/protocol/tcp/TCP.cc
+++ b/src/packet_analysis/protocol/tcp/TCP.cc
@@ -96,6 +96,10 @@ void TCPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
 	{
 	const u_char* data = pkt->ip_hdr->Payload();
 	int len = pkt->ip_hdr->PayloadLen();
+	// If the header length is zero, tcp checksum offloading is probably enabled
+	// In this case, let's fix up the length.
+	if ( pkt->ip_hdr->TotalLen() == 0 )
+		len = remaining;
 	auto* adapter = static_cast<TCPSessionAdapter*>(c->GetSessionAdapter());
 
 	const struct tcphdr* tp = ExtractTCP_Header(data, len, remaining, adapter);
diff --git a/testing/btest/Baseline/core.ip-broken-header/ip-bogus-header-weird.log b/testing/btest/Baseline/core.ip-broken-header/ip-bogus-header-weird.log
index d5adac806f..179c4fd1a7 100644
--- a/testing/btest/Baseline/core.ip-broken-header/ip-bogus-header-weird.log
+++ b/testing/btest/Baseline/core.ip-broken-header/ip-bogus-header-weird.log
@@ -8,5 +8,4 @@
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	name	addl	notice	peer	source
 #types	time	string	addr	port	addr	port	string	string	bool	string	string
 XXXXXXXXXX.XXXXXX	-	118.181.144.194	0	136.255.115.116	0	ip_hdr_len_zero	-	F	zeek	IP
-XXXXXXXXXX.XXXXXX	-	118.181.144.194	0	136.255.115.116	0	bogus_IP_header_lengths	-	F	zeek	IP
 #close XXXX-XX-XX-XX-XX-XX

From f1c81e3ab9cd6a70edc3d51c596e782069ae152d Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Thu, 28 Oct 2021 13:18:46 -0700
Subject: [PATCH 019/210] Update btest submodule to 0.70 [nomail] [skip ci]

---
 auxil/btest | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/auxil/btest b/auxil/btest
index 0a37819d48..882e5eb3dc 160000
--- a/auxil/btest
+++ b/auxil/btest
@@ -1 +1 @@
-Subproject commit 0a37819d484358999a47e76ac473da74799ab08d
+Subproject commit 882e5eb3dcec92e7e65423717ff59628ee9684a0

From b6444dce0c9c830ee3be5398b62e9a68efe56902 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Mon, 27 Sep 2021 12:11:19 -0700
Subject: [PATCH 020/210] Fix issue with broken libpcaps that return repeat
 packets

This is apparently a problem with the Myricom version of libpcap, where
instead of returning a null or a zero if no packets are available, it
returns the previous packet. This causes Zeek to improperly parse the
packet and crash. We thought we had fixed this previously with a check
for a null packet but that fix was not enough.
---
 src/iosource/pcap/Source.cc | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/iosource/pcap/Source.cc b/src/iosource/pcap/Source.cc
index 164bd06a2c..8afe55638a 100644
--- a/src/iosource/pcap/Source.cc
+++ b/src/iosource/pcap/Source.cc
@@ -247,6 +247,14 @@ bool PcapSource::ExtractNextPacket(Packet* pkt)
 	++stats.received;
 	stats.bytes_received += header->len;
 
+	// Some versions of libpcap (myricom) are somewhat broken and will return a duplicate
+	// packet if there are no more packets available. Namely, it returns the exact same
+	// packet structure (including the header) out of the library without reinitializing
+	// any of the values. If we set the header lengths to zero here, we can keep from
+	// processing it a second time.
+	header->len = 0;
+	header->caplen = 0;
+
 	return true;
 	}
 

From c25d5cecb260920af5a0403fdd73985b070dfef9 Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Mon, 1 Nov 2021 12:10:39 -0700
Subject: [PATCH 021/210] Update btest submodule to 0.71 [nomail] [skip ci]

---
 auxil/btest | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/auxil/btest b/auxil/btest
index 882e5eb3dc..5f954ec65c 160000
--- a/auxil/btest
+++ b/auxil/btest
@@ -1 +1 @@
-Subproject commit 882e5eb3dcec92e7e65423717ff59628ee9684a0
+Subproject commit 5f954ec65cb78b17f7156455c8c3c905a816ae96

From c2372ca9d85163952b534578f6826375bf0479f6 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Tue, 2 Nov 2021 16:05:59 -0700
Subject: [PATCH 022/210] GH-1781: Add .git-blame-ignore-revs file

---
 .git-blame-ignore-revs | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 .git-blame-ignore-revs

diff --git a/.git-blame-ignore-revs b/.git-blame-ignore-revs
new file mode 100644
index 0000000000..4a41859c7b
--- /dev/null
+++ b/.git-blame-ignore-revs
@@ -0,0 +1,26 @@
+# Reformat the world (initial clang-format formatting)
+b2f171ec69eae3a833a9db1b16e5234bd3eaf0b6
+
+# clang-format: Force zeek-config.h to be earlier in the config ordering
+9cb54f5d449b63006cc9a1f451a47732c92fef2d
+
+# clang-format: A few minor comment-spacing fixes
+07e276ab2e351ce71b709139f1933b9ead40d094
+
+# clang-format: Enforce ordering of includes in ZBody
+cb99ae2b7c9988656b097ad2789dffd2c0c37939
+
+# clang-format: Other include ordering changes
+e97c14add5b04aedc7f3f9dba59f665cbad793af
+
+# clang-format: Other minor formatting changes
+02206f3215f977ba7752476ba89ca06abe93375c
+
+# clang-format: Set IndentCaseBlocks to false
+4423574d265749da8e707ab0fbcffcbfaed26614
+
+# clang-format: Set penalty for breaking after assignment operator
+9af6b2f48d11b4e287d0f18034a486f76f9f2d61
+
+# Remove trailing whitespace from script files
+a6378531dbc5c357926d98fe785bb719cc70e1b4

From ceaec0902468c4dcf253c1e84c7237c09ad74aae Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Tue, 2 Nov 2021 12:59:54 -0700
Subject: [PATCH 023/210] GH-693: use pcap_dump_open_append where supported

---
 cmake                                       | 2 +-
 src/iosource/pcap/Dumper.cc                 | 6 +++++-
 testing/btest/bifs/dump_current_packet.zeek | 4 ++++
 zeek-config.h.in                            | 3 +++
 4 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/cmake b/cmake
index 4d1990f0e4..ed6c3e3414 160000
--- a/cmake
+++ b/cmake
@@ -1 +1 @@
-Subproject commit 4d1990f0e4c273cf51ec52278add6ff256f9c889
+Subproject commit ed6c3e341408c2469093c40969354c4fb1ebce99
diff --git a/src/iosource/pcap/Dumper.cc b/src/iosource/pcap/Dumper.cc
index 25aff8269e..3b46c5c15f 100644
--- a/src/iosource/pcap/Dumper.cc
+++ b/src/iosource/pcap/Dumper.cc
@@ -68,11 +68,15 @@ void PcapDumper::Open()
 
 	else
 		{
+#ifdef HAVE_PCAP_DUMP_OPEN_APPEND
+		dumper = pcap_dump_open_append(pd, props.path.c_str());
+#else
 		// Old file and we need to append, which, unfortunately,
 		// is not supported by libpcap. So, we have to hack a
-		// little bit, knowing that pcap_dumpter_t is, in fact,
+		// little bit, knowing that pcap_dumper_t is, in fact,
 		// a FILE ... :-(
 		dumper = (pcap_dumper_t*)fopen(props.path.c_str(), "a");
+#endif
 		if ( ! dumper )
 			{
 			Error(util::fmt("can't open dump %s: %s", props.path.c_str(), strerror(errno)));
diff --git a/testing/btest/bifs/dump_current_packet.zeek b/testing/btest/bifs/dump_current_packet.zeek
index ce177a1daf..712ffb0e4f 100644
--- a/testing/btest/bifs/dump_current_packet.zeek
+++ b/testing/btest/bifs/dump_current_packet.zeek
@@ -5,6 +5,10 @@
 # @TEST-EXEC: btest-diff 1.hex
 # @TEST-EXEC: btest-diff 2.hex
 
+# Run the same test a second time, which will try to write to an
+# existing file and shouldn't crash a sanitizer build.
+# @TEST-EXEC: zeek -b -r $TRACES/wikipedia.trace %INPUT
+
 # Note that the hex output will contain global pcap header information,
 # including Zeek's snaplen setting (so maybe check that out in the case
 # you are reading this message due to this test failing in the future).
diff --git a/zeek-config.h.in b/zeek-config.h.in
index 3c90bd5ceb..ff5edc8c8b 100644
--- a/zeek-config.h.in
+++ b/zeek-config.h.in
@@ -49,6 +49,9 @@
 /* Define if you have the <pcap-int.h> header file. */
 #cmakedefine HAVE_PCAP_INT_H
 
+/* Define if libpcap supports pcap_dump_open_append(). */
+#cmakedefine HAVE_PCAP_DUMP_OPEN_APPEND
+
 /* line editing & history powers */
 #cmakedefine HAVE_READLINE
 

From 4c7aac079f9d59c354e3c7c728c1eaf754afb13c Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Tue, 2 Nov 2021 21:44:06 -0700
Subject: [PATCH 024/210] Update doc submodule [nomail] [skip ci]

---
 doc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc b/doc
index 9aaee4e6a3..931cc50ce8 160000
--- a/doc
+++ b/doc
@@ -1 +1 @@
-Subproject commit 9aaee4e6a30826ed8e298e0b2bcd663b1f76f569
+Subproject commit 931cc50ce8fa21dbe8b2816136069b2d18716f06

From 75e584cb73561842f13c56ab3acaa18aff4cffb9 Mon Sep 17 00:00:00 2001
From: Yacin Nadji <yacin.nadji@corelight.com>
Date: Wed, 3 Nov 2021 14:21:02 -0400
Subject: [PATCH 025/210] Change set intersection test to be correct

---
 testing/btest/Baseline/language.set/out | 2 +-
 testing/btest/language/set.zeek         | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/testing/btest/Baseline/language.set/out b/testing/btest/Baseline/language.set/out
index 57bb3c068f..119293ede6 100644
--- a/testing/btest/Baseline/language.set/out
+++ b/testing/btest/Baseline/language.set/out
@@ -44,7 +44,7 @@ remove element (PASS)
 remove element (PASS)
 !in operator (PASS)
 union (PASS)
-intersection (FAIL)
+intersection (PASS)
 difference (PASS)
 difference (PASS)
 union/inter. (PASS)
diff --git a/testing/btest/language/set.zeek b/testing/btest/language/set.zeek
index 627474b2d3..60ef7b796a 100644
--- a/testing/btest/language/set.zeek
+++ b/testing/btest/language/set.zeek
@@ -150,7 +150,7 @@ function basic_functionality()
 	local a_and_b = a & b;
 
 	test_case( "union", a_or_b == a_plus_b );
-	test_case( "intersection", a_and_b == a_plus_b );
+	test_case( "intersection", a_and_b == a_also_b );
 	test_case( "difference", a - b == a_sans_b );
 	test_case( "difference", b - a == b_sans_a );
 

From aacb812b9ad08c50e3a6562aabfdb331f7cc5b6b Mon Sep 17 00:00:00 2001
From: Yacin Nadji <yacin.nadji@corelight.com>
Date: Wed, 3 Nov 2021 14:26:31 -0400
Subject: [PATCH 026/210] Fix C++ Intersection code

---
 src/Val.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Val.cc b/src/Val.cc
index 305a638d83..b4bf2d2be0 100644
--- a/src/Val.cc
+++ b/src/Val.cc
@@ -1716,7 +1716,7 @@ TableValPtr TableVal::Intersection(const TableVal& tv) const
 		}
 
 	const PDict<TableEntryVal>* tbl = AsTable();
-	for ( const auto& tble : *tbl )
+	for ( const auto& tble : *t1 )
 		{
 		auto k = tble.GetHashKey();
 

From d426e285ebfa0b5e0830c6512b31737e2dc9f039 Mon Sep 17 00:00:00 2001
From: Yacin Nadji <yacin.nadji@corelight.com>
Date: Wed, 3 Nov 2021 14:52:45 -0400
Subject: [PATCH 027/210] Add reverse order intersection check

---
 testing/btest/Baseline/language.set/out | 1 +
 testing/btest/language/set.zeek         | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/testing/btest/Baseline/language.set/out b/testing/btest/Baseline/language.set/out
index 119293ede6..51d2a72711 100644
--- a/testing/btest/Baseline/language.set/out
+++ b/testing/btest/Baseline/language.set/out
@@ -45,6 +45,7 @@ remove element (PASS)
 !in operator (PASS)
 union (PASS)
 intersection (PASS)
+intersection (PASS)
 difference (PASS)
 difference (PASS)
 union/inter. (PASS)
diff --git a/testing/btest/language/set.zeek b/testing/btest/language/set.zeek
index 60ef7b796a..4b81ecd0c8 100644
--- a/testing/btest/language/set.zeek
+++ b/testing/btest/language/set.zeek
@@ -148,9 +148,11 @@ function basic_functionality()
 
 	local a_or_b = a | b;
 	local a_and_b = a & b;
+        local b_and_a = b & a;
 
 	test_case( "union", a_or_b == a_plus_b );
 	test_case( "intersection", a_and_b == a_also_b );
+        test_case( "intersection", b_and_a == a_also_b );
 	test_case( "difference", a - b == a_sans_b );
 	test_case( "difference", b - a == b_sans_a );
 

From 96c45a6c93737b44d73541fee8e6a872b8be6fb4 Mon Sep 17 00:00:00 2001
From: Yacin Nadji <yacin.nadji@corelight.com>
Date: Wed, 3 Nov 2021 15:44:55 -0400
Subject: [PATCH 028/210] Remove unused tbl

---
 src/Val.cc | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/Val.cc b/src/Val.cc
index b4bf2d2be0..09beec75c5 100644
--- a/src/Val.cc
+++ b/src/Val.cc
@@ -1715,7 +1715,6 @@ TableValPtr TableVal::Intersection(const TableVal& tv) const
 		t0 = tmp;
 		}
 
-	const PDict<TableEntryVal>* tbl = AsTable();
 	for ( const auto& tble : *t1 )
 		{
 		auto k = tble.GetHashKey();

From cdb52e64602b3905d18dc5b688bcc160fac76cfa Mon Sep 17 00:00:00 2001
From: Yacin Nadji <yacin.nadji@corelight.com>
Date: Wed, 3 Nov 2021 15:46:17 -0400
Subject: [PATCH 029/210] Curse you tabs!

---
 testing/btest/language/set.zeek | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/testing/btest/language/set.zeek b/testing/btest/language/set.zeek
index 4b81ecd0c8..b396a0c572 100644
--- a/testing/btest/language/set.zeek
+++ b/testing/btest/language/set.zeek
@@ -148,11 +148,11 @@ function basic_functionality()
 
 	local a_or_b = a | b;
 	local a_and_b = a & b;
-        local b_and_a = b & a;
+	local b_and_a = b & a;
 
 	test_case( "union", a_or_b == a_plus_b );
 	test_case( "intersection", a_and_b == a_also_b );
-        test_case( "intersection", b_and_a == a_also_b );
+	test_case( "intersection", b_and_a == a_also_b );
 	test_case( "difference", a - b == a_sans_b );
 	test_case( "difference", b - a == b_sans_a );
 

From f7d18eeb9ec6ce0cfae9574940f4c0a8ba8f9eee Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Wed, 3 Nov 2021 13:40:22 -0700
Subject: [PATCH 030/210] Add Fedora 35 to CI

---
 .cirrus.yml             |  7 +++++++
 ci/fedora-35/Dockerfile | 23 +++++++++++++++++++++++
 2 files changed, 30 insertions(+)
 create mode 100644 ci/fedora-35/Dockerfile

diff --git a/.cirrus.yml b/.cirrus.yml
index 6157b8fb5d..04420c306d 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -93,6 +93,13 @@ env:
 # Linux EOL timelines: https://linuxlifecycle.com/
 # Fedora (~13 months): https://fedoraproject.org/wiki/Fedora_Release_Life_Cycle
 
+fedora35_task:
+  container:
+    # Fedora 35 EOL: Around Dec 2022
+    dockerfile: ci/fedora-35/Dockerfile
+    << : *RESOURCES_TEMPLATE
+  << : *CI_TEMPLATE
+
 fedora34_task:
   container:
     # Fedora 34 EOL: Around May 2022
diff --git a/ci/fedora-35/Dockerfile b/ci/fedora-35/Dockerfile
new file mode 100644
index 0000000000..a168642ff3
--- /dev/null
+++ b/ci/fedora-35/Dockerfile
@@ -0,0 +1,23 @@
+FROM fedora:35
+
+RUN dnf -y install \
+    bison \
+    cmake \
+    diffutils \
+    findutils \
+    flex \
+    git \
+    gcc \
+    gcc-c++ \
+    libpcap-devel \
+    make \
+    openssl-devel \
+    python3-devel \
+    python3-pip\
+    sqlite \
+    swig \
+    which \
+    zlib-devel \
+  && dnf clean all && rm -rf /var/cache/dnf
+
+RUN pip3 install junit2html

From bac833a2f9facd0034214b5ab1b30e3ef469159d Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Wed, 3 Nov 2021 13:52:40 -0700
Subject: [PATCH 031/210] Add macOS Monterey and drop Catalina in CI

---
 .cirrus.yml | 8 ++++----
 ci/build.sh | 5 +++++
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/.cirrus.yml b/.cirrus.yml
index 04420c306d..3b0b6bc8d9 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -219,16 +219,16 @@ alpine_task:
 
 # Apple doesn't publish official long-term support timelines.
 # We aim to support both the current and previous macOS release.
-macos_big_sur_task:
+macos_monterey_task:
   macos_instance:
-    image: big-sur-xcode-12.5
+    image: monterey-xcode-13.1
   prepare_script: ./ci/macos/prepare.sh
   << : *CI_TEMPLATE
   << : *MACOS_RESOURCES_TEMPLATE
 
-macos_catalina_task:
+macos_big_sur_task:
   macos_instance:
-    image: catalina-xcode
+    image: big-sur-xcode-12.5
   prepare_script: ./ci/macos/prepare.sh
   << : *CI_TEMPLATE
   << : *MACOS_RESOURCES_TEMPLATE
diff --git a/ci/build.sh b/ci/build.sh
index 20ca3237cc..051d119f62 100755
--- a/ci/build.sh
+++ b/ci/build.sh
@@ -10,6 +10,11 @@ set -x
 # some problems with Catalina specifically, but it doesn't break anything on Big Sur either.
 if [[ "${CIRRUS_OS}" == "darwin" ]]; then
     export ZEEK_CI_CONFIGURE_FLAGS="${ZEEK_CI_CONFIGURE_FLAGS} --osx-sysroot=$(xcrun --show-sdk-path)"
+
+    # Starting with Monterey & Xcode 13.1 we need to help it find OpenSSL
+    if [ -d /usr/local/opt/openssl@1.1/lib/pkgconfig ]; then
+        export PKG_CONFIG_PATH=$PKG_CONFIG_PATH:/usr/local/opt/openssl@1.1/lib/pkgconfig
+    fi
 fi
 
 if [[ "${ZEEK_CI_CREATE_ARTIFACT}" != "1" ]]; then

From c1ebb279cad11d25f0d0255c73b697d1c44c0a01 Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Wed, 3 Nov 2021 15:22:20 -0700
Subject: [PATCH 032/210] Only push CI's Docker images when we're on the main
 repo

---
 .github/workflows/docker.yml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 8253d3d4e8..459e81e417 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -27,6 +27,7 @@ jobs:
       # Create and boot a loader. This will e.g., provide caching
       # so we avoid rebuilds of the same image after this step.
       - uses: docker/setup-buildx-action@v1
+
       - name: Build
         uses: docker/build-push-action@v2
         with:
@@ -43,6 +44,7 @@ jobs:
       - name: Get version
         id: version
         run: echo "::set-output name=RELEASE_VERSION::$(cat VERSION)"
+
       - name: Compute target tag
         id: target
         env:
@@ -65,15 +67,16 @@ jobs:
 
       - name: Login to DockerHub
         uses: docker/login-action@v1
-        # Secrets for the login are not available for pull requests.
-        if: github.event_name == 'push'
+        # Don't publish on forks. Also note that secrets for the login are not
+        # available for pull requests, so trigger on pushes only.
+        if: github.repository == 'zeek/zeek' && github.event_name == 'push'
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
 
       - name: Push
         # Only publish if we did compute a tag.
-        if: github.event_name == 'push' && steps.target.outputs.tag != ''
+        if: github.repository == 'zeek/zeek' && github.event_name == 'push' && steps.target.outputs.tag != ''
         uses: docker/build-push-action@v2
         with:
           context: ./

From 1efaf8d7a4321ba06e967142d71dd398ccc7e01a Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@corelight.com>
Date: Thu, 7 Oct 2021 09:59:15 +0200
Subject: [PATCH 033/210] Move logic to execute `HookLoadFile` for signatures
 into rule matcher code.

This (1) fixes an issue where signature files supplied on the command
line wouldn't pass through the hooks, and (2) prepares for allowing
hooks to supply the content of a signature file directly.
---
 src/RuleMatcher.cc                            | 47 +++++++++++++++++--
 src/RuleMatcher.h                             |  3 +-
 src/ScannedFile.cc                            | 12 ++++-
 src/ScannedFile.h                             | 13 ++++-
 src/scan.l                                    | 28 +----------
 src/zeek-setup.cc                             | 10 ++--
 testing/btest/Baseline/plugins.hooks/output   |  6 +++
 .../Baseline/signatures.udp-state/reject      |  2 +-
 testing/btest/plugins/hooks.zeek              | 13 ++++-
 9 files changed, 94 insertions(+), 40 deletions(-)

diff --git a/src/RuleMatcher.cc b/src/RuleMatcher.cc
index 4cf0c15214..cd2455c074 100644
--- a/src/RuleMatcher.cc
+++ b/src/RuleMatcher.cc
@@ -24,6 +24,7 @@
 #include "zeek/ZeekString.h"
 #include "zeek/analyzer/Analyzer.h"
 #include "zeek/module_util.h"
+#include "zeek/plugin/Manager.h"
 
 using namespace std;
 
@@ -248,7 +249,7 @@ void RuleMatcher::Delete(RuleHdrTest* node)
 	delete node;
 	}
 
-bool RuleMatcher::ReadFiles(const std::vector<std::string>& files)
+bool RuleMatcher::ReadFiles(const std::vector<SignatureFile>& files)
 	{
 #ifdef USE_PERFTOOLS_DEBUG
 	HeapLeakChecker::Disabler disabler;
@@ -256,18 +257,54 @@ bool RuleMatcher::ReadFiles(const std::vector<std::string>& files)
 
 	parse_error = false;
 
-	for ( const auto& f : files )
+	for ( auto f : files )
 		{
-		rules_in = util::open_file(util::find_file(f, util::zeek_path(), ".sig"));
+		if ( ! f.full_path )
+			f.full_path = util::find_file(f.file, util::zeek_path(), ".sig");
+
+		int rc = PLUGIN_HOOK_WITH_RESULT(
+			HOOK_LOAD_FILE, HookLoadFile(zeek::plugin::Plugin::SIGNATURES, f.file, *f.full_path),
+			-1);
+
+		switch ( rc )
+			{
+			case -1:
+				// No plugin in charge of this file.
+				if ( f.full_path->empty() )
+					{
+					zeek::reporter->Error("failed to find file associated with @load-sigs %s",
+					                      f.file.c_str());
+					continue;
+					}
+				break;
+
+			case 0:
+				if ( ! zeek::reporter->Errors() )
+					zeek::reporter->Error("Plugin reported error loading signatures %s",
+					                      f.file.c_str());
+
+				exit(1);
+				break;
+
+			case 1:
+				// A plugin took care of it, just skip.
+				continue;
+
+			default:
+				assert(false);
+				break;
+			}
+
+		rules_in = util::open_file(*f.full_path);
 
 		if ( ! rules_in )
 			{
-			reporter->Error("Can't open signature file %s", f.data());
+			reporter->Error("Can't open signature file %s", f.file.c_str());
 			return false;
 			}
 
 		rules_line_number = 0;
-		current_rule_file = f.data();
+		current_rule_file = f.full_path->c_str();
 		rules_parse();
 		fclose(rules_in);
 		}
diff --git a/src/RuleMatcher.h b/src/RuleMatcher.h
index 9a89d39efd..f64a7bc97e 100644
--- a/src/RuleMatcher.h
+++ b/src/RuleMatcher.h
@@ -11,6 +11,7 @@
 #include "zeek/CCL.h"
 #include "zeek/RE.h"
 #include "zeek/Rule.h"
+#include "zeek/ScannedFile.h"
 
 //#define MATCHER_PRINT_STATS
 
@@ -259,7 +260,7 @@ public:
 	~RuleMatcher();
 
 	// Parse the given files and built up data structures.
-	bool ReadFiles(const std::vector<std::string>& files);
+	bool ReadFiles(const std::vector<SignatureFile>& files);
 
 	/**
 	 * Inititialize a state object for matching file magic signatures.
diff --git a/src/ScannedFile.cc b/src/ScannedFile.cc
index c5367748e4..8050f0fc12 100644
--- a/src/ScannedFile.cc
+++ b/src/ScannedFile.cc
@@ -10,7 +10,7 @@ namespace zeek::detail
 	{
 
 std::list<ScannedFile> files_scanned;
-std::vector<std::string> sig_files;
+std::vector<SignatureFile> sig_files;
 
 ScannedFile::ScannedFile(int arg_include_level, std::string arg_name, bool arg_skipped,
                          bool arg_prefixes_checked)
@@ -47,4 +47,14 @@ bool ScannedFile::AlreadyScanned() const
 	return rval;
 	}
 
+SignatureFile::SignatureFile(std::string file)
+	: file(std::move(file))
+	{
+	}
+
+SignatureFile::SignatureFile(std::string file, std::string full_path)
+	: file(std::move(file)), full_path(std::move(full_path))
+	{
+	}
+
 	} // namespace zeek::detail
diff --git a/src/ScannedFile.h b/src/ScannedFile.h
index 902d627f7d..9829b2c1d2 100644
--- a/src/ScannedFile.h
+++ b/src/ScannedFile.h
@@ -3,6 +3,7 @@
 #pragma once
 
 #include <list>
+#include <optional>
 #include <string>
 #include <vector>
 
@@ -34,6 +35,16 @@ public:
 	};
 
 extern std::list<ScannedFile> files_scanned;
-extern std::vector<std::string> sig_files;
+
+struct SignatureFile
+	{
+	std::string file;
+	std::optional<std::string> full_path;
+
+	SignatureFile(std::string file);
+	SignatureFile(std::string file, std::string full_path);
+	};
+
+extern std::vector<SignatureFile> sig_files;
 
 	} // namespace zeek::detail
diff --git a/src/scan.l b/src/scan.l
index e6af14cd89..dbcb3fcfd3 100644
--- a/src/scan.l
+++ b/src/scan.l
@@ -348,33 +348,7 @@ when	return TOK_WHEN;
 @load-sigs{WS}{FILE} {
 	const char* file = zeek::util::skip_whitespace(yytext + 10);
 	std::string path = find_relative_file(file, ".sig");
-	int rc = PLUGIN_HOOK_WITH_RESULT(HOOK_LOAD_FILE, HookLoadFile(zeek::plugin::Plugin::SIGNATURES, file, path), -1);
-
-	switch ( rc ) {
-	case -1:
-		// No plugin in charge of this file.
-		if ( path.empty() )
-			zeek::reporter->Error("failed to find file associated with @load-sigs %s",
-			                      file);
-		else
-			zeek::detail::sig_files.push_back(std::move(path));
-		break;
-
-	case 0:
-		if ( ! zeek::reporter->Errors() )
-			zeek::reporter->Error("Plugin reported error loading signatures %s", file);
-
-		exit(1);
-		break;
-
-	case 1:
-		// A plugin took care of it, just skip.
-		break;
-
-	default:
-		assert(false);
-		break;
-	}
+	sig_files.emplace_back(file, path);
 	}
 
 @load-plugin{WS}{ID} {
diff --git a/src/zeek-setup.cc b/src/zeek-setup.cc
index dad543c282..b2e77df628 100644
--- a/src/zeek-setup.cc
+++ b/src/zeek-setup.cc
@@ -737,15 +737,19 @@ SetupResult setup(int argc, char** argv, Options* zopts)
 			id->SetVal(make_intrusive<StringVal>(*options.pcap_filter));
 			}
 
-		auto all_signature_files = options.signature_files;
+		std::vector<SignatureFile> all_signature_files;
+
+		// Append signature files given on the command line
+		for ( const auto& sf : options.signature_files )
+			all_signature_files.push_back(sf);
 
 		// Append signature files defined in "signature_files" script option
 		for ( auto&& sf : get_script_signature_files() )
-			all_signature_files.emplace_back(std::move(sf));
+			all_signature_files.push_back(std::move(sf));
 
 		// Append signature files defined in @load-sigs
 		for ( const auto& sf : zeek::detail::sig_files )
-			all_signature_files.emplace_back(sf);
+			all_signature_files.push_back(sf);
 
 		if ( ! all_signature_files.empty() )
 			{
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index e16e7c63b6..e340ed914b 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -1034,6 +1034,7 @@
 0.000000   MetaHookPost  LoadFile(0, base<...>/zeek.bif, <...>/zeek.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, builtin-plugins/__load__.zeek, <...>/__load__.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, builtin-plugins/__preload__.zeek, <...>/__preload__.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, s1.sig, ./s1.sig) -> -1
 0.000000   MetaHookPost  LoadFile(1, ./archive, <...>/archive.sig) -> -1
 0.000000   MetaHookPost  LoadFile(1, ./audio, <...>/audio.sig) -> -1
 0.000000   MetaHookPost  LoadFile(1, ./dpd.sig, <...>/dpd.sig) -> -1
@@ -1046,6 +1047,7 @@
 0.000000   MetaHookPost  LoadFile(1, ./office, <...>/office.sig) -> -1
 0.000000   MetaHookPost  LoadFile(1, ./programming, <...>/programming.sig) -> -1
 0.000000   MetaHookPost  LoadFile(1, ./video, <...>/video.sig) -> -1
+0.000000   MetaHookPost  LoadFile(1, s2, ./s2.sig) -> -1
 0.000000   MetaHookPost  LogInit(Log::WRITER_ASCII, default, true, true, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}) -> <void>
 0.000000   MetaHookPost  LogWrite(Log::WRITER_ASCII, default, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}, <void ptr>) -> true
 0.000000   MetaHookPost  QueueEvent(NetControl::init()) -> false
@@ -2086,6 +2088,7 @@
 0.000000   MetaHookPre   LoadFile(0, base<...>/zeek.bif, <...>/zeek.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, builtin-plugins/__load__.zeek, <...>/__load__.zeek)
 0.000000   MetaHookPre   LoadFile(0, builtin-plugins/__preload__.zeek, <...>/__preload__.zeek)
+0.000000   MetaHookPre   LoadFile(0, s1.sig, ./s1.sig)
 0.000000   MetaHookPre   LoadFile(1, ./archive, <...>/archive.sig)
 0.000000   MetaHookPre   LoadFile(1, ./audio, <...>/audio.sig)
 0.000000   MetaHookPre   LoadFile(1, ./dpd.sig, <...>/dpd.sig)
@@ -2098,6 +2101,7 @@
 0.000000   MetaHookPre   LoadFile(1, ./office, <...>/office.sig)
 0.000000   MetaHookPre   LoadFile(1, ./programming, <...>/programming.sig)
 0.000000   MetaHookPre   LoadFile(1, ./video, <...>/video.sig)
+0.000000   MetaHookPre   LoadFile(1, s2, ./s2.sig)
 0.000000   MetaHookPre   LogInit(Log::WRITER_ASCII, default, true, true, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)})
 0.000000   MetaHookPre   LogWrite(Log::WRITER_ASCII, default, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}, <void ptr>)
 0.000000   MetaHookPre   QueueEvent(NetControl::init())
@@ -3149,6 +3153,8 @@
 0.000000 | HookLoadFile  base<...>/zeek.bif <...>/zeek.bif.zeek
 0.000000 | HookLoadFile  builtin-plugins/__load__.zeek <...>/__load__.zeek
 0.000000 | HookLoadFile  builtin-plugins/__preload__.zeek <...>/__preload__.zeek
+0.000000 | HookLoadFile  s1.sig ./s1.sig
+0.000000 | HookLoadFile  s2 ./s2.sig
 0.000000 | HookLogInit   packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)}
 0.000000 | HookLogWrite  packet_filter [ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T]
 0.000000 | HookQueueEvent NetControl::init()
diff --git a/testing/btest/Baseline/signatures.udp-state/reject b/testing/btest/Baseline/signatures.udp-state/reject
index aaeba4be58..9d97a9ac45 100644
--- a/testing/btest/Baseline/signatures.udp-state/reject
+++ b/testing/btest/Baseline/signatures.udp-state/reject
@@ -1,3 +1,3 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-error: Error in signature (udp-established.sig:5): 'established' is not a valid 'udp-state'
+error: Error in signature (./udp-established.sig:5): 'established' is not a valid 'udp-state'
 
diff --git a/testing/btest/plugins/hooks.zeek b/testing/btest/plugins/hooks.zeek
index cfff751eca..992d305f14 100644
--- a/testing/btest/plugins/hooks.zeek
+++ b/testing/btest/plugins/hooks.zeek
@@ -1,8 +1,19 @@
 # @TEST-EXEC: ${DIST}/auxil/zeek-aux/plugin-support/init-plugin -u . Demo Hooks
 # @TEST-EXEC: cp -r %DIR/hooks-plugin/* .
 # @TEST-EXEC: ./configure --zeek-dist=${DIST} && make
-# @TEST-EXEC: ZEEK_PLUGIN_ACTIVATE="Demo::Hooks" ZEEK_PLUGIN_PATH=`pwd` zeek -b -r $TRACES/http/get.trace %INPUT 2>&1 | $SCRIPTS/diff-remove-abspath | sort | uniq  >output
+# @TEST-EXEC: ZEEK_PLUGIN_ACTIVATE="Demo::Hooks" ZEEK_PLUGIN_PATH=`pwd` zeek -b -r $TRACES/http/get.trace %INPUT s1.sig 2>&1 | $SCRIPTS/diff-remove-abspath | sort | uniq  >output
 # @TEST-EXEC: btest-diff output
 
 @unload base/misc/version
 @load base/init-default
+
+@load-sigs s2
+
+@TEST-START-FILE s1.sig
+# Just empty.
+@TEST-END-FILE
+
+@TEST-START-FILE s2.sig
+# Just empty.
+@TEST-END-FILE
+

From 34eaf42b926c64424a6bd5060ce59e16c5baa37d Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@corelight.com>
Date: Fri, 24 Sep 2021 12:50:27 +0200
Subject: [PATCH 034/210] Add new hook `HookLoadFileExtended` that allows
 plugins to supply Zeek script code to parse.

The new hooks works similar to the existing `HookLoadFile` but,
additionally, allows the plugin to return a string that contains the
code to be used for the file being loaded. If the plugin does so, the
content of any actual file on disk will be ignored (in fact, there
doesn't even need to be a file on disk in that case). This works for
both Zeek scripts and signatures.

There's a new test that covers the new functionality, testing loading
both scripts and signatures from memory. I also manually tested that the
debugger integration works, but I don't see much of a way to add a
regression test for that part.

We keep the existing hook as well for backwards compatibility. We could
decide to deprecate it, but not sure that buys us much, so left that
out.

Closes #1757.
---
 src/PolicyFile.cc                             |   65 +-
 src/PolicyFile.h                              |    6 +-
 src/RuleMatcher.cc                            |   52 +-
 src/RuleMatcher.h                             |    2 +-
 src/ScannedFile.cc                            |    5 +-
 src/plugin/Manager.cc                         |   35 +
 src/plugin/Manager.h                          |   26 +
 src/plugin/Plugin.cc                          |   23 +
 src/plugin/Plugin.h                           |   52 +-
 src/rule-scan.l                               |   20 +
 src/scan.l                                    |  104 +-
 src/zeek-setup.cc                             |    6 +-
 .../missing-sig-file                          |    2 +-
 testing/btest/Baseline/plugins.hooks/output   | 1098 +++++++++++++++++
 .../plugins.plugin-load-file-extended/output  |    7 +
 .../btest/plugins/hooks-plugin/src/Plugin.cc  |    8 +
 .../btest/plugins/hooks-plugin/src/Plugin.h   |    1 +
 .../plugins/plugin-load-file-extended.zeek    |   17 +
 .../plugin-load-file-extended/.btest-ignore   |    0
 .../plugin-load-file-extended/src/Plugin.cc   |   70 ++
 .../plugin-load-file-extended/src/Plugin.h    |   18 +
 21 files changed, 1525 insertions(+), 92 deletions(-)
 create mode 100644 testing/btest/Baseline/plugins.plugin-load-file-extended/output
 create mode 100644 testing/btest/plugins/plugin-load-file-extended.zeek
 create mode 100644 testing/btest/plugins/plugin-load-file-extended/.btest-ignore
 create mode 100644 testing/btest/plugins/plugin-load-file-extended/src/Plugin.cc
 create mode 100644 testing/btest/plugins/plugin-load-file-extended/src/Plugin.h

diff --git a/src/PolicyFile.cc b/src/PolicyFile.cc
index 3d7592f52b..eaee5a9916 100644
--- a/src/PolicyFile.cc
+++ b/src/PolicyFile.cc
@@ -72,49 +72,60 @@ int how_many_lines_in(const char* policy_filename)
 	return pf->lines.size();
 	}
 
-bool LoadPolicyFileText(const char* policy_filename)
+bool LoadPolicyFileText(const char* policy_filename,
+                        const std::optional<std::string>& preloaded_content)
 	{
 	if ( ! policy_filename )
 		return true;
 
-	FILE* f = fopen(policy_filename, "r");
-
-	if ( ! f )
-		{
-		debug_msg("No such policy file: %s.\n", policy_filename);
-		return false;
-		}
-
-	PolicyFile* pf = new PolicyFile;
-
 	if ( policy_files.find(policy_filename) != policy_files.end() )
 		debug_msg("Policy file %s already loaded\n", policy_filename);
 
+	PolicyFile* pf = new PolicyFile;
 	policy_files.insert(PolicyFileMap::value_type(policy_filename, pf));
 
-	struct stat st;
-	if ( fstat(fileno(f), &st) != 0 )
+	if ( preloaded_content )
 		{
-		char buf[256];
-		util::zeek_strerror_r(errno, buf, sizeof(buf));
-		reporter->Error("fstat failed on %s: %s", policy_filename, buf);
-		fclose(f);
-		return false;
+		auto size = preloaded_content->size();
+		pf->filedata = new char[size + 1];
+		memcpy(pf->filedata, preloaded_content->data(), size);
+		pf->filedata[size] = '\0';
 		}
+	else
+		{
+		FILE* f = fopen(policy_filename, "r");
 
-	pf->lmtime = st.st_mtime;
-	off_t size = st.st_size;
+		if ( ! f )
+			{
+			debug_msg("No such policy file: %s.\n", policy_filename);
+			return false;
+			}
 
-	// ### This code is not necessarily Unicode safe!
-	// (probably fine with UTF-8)
-	pf->filedata = new char[size + 1];
-	if ( fread(pf->filedata, size, 1, f) != 1 )
-		reporter->InternalError("Failed to fread() file data");
-	pf->filedata[size] = 0;
-	fclose(f);
+		struct stat st;
+		if ( fstat(fileno(f), &st) != 0 )
+			{
+			char buf[256];
+			util::zeek_strerror_r(errno, buf, sizeof(buf));
+			reporter->Error("fstat failed on %s: %s", policy_filename, buf);
+			fclose(f);
+			return false;
+			}
+
+		pf->lmtime = st.st_mtime;
+		off_t size = st.st_size;
+
+		// ### This code is not necessarily Unicode safe!
+		// (probably fine with UTF-8)
+		pf->filedata = new char[size + 1];
+		if ( fread(pf->filedata, size, 1, f) != 1 )
+			reporter->InternalError("Failed to fread() file data");
+		pf->filedata[size] = 0;
+		fclose(f);
+		}
 
 	// Separate the string by newlines.
 	pf->lines.push_back(pf->filedata);
+
 	for ( char* iter = pf->filedata; *iter; ++iter )
 		{
 		if ( *iter == '\n' )
diff --git a/src/PolicyFile.h b/src/PolicyFile.h
index bda675638e..d85883cb0b 100644
--- a/src/PolicyFile.h
+++ b/src/PolicyFile.h
@@ -14,12 +14,16 @@
 // policy_filename arguments should be absolute or relative paths;
 // no expansion is done.
 
+#include <optional>
+#include <string>
+
 namespace zeek::detail
 	{
 
 int how_many_lines_in(const char* policy_filename);
 
-bool LoadPolicyFileText(const char* policy_filename);
+bool LoadPolicyFileText(const char* policy_filename,
+                        const std::optional<std::string>& preloaded_content = {});
 
 // start_line is 1-based (the intuitive way)
 bool PrintLines(const char* policy_filename, unsigned int start_line, unsigned int how_many_lines,
diff --git a/src/RuleMatcher.cc b/src/RuleMatcher.cc
index cd2455c074..42c3c568b0 100644
--- a/src/RuleMatcher.cc
+++ b/src/RuleMatcher.cc
@@ -24,10 +24,14 @@
 #include "zeek/ZeekString.h"
 #include "zeek/analyzer/Analyzer.h"
 #include "zeek/module_util.h"
-#include "zeek/plugin/Manager.h"
 
 using namespace std;
 
+// Functions exposed by rule-scan.l
+extern void rules_set_input_from_buffer(const char* data, size_t size);
+extern void rules_set_input_from_file(FILE* f);
+extern void rules_parse_input();
+
 namespace zeek::detail
 	{
 
@@ -262,11 +266,18 @@ bool RuleMatcher::ReadFiles(const std::vector<SignatureFile>& files)
 		if ( ! f.full_path )
 			f.full_path = util::find_file(f.file, util::zeek_path(), ".sig");
 
-		int rc = PLUGIN_HOOK_WITH_RESULT(
+		std::pair<int, std::optional<std::string>> rc = {-1, std::nullopt};
+		rc.first = PLUGIN_HOOK_WITH_RESULT(
 			HOOK_LOAD_FILE, HookLoadFile(zeek::plugin::Plugin::SIGNATURES, f.file, *f.full_path),
 			-1);
 
-		switch ( rc )
+		if ( rc.first < 0 )
+			rc = PLUGIN_HOOK_WITH_RESULT(
+				HOOK_LOAD_FILE_EXT,
+				HookLoadFileExtended(zeek::plugin::Plugin::SIGNATURES, f.file, *f.full_path),
+				std::make_pair(-1, std::nullopt));
+
+		switch ( rc.first )
 			{
 			case -1:
 				// No plugin in charge of this file.
@@ -287,26 +298,45 @@ bool RuleMatcher::ReadFiles(const std::vector<SignatureFile>& files)
 				break;
 
 			case 1:
-				// A plugin took care of it, just skip.
-				continue;
+				if ( ! rc.second )
+					// A plugin took care of it, just skip.
+					continue;
+
+				break;
 
 			default:
 				assert(false);
 				break;
 			}
 
-		rules_in = util::open_file(*f.full_path);
+		FILE* rules_in = nullptr;
 
-		if ( ! rules_in )
+		if ( rc.first == 1 )
 			{
-			reporter->Error("Can't open signature file %s", f.file.c_str());
-			return false;
+			// Parse code provided by plugin.
+			assert(rc.second);
+			rules_set_input_from_buffer(rc.second->data(), rc.second->size());
+			}
+		else
+			{
+			// Parse from file.
+			rules_in = util::open_file(*f.full_path);
+
+			if ( ! rules_in )
+				{
+				reporter->Error("Can't open signature file %s", f.file.c_str());
+				return false;
+				}
+
+			rules_set_input_from_file(rules_in);
 			}
 
 		rules_line_number = 0;
 		current_rule_file = f.full_path->c_str();
-		rules_parse();
-		fclose(rules_in);
+		rules_parse_input();
+
+		if ( rules_in )
+			fclose(rules_in);
 		}
 
 	if ( parse_error )
diff --git a/src/RuleMatcher.h b/src/RuleMatcher.h
index f64a7bc97e..76599c117a 100644
--- a/src/RuleMatcher.h
+++ b/src/RuleMatcher.h
@@ -12,6 +12,7 @@
 #include "zeek/RE.h"
 #include "zeek/Rule.h"
 #include "zeek/ScannedFile.h"
+#include "zeek/plugin/Manager.h"
 
 //#define MATCHER_PRINT_STATS
 
@@ -23,7 +24,6 @@ extern void rules_error(zeek::detail::Rule* id, const char* msg);
 extern int rules_lex(void);
 extern int rules_parse(void);
 extern "C" int rules_wrap(void);
-extern FILE* rules_in;
 extern int rules_line_number;
 extern const char* current_rule_file;
 
diff --git a/src/ScannedFile.cc b/src/ScannedFile.cc
index 8050f0fc12..590511050e 100644
--- a/src/ScannedFile.cc
+++ b/src/ScannedFile.cc
@@ -47,10 +47,7 @@ bool ScannedFile::AlreadyScanned() const
 	return rval;
 	}
 
-SignatureFile::SignatureFile(std::string file)
-	: file(std::move(file))
-	{
-	}
+SignatureFile::SignatureFile(std::string file) : file(std::move(file)) { }
 
 SignatureFile::SignatureFile(std::string file, std::string full_path)
 	: file(std::move(file)), full_path(std::move(full_path))
diff --git a/src/plugin/Manager.cc b/src/plugin/Manager.cc
index f8f9783894..8215c5c56c 100644
--- a/src/plugin/Manager.cc
+++ b/src/plugin/Manager.cc
@@ -692,6 +692,41 @@ int Manager::HookLoadFile(const Plugin::LoadType type, const string& file, const
 	return rc;
 	}
 
+std::pair<int, std::optional<std::string>>
+Manager::HookLoadFileExtended(const Plugin::LoadType type, const string& file,
+                              const string& resolved)
+	{
+	HookArgumentList args;
+
+	if ( HavePluginForHook(META_HOOK_PRE) )
+		{
+		args.push_back(HookArgument(type));
+		args.push_back(HookArgument(file));
+		args.push_back(HookArgument(resolved));
+		MetaHookPre(HOOK_LOAD_FILE_EXT, args);
+		}
+
+	hook_list* l = hooks[HOOK_LOAD_FILE_EXT];
+
+	std::pair<int, std::optional<std::string>> rc = {-1, std::nullopt};
+
+	if ( l )
+		for ( hook_list::iterator i = l->begin(); i != l->end(); ++i )
+			{
+			Plugin* p = (*i).second;
+
+			rc = p->HookLoadFileExtended(type, file, resolved);
+
+			if ( rc.first >= 0 )
+				break;
+			}
+
+	if ( HavePluginForHook(META_HOOK_POST) )
+		MetaHookPost(HOOK_LOAD_FILE_EXT, args, HookArgument(rc));
+
+	return rc;
+	}
+
 std::pair<bool, ValPtr> Manager::HookCallFunction(const Func* func, zeek::detail::Frame* parent,
                                                   Args* vecargs) const
 	{
diff --git a/src/plugin/Manager.h b/src/plugin/Manager.h
index 92b28d7b62..4873a271ba 100644
--- a/src/plugin/Manager.h
+++ b/src/plugin/Manager.h
@@ -245,6 +245,32 @@ public:
 	virtual int HookLoadFile(const Plugin::LoadType type, const std::string& file,
 	                         const std::string& resolved);
 
+	/**
+	 * Hook that gives plugins a chance to take over loading an input file,
+	 * including replacing the file's content. This method must be called
+	 * between InitPreScript() and InitPostScript() for each input file Bro is
+	 * about to load, either given on the command line or via @load script
+	 * directives. The hook can take over the file, in which case Bro must not
+	 * further process it otherwise; or provide its content, in which case Bro
+	 * must use that and ignore the original file.
+	 *
+	 * @return tuple where the first element is 1 if a plugin took over the
+	 * file; 0 if a plugin took over the file but had trouble loading it; and
+	 * -1 if no plugin was interested in the file at all.
+	 *
+	 * If the plugins takes over by returning 1, there are two cases: if the
+	 * second tuple element remains unset, the plugin handled the loading
+	 * completely internally; the caller must not process it any further.
+	 * Alternatively, the plugin may optionally return the acutal content to
+	 * use for the file as a string through the tuple's second element. If so,
+	 * the caller must ignore the file on disk and use that provided content
+	 * instead (including when there's actually no physical file in place on
+	 * disk at all).
+	 */
+	virtual std::pair<int, std::optional<std::string>>
+	HookLoadFileExtended(const Plugin::LoadType type, const std::string& file,
+	                     const std::string& resolved);
+
 	/**
 	 * Hook that filters calls to a script function/event/hook.
 	 *
diff --git a/src/plugin/Plugin.cc b/src/plugin/Plugin.cc
index c569b1afeb..315a844a3b 100644
--- a/src/plugin/Plugin.cc
+++ b/src/plugin/Plugin.cc
@@ -22,6 +22,7 @@ const char* hook_name(HookType h)
 	static constexpr const char* hook_names[int(NUM_HOOKS) + 1] = {
 		// Order must match that of HookType.
 		"LoadFile",
+		"LoadFileExtended",
 		"CallFunction",
 		"QueueEvent",
 		"DrainEvents",
@@ -230,6 +231,21 @@ void HookArgument::Describe(ODesc* d) const
 				{
 				d->Add("<no location>");
 				}
+			break;
+
+		case INPUT_FILE:
+			{
+			d->Add("(");
+			d->Add(input_file.first);
+			d->Add(", ");
+			if ( input_file.second )
+				d->Add(input_file.second->substr(0, 20)); // cut content off
+			else
+				d->Add("<no content>");
+
+			d->Add(")");
+			}
+			break;
 		}
 	}
 
@@ -368,6 +384,13 @@ int Plugin::HookLoadFile(const LoadType type, const std::string& file, const std
 	return -1;
 	}
 
+std::pair<int, std::optional<std::string>> Plugin::HookLoadFileExtended(const LoadType type,
+                                                                        const std::string& file,
+                                                                        const std::string& resolved)
+	{
+	return std::make_pair(-1, std::nullopt);
+	}
+
 std::pair<bool, ValPtr> Plugin::HookFunctionCall(const Func* func, zeek::detail::Frame* parent,
                                                  Args* args)
 	{
diff --git a/src/plugin/Plugin.h b/src/plugin/Plugin.h
index b9dc8a6a22..f625fc1a49 100644
--- a/src/plugin/Plugin.h
+++ b/src/plugin/Plugin.h
@@ -5,6 +5,7 @@
 #include "zeek/zeek-config.h"
 
 #include <list>
+#include <optional>
 #include <string>
 #include <utility>
 
@@ -57,6 +58,7 @@ enum HookType
 	{
 	// Note: when changing this table, update hook_name() in Plugin.cc.
 	HOOK_LOAD_FILE, //< Activates Plugin::HookLoadFile().
+	HOOK_LOAD_FILE_EXT, //< Activates Plugin::HookLoadFileExtended().
 	HOOK_CALL_FUNCTION, //< Activates Plugin::HookCallFunction().
 	HOOK_QUEUE_EVENT, //< Activates Plugin::HookQueueEvent().
 	HOOK_DRAIN_EVENTS, //< Activates Plugin::HookDrainEvents()
@@ -205,7 +207,8 @@ public:
 		CONN,
 		THREAD_FIELDS,
 		LOCATION,
-		ARG_LIST
+		ARG_LIST,
+		INPUT_FILE
 		};
 
 	/**
@@ -357,6 +360,15 @@ public:
 		arg.args = args;
 		}
 
+	/**
+	 * Constructor with HookLoadFileExtended result describing an input file.
+	 */
+	explicit HookArgument(std::pair<int, std::optional<std::string>> file)
+		{
+		type = INPUT_FILE;
+		input_file = std::move(file);
+		}
+
 	/**
 	 * Returns the value for a boolen argument. The argument's type must
 	 * match accordingly.
@@ -540,6 +552,7 @@ private:
 	std::pair<bool, Val*> func_result;
 	std::pair<int, const threading::Field* const*> tfields;
 	std::string arg_string;
+	std::pair<int, std::optional<std::string>> input_file;
 	};
 
 using HookArgumentList = std::list<HookArgument>;
@@ -815,6 +828,43 @@ protected:
 	virtual int HookLoadFile(const LoadType type, const std::string& file,
 	                         const std::string& resolved);
 
+	/**
+	 * Hook into loading input files, with extended capabilities. This method
+	 * will be called between InitPreScript() and InitPostScript(), but with no
+	 * further order or timing guaranteed. It will be called once for each
+	 * input file Bro is about to load, either given on the command line or via
+	 * @load script directives. The hook can take over the file, in which case
+	 * Bro will not further process it otherwise. It can, alternatively, also
+	 * provide the file content as a string, which Bro will then process just
+	 * as if it had read it from a file.
+	 *
+	 * @param type The type of load encountered: script load, signatures load,
+	 *             or plugin load.
+	 *
+	 * @param file The filename that was passed to @load. Only includes
+	 *             an extension if it was given in @load.
+	 *
+	 * @param resolved The file or directory name Bro resolved from
+	 *                 the given path and is going to load. Empty string
+	 *                 if Bro was not able to resolve a path.
+	 *
+	 * @return tuple of an integer and an optional string, where: the integer
+	 * must be 1 if the plugin takes over loading the file (see below); 0 if
+	 * the plugin wanted to take over the file but had trouble loading it
+	 * (processing will abort in this case, and the plugin should have printed
+	 * an error message); and -1 if the plugin wants Bro to proceeed processing
+	 * the file normally. If the plugins takes over by returning 1, there are
+	 * two cases: if the second tuple element remains unset, the plugin handled
+	 * the loading completely internally; Bro will not do anything further with
+	 * it. Alternatively, the plugin may optionally return the acutal content
+	 * to use for the file as a string through the tuple's second element. If
+	 * so, Bro will ignore the file on disk and use that provided content
+	 * instead (including when there's actually no physical file in place on
+	 * disk at all, and loading would have hence failed otherwise).
+	 */
+	virtual std::pair<int, std::optional<std::string>>
+	HookLoadFileExtended(const LoadType type, const std::string& file, const std::string& resolved);
+
 	/**
 	 * Hook into executing a script-level function/event/hook. Whenever
 	 * the script interpreter is about to execution a function, it first
diff --git a/src/rule-scan.l b/src/rule-scan.l
index 2b424d2ee5..3d9bc6da84 100644
--- a/src/rule-scan.l
+++ b/src/rule-scan.l
@@ -228,3 +228,23 @@ void end_PS()
 	{
 	BEGIN(INITIAL);
 	}
+
+static YY_BUFFER_STATE rules_buffer;
+
+void rules_set_input_from_buffer(const char* data, size_t size)
+	{
+	rules_buffer = yy_scan_bytes(data, size); // this copies the data
+	}
+
+void rules_set_input_from_file(FILE* f)
+	{
+	rules_buffer = yy_create_buffer(f, YY_BUF_SIZE);
+	}
+
+void rules_parse_input()
+	{
+	yy_switch_to_buffer(rules_buffer);
+	rules_parse();
+	yy_delete_buffer(rules_buffer);
+	}
+
diff --git a/src/scan.l b/src/scan.l
index dbcb3fcfd3..0301494e2f 100644
--- a/src/scan.l
+++ b/src/scan.l
@@ -353,11 +353,14 @@ when	return TOK_WHEN;
 
 @load-plugin{WS}{ID} {
 	const char* plugin = zeek::util::skip_whitespace(yytext + 12);
-	int rc = PLUGIN_HOOK_WITH_RESULT(HOOK_LOAD_FILE, HookLoadFile(zeek::plugin::Plugin::PLUGIN, plugin, ""), -1);
+	std::pair<int, std::optional<std::string>> rc;
+	rc.first = PLUGIN_HOOK_WITH_RESULT(HOOK_LOAD_FILE, HookLoadFile(zeek::plugin::Plugin::PLUGIN, plugin, ""), -1);
+	if ( rc.first < 0 )
+		rc = PLUGIN_HOOK_WITH_RESULT(HOOK_LOAD_FILE_EXT, HookLoadFileExtended(zeek::plugin::Plugin::PLUGIN, plugin, ""), std::make_pair(-1, std::nullopt));
 
-	switch ( rc ) {
+	switch ( rc.first ) {
 	case -1:
-		// No plugin in charge of this file.
+		// No plugin in charge of this file. (We ignore any returned content.)
 		zeek::plugin_mgr->ActivateDynamicPlugin(plugin);
 		break;
 
@@ -560,12 +563,13 @@ YYLTYPE zeek::detail::GetCurrentLocation()
 static int load_files(const char* orig_file)
 	{
 	std::string file_path = find_relative_script_file(orig_file);
-	int rc = PLUGIN_HOOK_WITH_RESULT(HOOK_LOAD_FILE, HookLoadFile(zeek::plugin::Plugin::SCRIPT, orig_file, file_path), -1);
 
-	if ( rc == 1 )
-		return 0; // A plugin took care of it, just skip.
+	std::pair<int, std::optional<std::string>> rc = {-1, std::nullopt};
+	rc.first = PLUGIN_HOOK_WITH_RESULT(HOOK_LOAD_FILE, HookLoadFile(zeek::plugin::Plugin::SCRIPT, orig_file, file_path), -1);
+	if ( rc.first < 0 )
+		rc = PLUGIN_HOOK_WITH_RESULT(HOOK_LOAD_FILE_EXT, HookLoadFileExtended(zeek::plugin::Plugin::SCRIPT, orig_file, file_path), std::make_pair(-1, std::nullopt));
 
-	if ( rc == 0 )
+	if ( rc.first == 0 )
 		{
 		if ( ! zeek::reporter->Errors() )
 			// This is just in case the plugin failed to report
@@ -576,55 +580,57 @@ static int load_files(const char* orig_file)
 		exit(1);
 		}
 
-	assert(rc == -1); // No plugin in charge of this file.
+	if ( rc.first == 1 && ! rc.second )
+		return 0; // A plugin took care of it, just skip.
 
 	FILE* f = nullptr;
 
-	if ( zeek::util::streq(orig_file, "-") )
+	if ( rc.first == -1 )
 		{
-		f = stdin;
-		file_path = zeek::detail::ScannedFile::canonical_stdin_path;
-
-		if ( zeek::detail::g_policy_debug )
+		if ( zeek::util::streq(orig_file, "-") )
 			{
-			zeek::detail::debug_msg("Warning: can't use debugger while reading policy from stdin; turning off debugging.\n");
-			zeek::detail::g_policy_debug = false;
+			f = stdin;
+			file_path = zeek::detail::ScannedFile::canonical_stdin_path;
+
+			if ( zeek::detail::g_policy_debug )
+				{
+				zeek::detail::debug_msg("Warning: can't use debugger while reading policy from stdin; turning off debugging.\n");
+				zeek::detail::g_policy_debug = false;
+				}
 			}
-		}
 
-	else
-		{
-		if ( file_path.empty() )
-			zeek::reporter->FatalError("can't find %s", orig_file);
-
-		if ( zeek::util::is_dir(file_path.c_str()) )
-			f = zeek::util::detail::open_package(file_path);
 		else
-			f = zeek::util::open_file(file_path);
+			{
+			if ( file_path.empty() )
+				zeek::reporter->FatalError("can't find %s", orig_file);
 
-		if ( ! f )
-			zeek::reporter->FatalError("can't open %s", file_path.c_str());
+			if ( zeek::util::is_dir(file_path.c_str()) )
+				f = zeek::util::detail::open_package(file_path);
+			else
+				f = zeek::util::open_file(file_path);
+
+			if ( ! f )
+				zeek::reporter->FatalError("can't open %s", file_path.c_str());
+			}
+
+		zeek::detail::ScannedFile sf(file_stack.length(), file_path);
+		if ( sf.AlreadyScanned() )
+			{
+			if ( rc.first == -1 && f != stdin )
+				fclose(f);
+
+			return 0;
+			}
+
+		zeek::detail::files_scanned.push_back(std::move(sf));
 		}
 
-	zeek::detail::ScannedFile sf(file_stack.length(), file_path);
-
-	if ( sf.AlreadyScanned() )
-		{
-		if ( f != stdin )
-			fclose(f);
-
-		return 0;
-		}
-
-	zeek::detail::files_scanned.push_back(std::move(sf));
-
 	if ( zeek::detail::g_policy_debug && ! file_path.empty() )
 		{
 		// Add the filename to the file mapping table (Debug.h).
 		zeek::detail::Filemap* map = new zeek::detail::Filemap;
-		zeek::detail::HashKey* key = new zeek::detail::HashKey(file_path.c_str());
 		zeek::detail::g_dbgfilemaps.emplace(file_path, map);
-		LoadPolicyFileText(file_path.c_str());
+		LoadPolicyFileText(file_path.c_str(), rc.second);
 		}
 
 	// Remember where we were to restore the module scope in which
@@ -633,12 +639,24 @@ static int load_files(const char* orig_file)
 
 	zeek::detail::zeekygen_mgr->Script(file_path);
 
-	DBG_LOG(zeek::DBG_SCRIPTS, "Loading %s", file_path.c_str());
-
 	// "orig_file", could be an alias for yytext, which is ephemeral
 	//  and will be zapped after the yy_switch_to_buffer() below.
-	yy_switch_to_buffer(yy_create_buffer(f, YY_BUF_SIZE));
+	YY_BUFFER_STATE buffer;
 
+	if ( rc.first == 1 ) {
+		// Parse code provided by plugin.
+		assert(rc.second);
+		DBG_LOG(zeek::DBG_SCRIPTS, "Loading %s from code supplied by plugin ", file_path.c_str());
+		buffer = yy_scan_bytes(rc.second->data(), rc.second->size()); // this copies the data
+		}
+	else {
+		// Parse from file.
+		assert(f);
+		DBG_LOG(zeek::DBG_SCRIPTS, "Loading %s", file_path.c_str());
+		buffer = yy_create_buffer(f, YY_BUF_SIZE);
+		}
+
+	yy_switch_to_buffer(buffer);
 	yylloc.first_line = yylloc.last_line = line_number = 1;
 
 	// Don't delete the old filename - it's pointed to by
diff --git a/src/zeek-setup.cc b/src/zeek-setup.cc
index b2e77df628..2e38a48d45 100644
--- a/src/zeek-setup.cc
+++ b/src/zeek-setup.cc
@@ -741,15 +741,15 @@ SetupResult setup(int argc, char** argv, Options* zopts)
 
 		// Append signature files given on the command line
 		for ( const auto& sf : options.signature_files )
-			all_signature_files.push_back(sf);
+			all_signature_files.emplace_back(sf);
 
 		// Append signature files defined in "signature_files" script option
 		for ( auto&& sf : get_script_signature_files() )
-			all_signature_files.push_back(std::move(sf));
+			all_signature_files.emplace_back(std::move(sf));
 
 		// Append signature files defined in @load-sigs
 		for ( const auto& sf : zeek::detail::sig_files )
-			all_signature_files.push_back(sf);
+			all_signature_files.emplace_back(sf);
 
 		if ( ! all_signature_files.empty() )
 			{
diff --git a/testing/btest/Baseline/core.parse-only-signature-file-issues/missing-sig-file b/testing/btest/Baseline/core.parse-only-signature-file-issues/missing-sig-file
index 3fc89824f4..aaaa346b61 100644
--- a/testing/btest/Baseline/core.parse-only-signature-file-issues/missing-sig-file
+++ b/testing/btest/Baseline/core.parse-only-signature-file-issues/missing-sig-file
@@ -1,2 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-error: Can't open signature file nope
+error: failed to find file associated with @load-sigs nope
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index e340ed914b..898f73cb3b 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -1048,6 +1048,372 @@
 0.000000   MetaHookPost  LoadFile(1, ./programming, <...>/programming.sig) -> -1
 0.000000   MetaHookPost  LoadFile(1, ./video, <...>/video.sig) -> -1
 0.000000   MetaHookPost  LoadFile(1, s2, ./s2.sig) -> -1
+0.000000   MetaHookPost  LoadFileExtended(0, ../main, <...>/main.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ../plugin, <...>/plugin.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./CPP-load.bif.zeek, <...>/CPP-load.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_ARP.events.bif.zeek, <...>/Zeek_ARP.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_AsciiReader.ascii.bif.zeek, <...>/Zeek_AsciiReader.ascii.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_AsciiWriter.ascii.bif.zeek, <...>/Zeek_AsciiWriter.ascii.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_BenchmarkReader.benchmark.bif.zeek, <...>/Zeek_BenchmarkReader.benchmark.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_BinaryReader.binary.bif.zeek, <...>/Zeek_BinaryReader.binary.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_BitTorrent.events.bif.zeek, <...>/Zeek_BitTorrent.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_ConfigReader.config.bif.zeek, <...>/Zeek_ConfigReader.config.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_ConnSize.events.bif.zeek, <...>/Zeek_ConnSize.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_ConnSize.functions.bif.zeek, <...>/Zeek_ConnSize.functions.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_DCE_RPC.consts.bif.zeek, <...>/Zeek_DCE_RPC.consts.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_DCE_RPC.events.bif.zeek, <...>/Zeek_DCE_RPC.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_DCE_RPC.types.bif.zeek, <...>/Zeek_DCE_RPC.types.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_DHCP.events.bif.zeek, <...>/Zeek_DHCP.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_DHCP.types.bif.zeek, <...>/Zeek_DHCP.types.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_DNP3.events.bif.zeek, <...>/Zeek_DNP3.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_DNS.events.bif.zeek, <...>/Zeek_DNS.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_FTP.events.bif.zeek, <...>/Zeek_FTP.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_FTP.functions.bif.zeek, <...>/Zeek_FTP.functions.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_File.events.bif.zeek, <...>/Zeek_File.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_FileEntropy.events.bif.zeek, <...>/Zeek_FileEntropy.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_FileExtract.events.bif.zeek, <...>/Zeek_FileExtract.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_FileExtract.functions.bif.zeek, <...>/Zeek_FileExtract.functions.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_FileHash.events.bif.zeek, <...>/Zeek_FileHash.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Finger.events.bif.zeek, <...>/Zeek_Finger.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_GSSAPI.events.bif.zeek, <...>/Zeek_GSSAPI.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_GTPv1.events.bif.zeek, <...>/Zeek_GTPv1.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Geneve.events.bif.zeek, <...>/Zeek_Geneve.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Gnutella.events.bif.zeek, <...>/Zeek_Gnutella.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_HTTP.events.bif.zeek, <...>/Zeek_HTTP.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_HTTP.functions.bif.zeek, <...>/Zeek_HTTP.functions.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_ICMP.events.bif.zeek, <...>/Zeek_ICMP.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_IMAP.events.bif.zeek, <...>/Zeek_IMAP.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_IRC.events.bif.zeek, <...>/Zeek_IRC.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Ident.events.bif.zeek, <...>/Zeek_Ident.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_KRB.events.bif.zeek, <...>/Zeek_KRB.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_KRB.types.bif.zeek, <...>/Zeek_KRB.types.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Login.events.bif.zeek, <...>/Zeek_Login.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Login.functions.bif.zeek, <...>/Zeek_Login.functions.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_MIME.events.bif.zeek, <...>/Zeek_MIME.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_MQTT.events.bif.zeek, <...>/Zeek_MQTT.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_MQTT.types.bif.zeek, <...>/Zeek_MQTT.types.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Modbus.events.bif.zeek, <...>/Zeek_Modbus.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_MySQL.events.bif.zeek, <...>/Zeek_MySQL.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_NCP.consts.bif.zeek, <...>/Zeek_NCP.consts.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_NCP.events.bif.zeek, <...>/Zeek_NCP.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_NTLM.events.bif.zeek, <...>/Zeek_NTLM.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_NTLM.types.bif.zeek, <...>/Zeek_NTLM.types.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_NTP.events.bif.zeek, <...>/Zeek_NTP.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_NTP.types.bif.zeek, <...>/Zeek_NTP.types.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_NetBIOS.events.bif.zeek, <...>/Zeek_NetBIOS.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_NetBIOS.functions.bif.zeek, <...>/Zeek_NetBIOS.functions.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_NoneWriter.none.bif.zeek, <...>/Zeek_NoneWriter.none.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_PE.events.bif.zeek, <...>/Zeek_PE.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_POP3.events.bif.zeek, <...>/Zeek_POP3.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_RADIUS.events.bif.zeek, <...>/Zeek_RADIUS.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_RDP.events.bif.zeek, <...>/Zeek_RDP.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_RDP.types.bif.zeek, <...>/Zeek_RDP.types.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_RFB.events.bif.zeek, <...>/Zeek_RFB.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_RPC.events.bif.zeek, <...>/Zeek_RPC.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_RawReader.raw.bif.zeek, <...>/Zeek_RawReader.raw.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SIP.events.bif.zeek, <...>/Zeek_SIP.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.consts.bif.zeek, <...>/Zeek_SMB.consts.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.events.bif.zeek, <...>/Zeek_SMB.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb1_com_check_directory.bif.zeek, <...>/Zeek_SMB.smb1_com_check_directory.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb1_com_close.bif.zeek, <...>/Zeek_SMB.smb1_com_close.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb1_com_create_directory.bif.zeek, <...>/Zeek_SMB.smb1_com_create_directory.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb1_com_echo.bif.zeek, <...>/Zeek_SMB.smb1_com_echo.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb1_com_logoff_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_logoff_andx.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb1_com_negotiate.bif.zeek, <...>/Zeek_SMB.smb1_com_negotiate.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb1_com_nt_cancel.bif.zeek, <...>/Zeek_SMB.smb1_com_nt_cancel.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb1_com_nt_create_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_nt_create_andx.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb1_com_query_information.bif.zeek, <...>/Zeek_SMB.smb1_com_query_information.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb1_com_read_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_read_andx.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb1_com_session_setup_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_session_setup_andx.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb1_com_transaction.bif.zeek, <...>/Zeek_SMB.smb1_com_transaction.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb1_com_transaction2.bif.zeek, <...>/Zeek_SMB.smb1_com_transaction2.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek, <...>/Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb1_com_transaction_secondary.bif.zeek, <...>/Zeek_SMB.smb1_com_transaction_secondary.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb1_com_tree_disconnect.bif.zeek, <...>/Zeek_SMB.smb1_com_tree_disconnect.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb1_com_write_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_write_andx.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb1_events.bif.zeek, <...>/Zeek_SMB.smb1_events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb2_com_close.bif.zeek, <...>/Zeek_SMB.smb2_com_close.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb2_com_create.bif.zeek, <...>/Zeek_SMB.smb2_com_create.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb2_com_negotiate.bif.zeek, <...>/Zeek_SMB.smb2_com_negotiate.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb2_com_read.bif.zeek, <...>/Zeek_SMB.smb2_com_read.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb2_com_session_setup.bif.zeek, <...>/Zeek_SMB.smb2_com_session_setup.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb2_com_set_info.bif.zeek, <...>/Zeek_SMB.smb2_com_set_info.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb2_com_transform_header.bif.zeek, <...>/Zeek_SMB.smb2_com_transform_header.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb2_com_tree_connect.bif.zeek, <...>/Zeek_SMB.smb2_com_tree_connect.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb2_com_tree_disconnect.bif.zeek, <...>/Zeek_SMB.smb2_com_tree_disconnect.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb2_com_write.bif.zeek, <...>/Zeek_SMB.smb2_com_write.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb2_events.bif.zeek, <...>/Zeek_SMB.smb2_events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.types.bif.zeek, <...>/Zeek_SMB.types.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMTP.events.bif.zeek, <...>/Zeek_SMTP.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMTP.functions.bif.zeek, <...>/Zeek_SMTP.functions.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SNMP.events.bif.zeek, <...>/Zeek_SNMP.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SNMP.types.bif.zeek, <...>/Zeek_SNMP.types.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SOCKS.events.bif.zeek, <...>/Zeek_SOCKS.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SQLiteReader.sqlite.bif.zeek, <...>/Zeek_SQLiteReader.sqlite.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SQLiteWriter.sqlite.bif.zeek, <...>/Zeek_SQLiteWriter.sqlite.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SSH.events.bif.zeek, <...>/Zeek_SSH.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SSH.types.bif.zeek, <...>/Zeek_SSH.types.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SSL.consts.bif.zeek, <...>/Zeek_SSL.consts.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SSL.events.bif.zeek, <...>/Zeek_SSL.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SSL.functions.bif.zeek, <...>/Zeek_SSL.functions.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SSL.types.bif.zeek, <...>/Zeek_SSL.types.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Syslog.events.bif.zeek, <...>/Zeek_Syslog.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_TCP.events.bif.zeek, <...>/Zeek_TCP.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Teredo.events.bif.zeek, <...>/Zeek_Teredo.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_UDP.events.bif.zeek, <...>/Zeek_UDP.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Unified2.events.bif.zeek, <...>/Zeek_Unified2.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Unified2.types.bif.zeek, <...>/Zeek_Unified2.types.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_VXLAN.events.bif.zeek, <...>/Zeek_VXLAN.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_X509.events.bif.zeek, <...>/Zeek_X509.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_X509.functions.bif.zeek, <...>/Zeek_X509.functions.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_X509.ocsp_events.bif.zeek, <...>/Zeek_X509.ocsp_events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_X509.types.bif.zeek, <...>/Zeek_X509.types.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_XMPP.events.bif.zeek, <...>/Zeek_XMPP.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./acld, <...>/acld.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./addrs, <...>/addrs.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./analyzer.bif.zeek, <...>/analyzer.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./api, <...>/api.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./average, <...>/average.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./bloom-filter.bif.zeek, <...>/bloom-filter.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./broker, <...>/broker.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./cardinality-counter.bif.zeek, <...>/cardinality-counter.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./certificate-event-cache, <...>/certificate-event-cache.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./comm.bif.zeek, <...>/comm.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./const-dos-error, <...>/const-dos-error.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./const-nt-status, <...>/const-nt-status.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./const.bif.zeek, <...>/const.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./consts, <...>/consts.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./contents, <...>/contents.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./control, <...>/control.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./ct-list, <...>/ct-list.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./data.bif.zeek, <...>/data.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./dcc-send, <...>/dcc-send.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./debug, <...>/debug.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./drop, <...>/drop.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./entities, <...>/entities.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./event.bif.zeek, <...>/event.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./exec, <...>/exec.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./file_analysis.bif.zeek, <...>/file_analysis.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./files, <...>/files.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./gridftp, <...>/gridftp.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./hll_unique, <...>/hll_unique.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./hooks.bif.zeek, <...>/hooks.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./inactivity, <...>/inactivity.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./info, <...>/info.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./input, <...>/input.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./input.bif.zeek, <...>/input.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./last, <...>/last.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./log, <...>/log.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./log-ocsp, <...>/log-ocsp.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./logging.bif.zeek, <...>/logging.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./magic, <...>/magic) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./main, <...>/main.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./max, <...>/max.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./messaging.bif.zeek, <...>/messaging.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./min, <...>/min.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./mozilla-ca-list, <...>/mozilla-ca-list.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./netstats, <...>/netstats.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./non-cluster, <...>/non-cluster.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./openflow, <...>/openflow.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./option.bif.zeek, <...>/option.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./packet_analysis.bif.zeek, <...>/packet_analysis.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./packetfilter, <...>/packetfilter.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./patterns, <...>/patterns.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./pcap.bif.zeek, <...>/pcap.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./plugin, <...>/plugin.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./plugins, <...>/plugins) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./polling, <...>/polling.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./pools, <...>/pools.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./postprocessors, <...>/postprocessors) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./removal-hooks, <...>/removal-hooks.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./reporter.bif.zeek, <...>/reporter.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./ryu, <...>/ryu.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./sample, <...>/sample.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./scp, <...>/scp.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./sftp, <...>/sftp.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./shunt, <...>/shunt.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./site, <...>/site.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./smb1-main, <...>/smb1-main.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./smb2-main, <...>/smb2-main.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./stats.bif.zeek, <...>/stats.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./std-dev, <...>/std-dev.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./store, <...>/store.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./store.bif.zeek, <...>/store.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./strings.bif.zeek, <...>/strings.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./sum, <...>/sum.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./supervisor.bif.zeek, <...>/supervisor.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./telemetry.bif.zeek, <...>/telemetry.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./thresholds, <...>/thresholds.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./top-k.bif.zeek, <...>/top-k.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./topk, <...>/topk.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./types, <...>/types.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./types.bif.zeek, <...>/types.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./unique, <...>/unique.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./utils, <...>/utils.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./utils-commands, <...>/utils-commands.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./variance, <...>/variance.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./weird, <...>/weird.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./zeek.bif.zeek, <...>/zeek.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./zeekygen.bif.zeek, <...>/zeekygen.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, .<...>/add-geodata, <...>/add-geodata.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, .<...>/ascii, <...>/ascii.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, .<...>/benchmark, <...>/benchmark.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, .<...>/binary, <...>/binary.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, .<...>/config, <...>/config.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, .<...>/email_admin, <...>/email_admin.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, .<...>/none, <...>/none.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, .<...>/page, <...>/page.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, .<...>/pp-alarms, <...>/pp-alarms.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, .<...>/raw, <...>/raw.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, .<...>/sqlite, <...>/sqlite.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, <...>/__load__.zeek, <...>/__load__.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, <...>/__preload__.zeek, <...>/__preload__.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, <...>/hooks.zeek, <...>/hooks.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base/bif, <...>/bif) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base/init-default, <...>/init-default.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base/init-frameworks-and-bifs.zeek, <...>/init-frameworks-and-bifs.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base/packet-protocols, <...>/packet-protocols) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/CPP-load.bif, <...>/CPP-load.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/Zeek_KRB.types.bif, <...>/Zeek_KRB.types.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/Zeek_SNMP.types.bif, <...>/Zeek_SNMP.types.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/active-http, <...>/active-http.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/addrs, <...>/addrs.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/analyzer, <...>/analyzer) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/analyzer.bif, <...>/analyzer.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/api, <...>/api.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/backtrace, <...>/backtrace.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/broker, <...>/broker) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/cluster, <...>/cluster) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/comm.bif, <...>/comm.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/config, <...>/config) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/conn, <...>/conn) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/conn-ids, <...>/conn-ids.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/const.bif, <...>/const.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/control, <...>/control) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/data.bif, <...>/data.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/dce-rpc, <...>/dce-rpc) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/dhcp, <...>/dhcp) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/dir, <...>/dir.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/directions-and-hosts, <...>/directions-and-hosts.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/dnp3, <...>/dnp3) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/dns, <...>/dns) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/dpd, <...>/dpd) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/email, <...>/email.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/ethernet, <...>/ethernet) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/event.bif, <...>/event.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/exec, <...>/exec.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/extract, <...>/extract) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/fddi, <...>/fddi) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/file_analysis.bif, <...>/file_analysis.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/files, <...>/files) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/files, <...>/files.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/find-checksum-offloading, <...>/find-checksum-offloading.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/find-filtered-trace, <...>/find-filtered-trace.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/ftp, <...>/ftp) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/geoip-distance, <...>/geoip-distance.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/gre, <...>/gre) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/hash, <...>/hash) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/hash_hrw, <...>/hash_hrw.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/http, <...>/http) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/icmp, <...>/icmp) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/ieee802_11, <...>/ieee802_11) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/ieee802_11_radio, <...>/ieee802_11_radio) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/imap, <...>/imap) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/input, <...>/input) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/input.bif, <...>/input.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/intel, <...>/intel) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/ip, <...>/ip) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/iptunnel, <...>/iptunnel) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/irc, <...>/irc) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/krb, <...>/krb) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/linux_sll, <...>/linux_sll) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/logging, <...>/logging) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/logging.bif, <...>/logging.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/main, <...>/main.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/messaging.bif, <...>/messaging.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/modbus, <...>/modbus) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/mpls, <...>/mpls) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/mqtt, <...>/mqtt) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/mysql, <...>/mysql) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/netcontrol, <...>/netcontrol) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/nflog, <...>/nflog) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/notice, <...>/notice) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/ntlm, <...>/ntlm) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/ntp, <...>/ntp) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/null, <...>/null) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/numbers, <...>/numbers.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/openflow, <...>/openflow) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/option.bif, <...>/option.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/packet-filter, <...>/packet-filter) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/packet_analysis.bif, <...>/packet_analysis.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/paths, <...>/paths.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/patterns, <...>/patterns.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/pe, <...>/pe) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/plugins, <...>/plugins) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/pop3, <...>/pop3) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/ppp_serial, <...>/ppp_serial) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/pppoe, <...>/pppoe) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/queue, <...>/queue.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/radius, <...>/radius) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/rdp, <...>/rdp) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/removal-hooks, <...>/removal-hooks.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/reporter, <...>/reporter) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/reporter.bif, <...>/reporter.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/rfb, <...>/rfb) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/root, <...>/root) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/signatures, <...>/signatures) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/sip, <...>/sip) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/site, <...>/site.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/skip, <...>/skip) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/smb, <...>/smb) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/smtp, <...>/smtp) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/snmp, <...>/snmp) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/socks, <...>/socks) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/software, <...>/software) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/ssh, <...>/ssh) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/ssl, <...>/ssl) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/stats.bif, <...>/stats.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/store.bif, <...>/store.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/strings, <...>/strings.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/strings.bif, <...>/strings.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/sumstats, <...>/sumstats) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/supervisor, <...>/supervisor) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/supervisor.bif, <...>/supervisor.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/syslog, <...>/syslog) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/tcp, <...>/tcp) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/thresholds, <...>/thresholds.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/time, <...>/time.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/tunnels, <...>/tunnels) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/types.bif, <...>/types.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/udp, <...>/udp) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/urls, <...>/urls.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/utils, <...>/utils.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/version, <...>/version.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/vlan, <...>/vlan) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/vntag, <...>/vntag) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/weird, <...>/weird.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/x509, <...>/x509) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/xmpp, <...>/xmpp) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/zeek.bif, <...>/zeek.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, builtin-plugins/__load__.zeek, <...>/__load__.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, builtin-plugins/__preload__.zeek, <...>/__preload__.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, s1.sig, ./s1.sig) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(1, ./archive, <...>/archive.sig) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(1, ./audio, <...>/audio.sig) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(1, ./dpd.sig, <...>/dpd.sig) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(1, ./executable, <...>/executable.sig) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(1, ./font, <...>/font.sig) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(1, ./general, <...>/general.sig) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(1, ./image, <...>/image.sig) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(1, ./java, <...>/java.sig) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(1, ./libmagic, <...>/libmagic.sig) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(1, ./office, <...>/office.sig) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(1, ./programming, <...>/programming.sig) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(1, ./video, <...>/video.sig) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(1, s2, ./s2.sig) -> (-1, <no content>)
 0.000000   MetaHookPost  LogInit(Log::WRITER_ASCII, default, true, true, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}) -> <void>
 0.000000   MetaHookPost  LogWrite(Log::WRITER_ASCII, default, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}, <void ptr>) -> true
 0.000000   MetaHookPost  QueueEvent(NetControl::init()) -> false
@@ -2102,6 +2468,372 @@
 0.000000   MetaHookPre   LoadFile(1, ./programming, <...>/programming.sig)
 0.000000   MetaHookPre   LoadFile(1, ./video, <...>/video.sig)
 0.000000   MetaHookPre   LoadFile(1, s2, ./s2.sig)
+0.000000   MetaHookPre   LoadFileExtended(0, ../main, <...>/main.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ../plugin, <...>/plugin.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./CPP-load.bif.zeek, <...>/CPP-load.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_ARP.events.bif.zeek, <...>/Zeek_ARP.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_AsciiReader.ascii.bif.zeek, <...>/Zeek_AsciiReader.ascii.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_AsciiWriter.ascii.bif.zeek, <...>/Zeek_AsciiWriter.ascii.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_BenchmarkReader.benchmark.bif.zeek, <...>/Zeek_BenchmarkReader.benchmark.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_BinaryReader.binary.bif.zeek, <...>/Zeek_BinaryReader.binary.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_BitTorrent.events.bif.zeek, <...>/Zeek_BitTorrent.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_ConfigReader.config.bif.zeek, <...>/Zeek_ConfigReader.config.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_ConnSize.events.bif.zeek, <...>/Zeek_ConnSize.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_ConnSize.functions.bif.zeek, <...>/Zeek_ConnSize.functions.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_DCE_RPC.consts.bif.zeek, <...>/Zeek_DCE_RPC.consts.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_DCE_RPC.events.bif.zeek, <...>/Zeek_DCE_RPC.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_DCE_RPC.types.bif.zeek, <...>/Zeek_DCE_RPC.types.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_DHCP.events.bif.zeek, <...>/Zeek_DHCP.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_DHCP.types.bif.zeek, <...>/Zeek_DHCP.types.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_DNP3.events.bif.zeek, <...>/Zeek_DNP3.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_DNS.events.bif.zeek, <...>/Zeek_DNS.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_FTP.events.bif.zeek, <...>/Zeek_FTP.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_FTP.functions.bif.zeek, <...>/Zeek_FTP.functions.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_File.events.bif.zeek, <...>/Zeek_File.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_FileEntropy.events.bif.zeek, <...>/Zeek_FileEntropy.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_FileExtract.events.bif.zeek, <...>/Zeek_FileExtract.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_FileExtract.functions.bif.zeek, <...>/Zeek_FileExtract.functions.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_FileHash.events.bif.zeek, <...>/Zeek_FileHash.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Finger.events.bif.zeek, <...>/Zeek_Finger.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_GSSAPI.events.bif.zeek, <...>/Zeek_GSSAPI.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_GTPv1.events.bif.zeek, <...>/Zeek_GTPv1.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Geneve.events.bif.zeek, <...>/Zeek_Geneve.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Gnutella.events.bif.zeek, <...>/Zeek_Gnutella.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_HTTP.events.bif.zeek, <...>/Zeek_HTTP.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_HTTP.functions.bif.zeek, <...>/Zeek_HTTP.functions.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_ICMP.events.bif.zeek, <...>/Zeek_ICMP.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_IMAP.events.bif.zeek, <...>/Zeek_IMAP.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_IRC.events.bif.zeek, <...>/Zeek_IRC.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Ident.events.bif.zeek, <...>/Zeek_Ident.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_KRB.events.bif.zeek, <...>/Zeek_KRB.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_KRB.types.bif.zeek, <...>/Zeek_KRB.types.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Login.events.bif.zeek, <...>/Zeek_Login.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Login.functions.bif.zeek, <...>/Zeek_Login.functions.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_MIME.events.bif.zeek, <...>/Zeek_MIME.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_MQTT.events.bif.zeek, <...>/Zeek_MQTT.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_MQTT.types.bif.zeek, <...>/Zeek_MQTT.types.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Modbus.events.bif.zeek, <...>/Zeek_Modbus.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_MySQL.events.bif.zeek, <...>/Zeek_MySQL.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_NCP.consts.bif.zeek, <...>/Zeek_NCP.consts.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_NCP.events.bif.zeek, <...>/Zeek_NCP.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_NTLM.events.bif.zeek, <...>/Zeek_NTLM.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_NTLM.types.bif.zeek, <...>/Zeek_NTLM.types.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_NTP.events.bif.zeek, <...>/Zeek_NTP.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_NTP.types.bif.zeek, <...>/Zeek_NTP.types.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_NetBIOS.events.bif.zeek, <...>/Zeek_NetBIOS.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_NetBIOS.functions.bif.zeek, <...>/Zeek_NetBIOS.functions.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_NoneWriter.none.bif.zeek, <...>/Zeek_NoneWriter.none.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_PE.events.bif.zeek, <...>/Zeek_PE.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_POP3.events.bif.zeek, <...>/Zeek_POP3.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_RADIUS.events.bif.zeek, <...>/Zeek_RADIUS.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_RDP.events.bif.zeek, <...>/Zeek_RDP.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_RDP.types.bif.zeek, <...>/Zeek_RDP.types.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_RFB.events.bif.zeek, <...>/Zeek_RFB.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_RPC.events.bif.zeek, <...>/Zeek_RPC.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_RawReader.raw.bif.zeek, <...>/Zeek_RawReader.raw.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SIP.events.bif.zeek, <...>/Zeek_SIP.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.consts.bif.zeek, <...>/Zeek_SMB.consts.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.events.bif.zeek, <...>/Zeek_SMB.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb1_com_check_directory.bif.zeek, <...>/Zeek_SMB.smb1_com_check_directory.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb1_com_close.bif.zeek, <...>/Zeek_SMB.smb1_com_close.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb1_com_create_directory.bif.zeek, <...>/Zeek_SMB.smb1_com_create_directory.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb1_com_echo.bif.zeek, <...>/Zeek_SMB.smb1_com_echo.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb1_com_logoff_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_logoff_andx.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb1_com_negotiate.bif.zeek, <...>/Zeek_SMB.smb1_com_negotiate.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb1_com_nt_cancel.bif.zeek, <...>/Zeek_SMB.smb1_com_nt_cancel.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb1_com_nt_create_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_nt_create_andx.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb1_com_query_information.bif.zeek, <...>/Zeek_SMB.smb1_com_query_information.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb1_com_read_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_read_andx.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb1_com_session_setup_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_session_setup_andx.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb1_com_transaction.bif.zeek, <...>/Zeek_SMB.smb1_com_transaction.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb1_com_transaction2.bif.zeek, <...>/Zeek_SMB.smb1_com_transaction2.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek, <...>/Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb1_com_transaction_secondary.bif.zeek, <...>/Zeek_SMB.smb1_com_transaction_secondary.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb1_com_tree_disconnect.bif.zeek, <...>/Zeek_SMB.smb1_com_tree_disconnect.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb1_com_write_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_write_andx.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb1_events.bif.zeek, <...>/Zeek_SMB.smb1_events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb2_com_close.bif.zeek, <...>/Zeek_SMB.smb2_com_close.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb2_com_create.bif.zeek, <...>/Zeek_SMB.smb2_com_create.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb2_com_negotiate.bif.zeek, <...>/Zeek_SMB.smb2_com_negotiate.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb2_com_read.bif.zeek, <...>/Zeek_SMB.smb2_com_read.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb2_com_session_setup.bif.zeek, <...>/Zeek_SMB.smb2_com_session_setup.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb2_com_set_info.bif.zeek, <...>/Zeek_SMB.smb2_com_set_info.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb2_com_transform_header.bif.zeek, <...>/Zeek_SMB.smb2_com_transform_header.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb2_com_tree_connect.bif.zeek, <...>/Zeek_SMB.smb2_com_tree_connect.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb2_com_tree_disconnect.bif.zeek, <...>/Zeek_SMB.smb2_com_tree_disconnect.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb2_com_write.bif.zeek, <...>/Zeek_SMB.smb2_com_write.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb2_events.bif.zeek, <...>/Zeek_SMB.smb2_events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.types.bif.zeek, <...>/Zeek_SMB.types.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMTP.events.bif.zeek, <...>/Zeek_SMTP.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMTP.functions.bif.zeek, <...>/Zeek_SMTP.functions.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SNMP.events.bif.zeek, <...>/Zeek_SNMP.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SNMP.types.bif.zeek, <...>/Zeek_SNMP.types.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SOCKS.events.bif.zeek, <...>/Zeek_SOCKS.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SQLiteReader.sqlite.bif.zeek, <...>/Zeek_SQLiteReader.sqlite.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SQLiteWriter.sqlite.bif.zeek, <...>/Zeek_SQLiteWriter.sqlite.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SSH.events.bif.zeek, <...>/Zeek_SSH.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SSH.types.bif.zeek, <...>/Zeek_SSH.types.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SSL.consts.bif.zeek, <...>/Zeek_SSL.consts.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SSL.events.bif.zeek, <...>/Zeek_SSL.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SSL.functions.bif.zeek, <...>/Zeek_SSL.functions.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SSL.types.bif.zeek, <...>/Zeek_SSL.types.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Syslog.events.bif.zeek, <...>/Zeek_Syslog.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_TCP.events.bif.zeek, <...>/Zeek_TCP.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Teredo.events.bif.zeek, <...>/Zeek_Teredo.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_UDP.events.bif.zeek, <...>/Zeek_UDP.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Unified2.events.bif.zeek, <...>/Zeek_Unified2.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Unified2.types.bif.zeek, <...>/Zeek_Unified2.types.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_VXLAN.events.bif.zeek, <...>/Zeek_VXLAN.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_X509.events.bif.zeek, <...>/Zeek_X509.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_X509.functions.bif.zeek, <...>/Zeek_X509.functions.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_X509.ocsp_events.bif.zeek, <...>/Zeek_X509.ocsp_events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_X509.types.bif.zeek, <...>/Zeek_X509.types.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_XMPP.events.bif.zeek, <...>/Zeek_XMPP.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./acld, <...>/acld.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./addrs, <...>/addrs.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./analyzer.bif.zeek, <...>/analyzer.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./api, <...>/api.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./average, <...>/average.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./bloom-filter.bif.zeek, <...>/bloom-filter.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./broker, <...>/broker.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./cardinality-counter.bif.zeek, <...>/cardinality-counter.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./certificate-event-cache, <...>/certificate-event-cache.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./comm.bif.zeek, <...>/comm.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./const-dos-error, <...>/const-dos-error.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./const-nt-status, <...>/const-nt-status.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./const.bif.zeek, <...>/const.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./consts, <...>/consts.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./contents, <...>/contents.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./control, <...>/control.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./ct-list, <...>/ct-list.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./data.bif.zeek, <...>/data.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./dcc-send, <...>/dcc-send.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./debug, <...>/debug.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./drop, <...>/drop.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./entities, <...>/entities.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./event.bif.zeek, <...>/event.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./exec, <...>/exec.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./file_analysis.bif.zeek, <...>/file_analysis.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./files, <...>/files.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./gridftp, <...>/gridftp.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./hll_unique, <...>/hll_unique.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./hooks.bif.zeek, <...>/hooks.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./inactivity, <...>/inactivity.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./info, <...>/info.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./input, <...>/input.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./input.bif.zeek, <...>/input.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./last, <...>/last.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./log, <...>/log.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./log-ocsp, <...>/log-ocsp.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./logging.bif.zeek, <...>/logging.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./magic, <...>/magic)
+0.000000   MetaHookPre   LoadFileExtended(0, ./main, <...>/main.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./max, <...>/max.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./messaging.bif.zeek, <...>/messaging.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./min, <...>/min.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./mozilla-ca-list, <...>/mozilla-ca-list.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./netstats, <...>/netstats.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./non-cluster, <...>/non-cluster.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./openflow, <...>/openflow.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./option.bif.zeek, <...>/option.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./packet_analysis.bif.zeek, <...>/packet_analysis.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./packetfilter, <...>/packetfilter.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./patterns, <...>/patterns.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./pcap.bif.zeek, <...>/pcap.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./plugin, <...>/plugin.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./plugins, <...>/plugins)
+0.000000   MetaHookPre   LoadFileExtended(0, ./polling, <...>/polling.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./pools, <...>/pools.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./postprocessors, <...>/postprocessors)
+0.000000   MetaHookPre   LoadFileExtended(0, ./removal-hooks, <...>/removal-hooks.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./reporter.bif.zeek, <...>/reporter.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./ryu, <...>/ryu.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./sample, <...>/sample.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./scp, <...>/scp.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./sftp, <...>/sftp.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./shunt, <...>/shunt.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./site, <...>/site.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./smb1-main, <...>/smb1-main.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./smb2-main, <...>/smb2-main.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./stats.bif.zeek, <...>/stats.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./std-dev, <...>/std-dev.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./store, <...>/store.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./store.bif.zeek, <...>/store.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./strings.bif.zeek, <...>/strings.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./sum, <...>/sum.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./supervisor.bif.zeek, <...>/supervisor.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./telemetry.bif.zeek, <...>/telemetry.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./thresholds, <...>/thresholds.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./top-k.bif.zeek, <...>/top-k.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./topk, <...>/topk.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./types, <...>/types.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./types.bif.zeek, <...>/types.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./unique, <...>/unique.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./utils, <...>/utils.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./utils-commands, <...>/utils-commands.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./variance, <...>/variance.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./weird, <...>/weird.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./zeek.bif.zeek, <...>/zeek.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./zeekygen.bif.zeek, <...>/zeekygen.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, .<...>/add-geodata, <...>/add-geodata.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, .<...>/ascii, <...>/ascii.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, .<...>/benchmark, <...>/benchmark.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, .<...>/binary, <...>/binary.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, .<...>/config, <...>/config.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, .<...>/email_admin, <...>/email_admin.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, .<...>/none, <...>/none.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, .<...>/page, <...>/page.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, .<...>/pp-alarms, <...>/pp-alarms.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, .<...>/raw, <...>/raw.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, .<...>/sqlite, <...>/sqlite.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, <...>/__load__.zeek, <...>/__load__.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, <...>/__preload__.zeek, <...>/__preload__.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, <...>/hooks.zeek, <...>/hooks.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base/bif, <...>/bif)
+0.000000   MetaHookPre   LoadFileExtended(0, base/init-default, <...>/init-default.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base/init-frameworks-and-bifs.zeek, <...>/init-frameworks-and-bifs.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base/packet-protocols, <...>/packet-protocols)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/CPP-load.bif, <...>/CPP-load.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/Zeek_KRB.types.bif, <...>/Zeek_KRB.types.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/Zeek_SNMP.types.bif, <...>/Zeek_SNMP.types.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/active-http, <...>/active-http.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/addrs, <...>/addrs.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/analyzer, <...>/analyzer)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/analyzer.bif, <...>/analyzer.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/api, <...>/api.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/backtrace, <...>/backtrace.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/broker, <...>/broker)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/cluster, <...>/cluster)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/comm.bif, <...>/comm.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/config, <...>/config)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/conn, <...>/conn)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/conn-ids, <...>/conn-ids.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/const.bif, <...>/const.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/control, <...>/control)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/data.bif, <...>/data.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/dce-rpc, <...>/dce-rpc)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/dhcp, <...>/dhcp)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/dir, <...>/dir.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/directions-and-hosts, <...>/directions-and-hosts.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/dnp3, <...>/dnp3)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/dns, <...>/dns)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/dpd, <...>/dpd)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/email, <...>/email.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/ethernet, <...>/ethernet)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/event.bif, <...>/event.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/exec, <...>/exec.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/extract, <...>/extract)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/fddi, <...>/fddi)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/file_analysis.bif, <...>/file_analysis.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/files, <...>/files)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/files, <...>/files.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/find-checksum-offloading, <...>/find-checksum-offloading.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/find-filtered-trace, <...>/find-filtered-trace.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/ftp, <...>/ftp)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/geoip-distance, <...>/geoip-distance.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/gre, <...>/gre)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/hash, <...>/hash)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/hash_hrw, <...>/hash_hrw.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/http, <...>/http)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/icmp, <...>/icmp)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/ieee802_11, <...>/ieee802_11)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/ieee802_11_radio, <...>/ieee802_11_radio)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/imap, <...>/imap)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/input, <...>/input)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/input.bif, <...>/input.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/intel, <...>/intel)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/ip, <...>/ip)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/iptunnel, <...>/iptunnel)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/irc, <...>/irc)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/krb, <...>/krb)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/linux_sll, <...>/linux_sll)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/logging, <...>/logging)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/logging.bif, <...>/logging.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/main, <...>/main.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/messaging.bif, <...>/messaging.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/modbus, <...>/modbus)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/mpls, <...>/mpls)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/mqtt, <...>/mqtt)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/mysql, <...>/mysql)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/netcontrol, <...>/netcontrol)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/nflog, <...>/nflog)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/notice, <...>/notice)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/ntlm, <...>/ntlm)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/ntp, <...>/ntp)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/null, <...>/null)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/numbers, <...>/numbers.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/openflow, <...>/openflow)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/option.bif, <...>/option.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/packet-filter, <...>/packet-filter)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/packet_analysis.bif, <...>/packet_analysis.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/paths, <...>/paths.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/patterns, <...>/patterns.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/pe, <...>/pe)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/plugins, <...>/plugins)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/pop3, <...>/pop3)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/ppp_serial, <...>/ppp_serial)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/pppoe, <...>/pppoe)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/queue, <...>/queue.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/radius, <...>/radius)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/rdp, <...>/rdp)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/removal-hooks, <...>/removal-hooks.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/reporter, <...>/reporter)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/reporter.bif, <...>/reporter.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/rfb, <...>/rfb)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/root, <...>/root)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/signatures, <...>/signatures)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/sip, <...>/sip)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/site, <...>/site.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/skip, <...>/skip)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/smb, <...>/smb)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/smtp, <...>/smtp)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/snmp, <...>/snmp)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/socks, <...>/socks)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/software, <...>/software)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/ssh, <...>/ssh)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/ssl, <...>/ssl)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/stats.bif, <...>/stats.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/store.bif, <...>/store.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/strings, <...>/strings.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/strings.bif, <...>/strings.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/sumstats, <...>/sumstats)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/supervisor, <...>/supervisor)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/supervisor.bif, <...>/supervisor.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/syslog, <...>/syslog)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/tcp, <...>/tcp)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/thresholds, <...>/thresholds.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/time, <...>/time.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/tunnels, <...>/tunnels)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/types.bif, <...>/types.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/udp, <...>/udp)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/urls, <...>/urls.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/utils, <...>/utils.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/version, <...>/version.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/vlan, <...>/vlan)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/vntag, <...>/vntag)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/weird, <...>/weird.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/x509, <...>/x509)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/xmpp, <...>/xmpp)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/zeek.bif, <...>/zeek.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, builtin-plugins/__load__.zeek, <...>/__load__.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, builtin-plugins/__preload__.zeek, <...>/__preload__.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, s1.sig, ./s1.sig)
+0.000000   MetaHookPre   LoadFileExtended(1, ./archive, <...>/archive.sig)
+0.000000   MetaHookPre   LoadFileExtended(1, ./audio, <...>/audio.sig)
+0.000000   MetaHookPre   LoadFileExtended(1, ./dpd.sig, <...>/dpd.sig)
+0.000000   MetaHookPre   LoadFileExtended(1, ./executable, <...>/executable.sig)
+0.000000   MetaHookPre   LoadFileExtended(1, ./font, <...>/font.sig)
+0.000000   MetaHookPre   LoadFileExtended(1, ./general, <...>/general.sig)
+0.000000   MetaHookPre   LoadFileExtended(1, ./image, <...>/image.sig)
+0.000000   MetaHookPre   LoadFileExtended(1, ./java, <...>/java.sig)
+0.000000   MetaHookPre   LoadFileExtended(1, ./libmagic, <...>/libmagic.sig)
+0.000000   MetaHookPre   LoadFileExtended(1, ./office, <...>/office.sig)
+0.000000   MetaHookPre   LoadFileExtended(1, ./programming, <...>/programming.sig)
+0.000000   MetaHookPre   LoadFileExtended(1, ./video, <...>/video.sig)
+0.000000   MetaHookPre   LoadFileExtended(1, s2, ./s2.sig)
 0.000000   MetaHookPre   LogInit(Log::WRITER_ASCII, default, true, true, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)})
 0.000000   MetaHookPre   LogWrite(Log::WRITER_ASCII, default, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}, <void ptr>)
 0.000000   MetaHookPre   QueueEvent(NetControl::init())
@@ -3155,6 +3887,372 @@
 0.000000 | HookLoadFile  builtin-plugins/__preload__.zeek <...>/__preload__.zeek
 0.000000 | HookLoadFile  s1.sig ./s1.sig
 0.000000 | HookLoadFile  s2 ./s2.sig
+0.000000 | HookLoadFileExtended ../main <...>/main.zeek
+0.000000 | HookLoadFileExtended ../plugin <...>/plugin.zeek
+0.000000 | HookLoadFileExtended ./CPP-load.bif.zeek <...>/CPP-load.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_ARP.events.bif.zeek <...>/Zeek_ARP.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_AsciiReader.ascii.bif.zeek <...>/Zeek_AsciiReader.ascii.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_AsciiWriter.ascii.bif.zeek <...>/Zeek_AsciiWriter.ascii.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_BenchmarkReader.benchmark.bif.zeek <...>/Zeek_BenchmarkReader.benchmark.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_BinaryReader.binary.bif.zeek <...>/Zeek_BinaryReader.binary.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_BitTorrent.events.bif.zeek <...>/Zeek_BitTorrent.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_ConfigReader.config.bif.zeek <...>/Zeek_ConfigReader.config.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_ConnSize.events.bif.zeek <...>/Zeek_ConnSize.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_ConnSize.functions.bif.zeek <...>/Zeek_ConnSize.functions.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_DCE_RPC.consts.bif.zeek <...>/Zeek_DCE_RPC.consts.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_DCE_RPC.events.bif.zeek <...>/Zeek_DCE_RPC.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_DCE_RPC.types.bif.zeek <...>/Zeek_DCE_RPC.types.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_DHCP.events.bif.zeek <...>/Zeek_DHCP.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_DHCP.types.bif.zeek <...>/Zeek_DHCP.types.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_DNP3.events.bif.zeek <...>/Zeek_DNP3.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_DNS.events.bif.zeek <...>/Zeek_DNS.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_FTP.events.bif.zeek <...>/Zeek_FTP.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_FTP.functions.bif.zeek <...>/Zeek_FTP.functions.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_File.events.bif.zeek <...>/Zeek_File.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_FileEntropy.events.bif.zeek <...>/Zeek_FileEntropy.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_FileExtract.events.bif.zeek <...>/Zeek_FileExtract.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_FileExtract.functions.bif.zeek <...>/Zeek_FileExtract.functions.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_FileHash.events.bif.zeek <...>/Zeek_FileHash.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_Finger.events.bif.zeek <...>/Zeek_Finger.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_GSSAPI.events.bif.zeek <...>/Zeek_GSSAPI.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_GTPv1.events.bif.zeek <...>/Zeek_GTPv1.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_Geneve.events.bif.zeek <...>/Zeek_Geneve.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_Gnutella.events.bif.zeek <...>/Zeek_Gnutella.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_HTTP.events.bif.zeek <...>/Zeek_HTTP.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_HTTP.functions.bif.zeek <...>/Zeek_HTTP.functions.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_ICMP.events.bif.zeek <...>/Zeek_ICMP.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_IMAP.events.bif.zeek <...>/Zeek_IMAP.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_IRC.events.bif.zeek <...>/Zeek_IRC.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_Ident.events.bif.zeek <...>/Zeek_Ident.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_KRB.events.bif.zeek <...>/Zeek_KRB.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_KRB.types.bif.zeek <...>/Zeek_KRB.types.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_Login.events.bif.zeek <...>/Zeek_Login.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_Login.functions.bif.zeek <...>/Zeek_Login.functions.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_MIME.events.bif.zeek <...>/Zeek_MIME.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_MQTT.events.bif.zeek <...>/Zeek_MQTT.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_MQTT.types.bif.zeek <...>/Zeek_MQTT.types.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_Modbus.events.bif.zeek <...>/Zeek_Modbus.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_MySQL.events.bif.zeek <...>/Zeek_MySQL.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_NCP.consts.bif.zeek <...>/Zeek_NCP.consts.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_NCP.events.bif.zeek <...>/Zeek_NCP.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_NTLM.events.bif.zeek <...>/Zeek_NTLM.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_NTLM.types.bif.zeek <...>/Zeek_NTLM.types.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_NTP.events.bif.zeek <...>/Zeek_NTP.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_NTP.types.bif.zeek <...>/Zeek_NTP.types.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_NetBIOS.events.bif.zeek <...>/Zeek_NetBIOS.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_NetBIOS.functions.bif.zeek <...>/Zeek_NetBIOS.functions.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_NoneWriter.none.bif.zeek <...>/Zeek_NoneWriter.none.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_PE.events.bif.zeek <...>/Zeek_PE.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_POP3.events.bif.zeek <...>/Zeek_POP3.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_RADIUS.events.bif.zeek <...>/Zeek_RADIUS.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_RDP.events.bif.zeek <...>/Zeek_RDP.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_RDP.types.bif.zeek <...>/Zeek_RDP.types.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_RFB.events.bif.zeek <...>/Zeek_RFB.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_RPC.events.bif.zeek <...>/Zeek_RPC.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_RawReader.raw.bif.zeek <...>/Zeek_RawReader.raw.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SIP.events.bif.zeek <...>/Zeek_SIP.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.consts.bif.zeek <...>/Zeek_SMB.consts.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.events.bif.zeek <...>/Zeek_SMB.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_check_directory.bif.zeek <...>/Zeek_SMB.smb1_com_check_directory.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_close.bif.zeek <...>/Zeek_SMB.smb1_com_close.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_create_directory.bif.zeek <...>/Zeek_SMB.smb1_com_create_directory.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_echo.bif.zeek <...>/Zeek_SMB.smb1_com_echo.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_logoff_andx.bif.zeek <...>/Zeek_SMB.smb1_com_logoff_andx.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_negotiate.bif.zeek <...>/Zeek_SMB.smb1_com_negotiate.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_nt_cancel.bif.zeek <...>/Zeek_SMB.smb1_com_nt_cancel.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_nt_create_andx.bif.zeek <...>/Zeek_SMB.smb1_com_nt_create_andx.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_query_information.bif.zeek <...>/Zeek_SMB.smb1_com_query_information.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_read_andx.bif.zeek <...>/Zeek_SMB.smb1_com_read_andx.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_session_setup_andx.bif.zeek <...>/Zeek_SMB.smb1_com_session_setup_andx.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_transaction.bif.zeek <...>/Zeek_SMB.smb1_com_transaction.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_transaction2.bif.zeek <...>/Zeek_SMB.smb1_com_transaction2.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek <...>/Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_transaction_secondary.bif.zeek <...>/Zeek_SMB.smb1_com_transaction_secondary.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek <...>/Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_tree_disconnect.bif.zeek <...>/Zeek_SMB.smb1_com_tree_disconnect.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_write_andx.bif.zeek <...>/Zeek_SMB.smb1_com_write_andx.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_events.bif.zeek <...>/Zeek_SMB.smb1_events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb2_com_close.bif.zeek <...>/Zeek_SMB.smb2_com_close.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb2_com_create.bif.zeek <...>/Zeek_SMB.smb2_com_create.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb2_com_negotiate.bif.zeek <...>/Zeek_SMB.smb2_com_negotiate.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb2_com_read.bif.zeek <...>/Zeek_SMB.smb2_com_read.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb2_com_session_setup.bif.zeek <...>/Zeek_SMB.smb2_com_session_setup.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb2_com_set_info.bif.zeek <...>/Zeek_SMB.smb2_com_set_info.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb2_com_transform_header.bif.zeek <...>/Zeek_SMB.smb2_com_transform_header.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb2_com_tree_connect.bif.zeek <...>/Zeek_SMB.smb2_com_tree_connect.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb2_com_tree_disconnect.bif.zeek <...>/Zeek_SMB.smb2_com_tree_disconnect.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb2_com_write.bif.zeek <...>/Zeek_SMB.smb2_com_write.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb2_events.bif.zeek <...>/Zeek_SMB.smb2_events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.types.bif.zeek <...>/Zeek_SMB.types.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMTP.events.bif.zeek <...>/Zeek_SMTP.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMTP.functions.bif.zeek <...>/Zeek_SMTP.functions.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SNMP.events.bif.zeek <...>/Zeek_SNMP.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SNMP.types.bif.zeek <...>/Zeek_SNMP.types.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SOCKS.events.bif.zeek <...>/Zeek_SOCKS.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SQLiteReader.sqlite.bif.zeek <...>/Zeek_SQLiteReader.sqlite.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SQLiteWriter.sqlite.bif.zeek <...>/Zeek_SQLiteWriter.sqlite.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SSH.events.bif.zeek <...>/Zeek_SSH.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SSH.types.bif.zeek <...>/Zeek_SSH.types.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SSL.consts.bif.zeek <...>/Zeek_SSL.consts.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SSL.events.bif.zeek <...>/Zeek_SSL.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SSL.functions.bif.zeek <...>/Zeek_SSL.functions.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SSL.types.bif.zeek <...>/Zeek_SSL.types.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_Syslog.events.bif.zeek <...>/Zeek_Syslog.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_TCP.events.bif.zeek <...>/Zeek_TCP.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_TCP.functions.bif.zeek <...>/Zeek_TCP.functions.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_TCP.types.bif.zeek <...>/Zeek_TCP.types.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_Teredo.events.bif.zeek <...>/Zeek_Teredo.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_UDP.events.bif.zeek <...>/Zeek_UDP.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_Unified2.events.bif.zeek <...>/Zeek_Unified2.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_Unified2.types.bif.zeek <...>/Zeek_Unified2.types.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_VXLAN.events.bif.zeek <...>/Zeek_VXLAN.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_X509.events.bif.zeek <...>/Zeek_X509.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_X509.functions.bif.zeek <...>/Zeek_X509.functions.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_X509.ocsp_events.bif.zeek <...>/Zeek_X509.ocsp_events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_X509.types.bif.zeek <...>/Zeek_X509.types.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_XMPP.events.bif.zeek <...>/Zeek_XMPP.events.bif.zeek
+0.000000 | HookLoadFileExtended ./acld <...>/acld.zeek
+0.000000 | HookLoadFileExtended ./addrs <...>/addrs.zeek
+0.000000 | HookLoadFileExtended ./analyzer.bif.zeek <...>/analyzer.bif.zeek
+0.000000 | HookLoadFileExtended ./api <...>/api.zeek
+0.000000 | HookLoadFileExtended ./archive <...>/archive.sig
+0.000000 | HookLoadFileExtended ./audio <...>/audio.sig
+0.000000 | HookLoadFileExtended ./average <...>/average.zeek
+0.000000 | HookLoadFileExtended ./bloom-filter.bif.zeek <...>/bloom-filter.bif.zeek
+0.000000 | HookLoadFileExtended ./broker <...>/broker.zeek
+0.000000 | HookLoadFileExtended ./cardinality-counter.bif.zeek <...>/cardinality-counter.bif.zeek
+0.000000 | HookLoadFileExtended ./certificate-event-cache <...>/certificate-event-cache.zeek
+0.000000 | HookLoadFileExtended ./comm.bif.zeek <...>/comm.bif.zeek
+0.000000 | HookLoadFileExtended ./const-dos-error <...>/const-dos-error.zeek
+0.000000 | HookLoadFileExtended ./const-nt-status <...>/const-nt-status.zeek
+0.000000 | HookLoadFileExtended ./const.bif.zeek <...>/const.bif.zeek
+0.000000 | HookLoadFileExtended ./consts <...>/consts.zeek
+0.000000 | HookLoadFileExtended ./contents <...>/contents.zeek
+0.000000 | HookLoadFileExtended ./control <...>/control.zeek
+0.000000 | HookLoadFileExtended ./ct-list <...>/ct-list.zeek
+0.000000 | HookLoadFileExtended ./data.bif.zeek <...>/data.bif.zeek
+0.000000 | HookLoadFileExtended ./dcc-send <...>/dcc-send.zeek
+0.000000 | HookLoadFileExtended ./debug <...>/debug.zeek
+0.000000 | HookLoadFileExtended ./dpd.sig <...>/dpd.sig
+0.000000 | HookLoadFileExtended ./drop <...>/drop.zeek
+0.000000 | HookLoadFileExtended ./entities <...>/entities.zeek
+0.000000 | HookLoadFileExtended ./event.bif.zeek <...>/event.bif.zeek
+0.000000 | HookLoadFileExtended ./exec <...>/exec.zeek
+0.000000 | HookLoadFileExtended ./executable <...>/executable.sig
+0.000000 | HookLoadFileExtended ./file_analysis.bif.zeek <...>/file_analysis.bif.zeek
+0.000000 | HookLoadFileExtended ./files <...>/files.zeek
+0.000000 | HookLoadFileExtended ./font <...>/font.sig
+0.000000 | HookLoadFileExtended ./general <...>/general.sig
+0.000000 | HookLoadFileExtended ./gridftp <...>/gridftp.zeek
+0.000000 | HookLoadFileExtended ./hll_unique <...>/hll_unique.zeek
+0.000000 | HookLoadFileExtended ./hooks.bif.zeek <...>/hooks.bif.zeek
+0.000000 | HookLoadFileExtended ./image <...>/image.sig
+0.000000 | HookLoadFileExtended ./inactivity <...>/inactivity.zeek
+0.000000 | HookLoadFileExtended ./info <...>/info.zeek
+0.000000 | HookLoadFileExtended ./input <...>/input.zeek
+0.000000 | HookLoadFileExtended ./input.bif.zeek <...>/input.bif.zeek
+0.000000 | HookLoadFileExtended ./java <...>/java.sig
+0.000000 | HookLoadFileExtended ./last <...>/last.zeek
+0.000000 | HookLoadFileExtended ./libmagic <...>/libmagic.sig
+0.000000 | HookLoadFileExtended ./log <...>/log.zeek
+0.000000 | HookLoadFileExtended ./log-ocsp <...>/log-ocsp.zeek
+0.000000 | HookLoadFileExtended ./logging.bif.zeek <...>/logging.bif.zeek
+0.000000 | HookLoadFileExtended ./magic <...>/magic
+0.000000 | HookLoadFileExtended ./main <...>/main.zeek
+0.000000 | HookLoadFileExtended ./max <...>/max.zeek
+0.000000 | HookLoadFileExtended ./messaging.bif.zeek <...>/messaging.bif.zeek
+0.000000 | HookLoadFileExtended ./min <...>/min.zeek
+0.000000 | HookLoadFileExtended ./mozilla-ca-list <...>/mozilla-ca-list.zeek
+0.000000 | HookLoadFileExtended ./netstats <...>/netstats.zeek
+0.000000 | HookLoadFileExtended ./non-cluster <...>/non-cluster.zeek
+0.000000 | HookLoadFileExtended ./office <...>/office.sig
+0.000000 | HookLoadFileExtended ./openflow <...>/openflow.zeek
+0.000000 | HookLoadFileExtended ./option.bif.zeek <...>/option.bif.zeek
+0.000000 | HookLoadFileExtended ./packet_analysis.bif.zeek <...>/packet_analysis.bif.zeek
+0.000000 | HookLoadFileExtended ./packetfilter <...>/packetfilter.zeek
+0.000000 | HookLoadFileExtended ./patterns <...>/patterns.zeek
+0.000000 | HookLoadFileExtended ./pcap.bif.zeek <...>/pcap.bif.zeek
+0.000000 | HookLoadFileExtended ./plugin <...>/plugin.zeek
+0.000000 | HookLoadFileExtended ./plugins <...>/plugins
+0.000000 | HookLoadFileExtended ./polling <...>/polling.zeek
+0.000000 | HookLoadFileExtended ./pools <...>/pools.zeek
+0.000000 | HookLoadFileExtended ./postprocessors <...>/postprocessors
+0.000000 | HookLoadFileExtended ./programming <...>/programming.sig
+0.000000 | HookLoadFileExtended ./removal-hooks <...>/removal-hooks.zeek
+0.000000 | HookLoadFileExtended ./reporter.bif.zeek <...>/reporter.bif.zeek
+0.000000 | HookLoadFileExtended ./ryu <...>/ryu.zeek
+0.000000 | HookLoadFileExtended ./sample <...>/sample.zeek
+0.000000 | HookLoadFileExtended ./scp <...>/scp.zeek
+0.000000 | HookLoadFileExtended ./sftp <...>/sftp.zeek
+0.000000 | HookLoadFileExtended ./shunt <...>/shunt.zeek
+0.000000 | HookLoadFileExtended ./site <...>/site.zeek
+0.000000 | HookLoadFileExtended ./smb1-main <...>/smb1-main.zeek
+0.000000 | HookLoadFileExtended ./smb2-main <...>/smb2-main.zeek
+0.000000 | HookLoadFileExtended ./stats.bif.zeek <...>/stats.bif.zeek
+0.000000 | HookLoadFileExtended ./std-dev <...>/std-dev.zeek
+0.000000 | HookLoadFileExtended ./store <...>/store.zeek
+0.000000 | HookLoadFileExtended ./store.bif.zeek <...>/store.bif.zeek
+0.000000 | HookLoadFileExtended ./strings.bif.zeek <...>/strings.bif.zeek
+0.000000 | HookLoadFileExtended ./sum <...>/sum.zeek
+0.000000 | HookLoadFileExtended ./supervisor.bif.zeek <...>/supervisor.bif.zeek
+0.000000 | HookLoadFileExtended ./telemetry.bif.zeek <...>/telemetry.bif.zeek
+0.000000 | HookLoadFileExtended ./thresholds <...>/thresholds.zeek
+0.000000 | HookLoadFileExtended ./top-k.bif.zeek <...>/top-k.bif.zeek
+0.000000 | HookLoadFileExtended ./topk <...>/topk.zeek
+0.000000 | HookLoadFileExtended ./types <...>/types.zeek
+0.000000 | HookLoadFileExtended ./types.bif.zeek <...>/types.bif.zeek
+0.000000 | HookLoadFileExtended ./unique <...>/unique.zeek
+0.000000 | HookLoadFileExtended ./utils <...>/utils.zeek
+0.000000 | HookLoadFileExtended ./utils-commands <...>/utils-commands.zeek
+0.000000 | HookLoadFileExtended ./variance <...>/variance.zeek
+0.000000 | HookLoadFileExtended ./video <...>/video.sig
+0.000000 | HookLoadFileExtended ./weird <...>/weird.zeek
+0.000000 | HookLoadFileExtended ./zeek.bif.zeek <...>/zeek.bif.zeek
+0.000000 | HookLoadFileExtended ./zeekygen.bif.zeek <...>/zeekygen.bif.zeek
+0.000000 | HookLoadFileExtended .<...>/add-geodata <...>/add-geodata.zeek
+0.000000 | HookLoadFileExtended .<...>/ascii <...>/ascii.zeek
+0.000000 | HookLoadFileExtended .<...>/benchmark <...>/benchmark.zeek
+0.000000 | HookLoadFileExtended .<...>/binary <...>/binary.zeek
+0.000000 | HookLoadFileExtended .<...>/config <...>/config.zeek
+0.000000 | HookLoadFileExtended .<...>/email_admin <...>/email_admin.zeek
+0.000000 | HookLoadFileExtended .<...>/none <...>/none.zeek
+0.000000 | HookLoadFileExtended .<...>/page <...>/page.zeek
+0.000000 | HookLoadFileExtended .<...>/pp-alarms <...>/pp-alarms.zeek
+0.000000 | HookLoadFileExtended .<...>/raw <...>/raw.zeek
+0.000000 | HookLoadFileExtended .<...>/sqlite <...>/sqlite.zeek
+0.000000 | HookLoadFileExtended <...>/__load__.zeek <...>/__load__.zeek
+0.000000 | HookLoadFileExtended <...>/__preload__.zeek <...>/__preload__.zeek
+0.000000 | HookLoadFileExtended <...>/hooks.zeek <...>/hooks.zeek
+0.000000 | HookLoadFileExtended base/bif <...>/bif
+0.000000 | HookLoadFileExtended base/init-default <...>/init-default.zeek
+0.000000 | HookLoadFileExtended base/init-frameworks-and-bifs.zeek <...>/init-frameworks-and-bifs.zeek
+0.000000 | HookLoadFileExtended base/packet-protocols <...>/packet-protocols
+0.000000 | HookLoadFileExtended base<...>/CPP-load.bif <...>/CPP-load.bif.zeek
+0.000000 | HookLoadFileExtended base<...>/Zeek_KRB.types.bif <...>/Zeek_KRB.types.bif.zeek
+0.000000 | HookLoadFileExtended base<...>/Zeek_SNMP.types.bif <...>/Zeek_SNMP.types.bif.zeek
+0.000000 | HookLoadFileExtended base<...>/active-http <...>/active-http.zeek
+0.000000 | HookLoadFileExtended base<...>/addrs <...>/addrs.zeek
+0.000000 | HookLoadFileExtended base<...>/analyzer <...>/analyzer
+0.000000 | HookLoadFileExtended base<...>/analyzer.bif <...>/analyzer.bif.zeek
+0.000000 | HookLoadFileExtended base<...>/api <...>/api.zeek
+0.000000 | HookLoadFileExtended base<...>/backtrace <...>/backtrace.zeek
+0.000000 | HookLoadFileExtended base<...>/broker <...>/broker
+0.000000 | HookLoadFileExtended base<...>/cluster <...>/cluster
+0.000000 | HookLoadFileExtended base<...>/comm.bif <...>/comm.bif.zeek
+0.000000 | HookLoadFileExtended base<...>/config <...>/config
+0.000000 | HookLoadFileExtended base<...>/conn <...>/conn
+0.000000 | HookLoadFileExtended base<...>/conn-ids <...>/conn-ids.zeek
+0.000000 | HookLoadFileExtended base<...>/const.bif <...>/const.bif.zeek
+0.000000 | HookLoadFileExtended base<...>/control <...>/control
+0.000000 | HookLoadFileExtended base<...>/data.bif <...>/data.bif.zeek
+0.000000 | HookLoadFileExtended base<...>/dce-rpc <...>/dce-rpc
+0.000000 | HookLoadFileExtended base<...>/dhcp <...>/dhcp
+0.000000 | HookLoadFileExtended base<...>/dir <...>/dir.zeek
+0.000000 | HookLoadFileExtended base<...>/directions-and-hosts <...>/directions-and-hosts.zeek
+0.000000 | HookLoadFileExtended base<...>/dnp3 <...>/dnp3
+0.000000 | HookLoadFileExtended base<...>/dns <...>/dns
+0.000000 | HookLoadFileExtended base<...>/dpd <...>/dpd
+0.000000 | HookLoadFileExtended base<...>/email <...>/email.zeek
+0.000000 | HookLoadFileExtended base<...>/ethernet <...>/ethernet
+0.000000 | HookLoadFileExtended base<...>/event.bif <...>/event.bif.zeek
+0.000000 | HookLoadFileExtended base<...>/exec <...>/exec.zeek
+0.000000 | HookLoadFileExtended base<...>/extract <...>/extract
+0.000000 | HookLoadFileExtended base<...>/fddi <...>/fddi
+0.000000 | HookLoadFileExtended base<...>/file_analysis.bif <...>/file_analysis.bif.zeek
+0.000000 | HookLoadFileExtended base<...>/files <...>/files
+0.000000 | HookLoadFileExtended base<...>/files <...>/files.zeek
+0.000000 | HookLoadFileExtended base<...>/find-checksum-offloading <...>/find-checksum-offloading.zeek
+0.000000 | HookLoadFileExtended base<...>/find-filtered-trace <...>/find-filtered-trace.zeek
+0.000000 | HookLoadFileExtended base<...>/ftp <...>/ftp
+0.000000 | HookLoadFileExtended base<...>/geoip-distance <...>/geoip-distance.zeek
+0.000000 | HookLoadFileExtended base<...>/gre <...>/gre
+0.000000 | HookLoadFileExtended base<...>/hash <...>/hash
+0.000000 | HookLoadFileExtended base<...>/hash_hrw <...>/hash_hrw.zeek
+0.000000 | HookLoadFileExtended base<...>/http <...>/http
+0.000000 | HookLoadFileExtended base<...>/icmp <...>/icmp
+0.000000 | HookLoadFileExtended base<...>/ieee802_11 <...>/ieee802_11
+0.000000 | HookLoadFileExtended base<...>/ieee802_11_radio <...>/ieee802_11_radio
+0.000000 | HookLoadFileExtended base<...>/imap <...>/imap
+0.000000 | HookLoadFileExtended base<...>/input <...>/input
+0.000000 | HookLoadFileExtended base<...>/input.bif <...>/input.bif.zeek
+0.000000 | HookLoadFileExtended base<...>/intel <...>/intel
+0.000000 | HookLoadFileExtended base<...>/ip <...>/ip
+0.000000 | HookLoadFileExtended base<...>/iptunnel <...>/iptunnel
+0.000000 | HookLoadFileExtended base<...>/irc <...>/irc
+0.000000 | HookLoadFileExtended base<...>/krb <...>/krb
+0.000000 | HookLoadFileExtended base<...>/linux_sll <...>/linux_sll
+0.000000 | HookLoadFileExtended base<...>/logging <...>/logging
+0.000000 | HookLoadFileExtended base<...>/logging.bif <...>/logging.bif.zeek
+0.000000 | HookLoadFileExtended base<...>/main <...>/main.zeek
+0.000000 | HookLoadFileExtended base<...>/messaging.bif <...>/messaging.bif.zeek
+0.000000 | HookLoadFileExtended base<...>/modbus <...>/modbus
+0.000000 | HookLoadFileExtended base<...>/mpls <...>/mpls
+0.000000 | HookLoadFileExtended base<...>/mqtt <...>/mqtt
+0.000000 | HookLoadFileExtended base<...>/mysql <...>/mysql
+0.000000 | HookLoadFileExtended base<...>/netcontrol <...>/netcontrol
+0.000000 | HookLoadFileExtended base<...>/nflog <...>/nflog
+0.000000 | HookLoadFileExtended base<...>/notice <...>/notice
+0.000000 | HookLoadFileExtended base<...>/ntlm <...>/ntlm
+0.000000 | HookLoadFileExtended base<...>/ntp <...>/ntp
+0.000000 | HookLoadFileExtended base<...>/null <...>/null
+0.000000 | HookLoadFileExtended base<...>/numbers <...>/numbers.zeek
+0.000000 | HookLoadFileExtended base<...>/openflow <...>/openflow
+0.000000 | HookLoadFileExtended base<...>/option.bif <...>/option.bif.zeek
+0.000000 | HookLoadFileExtended base<...>/packet-filter <...>/packet-filter
+0.000000 | HookLoadFileExtended base<...>/packet_analysis.bif <...>/packet_analysis.bif.zeek
+0.000000 | HookLoadFileExtended base<...>/paths <...>/paths.zeek
+0.000000 | HookLoadFileExtended base<...>/patterns <...>/patterns.zeek
+0.000000 | HookLoadFileExtended base<...>/pe <...>/pe
+0.000000 | HookLoadFileExtended base<...>/plugins <...>/plugins
+0.000000 | HookLoadFileExtended base<...>/pop3 <...>/pop3
+0.000000 | HookLoadFileExtended base<...>/ppp_serial <...>/ppp_serial
+0.000000 | HookLoadFileExtended base<...>/pppoe <...>/pppoe
+0.000000 | HookLoadFileExtended base<...>/queue <...>/queue.zeek
+0.000000 | HookLoadFileExtended base<...>/radius <...>/radius
+0.000000 | HookLoadFileExtended base<...>/rdp <...>/rdp
+0.000000 | HookLoadFileExtended base<...>/removal-hooks <...>/removal-hooks.zeek
+0.000000 | HookLoadFileExtended base<...>/reporter <...>/reporter
+0.000000 | HookLoadFileExtended base<...>/reporter.bif <...>/reporter.bif.zeek
+0.000000 | HookLoadFileExtended base<...>/rfb <...>/rfb
+0.000000 | HookLoadFileExtended base<...>/root <...>/root
+0.000000 | HookLoadFileExtended base<...>/signatures <...>/signatures
+0.000000 | HookLoadFileExtended base<...>/sip <...>/sip
+0.000000 | HookLoadFileExtended base<...>/site <...>/site.zeek
+0.000000 | HookLoadFileExtended base<...>/skip <...>/skip
+0.000000 | HookLoadFileExtended base<...>/smb <...>/smb
+0.000000 | HookLoadFileExtended base<...>/smtp <...>/smtp
+0.000000 | HookLoadFileExtended base<...>/snmp <...>/snmp
+0.000000 | HookLoadFileExtended base<...>/socks <...>/socks
+0.000000 | HookLoadFileExtended base<...>/software <...>/software
+0.000000 | HookLoadFileExtended base<...>/ssh <...>/ssh
+0.000000 | HookLoadFileExtended base<...>/ssl <...>/ssl
+0.000000 | HookLoadFileExtended base<...>/stats.bif <...>/stats.bif.zeek
+0.000000 | HookLoadFileExtended base<...>/store.bif <...>/store.bif.zeek
+0.000000 | HookLoadFileExtended base<...>/strings <...>/strings.zeek
+0.000000 | HookLoadFileExtended base<...>/strings.bif <...>/strings.bif.zeek
+0.000000 | HookLoadFileExtended base<...>/sumstats <...>/sumstats
+0.000000 | HookLoadFileExtended base<...>/supervisor <...>/supervisor
+0.000000 | HookLoadFileExtended base<...>/supervisor.bif <...>/supervisor.bif.zeek
+0.000000 | HookLoadFileExtended base<...>/syslog <...>/syslog
+0.000000 | HookLoadFileExtended base<...>/tcp <...>/tcp
+0.000000 | HookLoadFileExtended base<...>/thresholds <...>/thresholds.zeek
+0.000000 | HookLoadFileExtended base<...>/time <...>/time.zeek
+0.000000 | HookLoadFileExtended base<...>/tunnels <...>/tunnels
+0.000000 | HookLoadFileExtended base<...>/types.bif <...>/types.bif.zeek
+0.000000 | HookLoadFileExtended base<...>/udp <...>/udp
+0.000000 | HookLoadFileExtended base<...>/urls <...>/urls.zeek
+0.000000 | HookLoadFileExtended base<...>/utils <...>/utils.zeek
+0.000000 | HookLoadFileExtended base<...>/version <...>/version.zeek
+0.000000 | HookLoadFileExtended base<...>/vlan <...>/vlan
+0.000000 | HookLoadFileExtended base<...>/vntag <...>/vntag
+0.000000 | HookLoadFileExtended base<...>/weird <...>/weird.zeek
+0.000000 | HookLoadFileExtended base<...>/x509 <...>/x509
+0.000000 | HookLoadFileExtended base<...>/xmpp <...>/xmpp
+0.000000 | HookLoadFileExtended base<...>/zeek.bif <...>/zeek.bif.zeek
+0.000000 | HookLoadFileExtended builtin-plugins/__load__.zeek <...>/__load__.zeek
+0.000000 | HookLoadFileExtended builtin-plugins/__preload__.zeek <...>/__preload__.zeek
+0.000000 | HookLoadFileExtended s1.sig ./s1.sig
+0.000000 | HookLoadFileExtended s2 ./s2.sig
 0.000000 | HookLogInit   packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)}
 0.000000 | HookLogWrite  packet_filter [ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T]
 0.000000 | HookQueueEvent NetControl::init()
diff --git a/testing/btest/Baseline/plugins.plugin-load-file-extended/output b/testing/btest/Baseline/plugins.plugin-load-file-extended/output
new file mode 100644
index 0000000000..d32f2141d1
--- /dev/null
+++ b/testing/btest/Baseline/plugins.plugin-load-file-extended/output
@@ -0,0 +1,7 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+HookLoadExtended/script: file=|xxx| resolved=|./xxx.zeek|
+HookLoadExtended/script: file=|yyy| resolved=||
+HookLoadExtended/signature: file=|abc.sig| resolved=|./abc.sig|
+new zeek_init(): script has been replaced
+new zeek_init(): script has been added
+signature works!
diff --git a/testing/btest/plugins/hooks-plugin/src/Plugin.cc b/testing/btest/plugins/hooks-plugin/src/Plugin.cc
index 852d9656bf..1fd4054f38 100644
--- a/testing/btest/plugins/hooks-plugin/src/Plugin.cc
+++ b/testing/btest/plugins/hooks-plugin/src/Plugin.cc
@@ -15,6 +15,7 @@ using namespace btest::plugin::Demo_Hooks;
 zeek::plugin::Configuration Plugin::Configure()
 	{
 	EnableHook(zeek::plugin::HOOK_LOAD_FILE);
+	EnableHook(zeek::plugin::HOOK_LOAD_FILE_EXT);
 	EnableHook(zeek::plugin::HOOK_CALL_FUNCTION);
 	EnableHook(zeek::plugin::HOOK_QUEUE_EVENT);
 	EnableHook(zeek::plugin::HOOK_DRAIN_EVENTS);
@@ -56,6 +57,13 @@ int Plugin::HookLoadFile(const LoadType type, const std::string& file, const std
 	return -1;
 	}
 
+std::pair<int, std::optional<std::string>> Plugin::HookLoadFileExtended(const LoadType type, const std::string& file, const std::string& resolved)
+	{
+	fprintf(stderr, "%.6f %-15s %s %s\n", zeek::run_state::network_time, "| HookLoadFileExtended",
+		file.c_str(), resolved.c_str());
+	return std::make_pair(-1, std::nullopt);
+	}
+
 std::pair<bool, zeek::ValPtr> Plugin::HookFunctionCall(const zeek::Func* func, zeek::detail::Frame* frame,
                                                        zeek::Args* args)
 	{
diff --git a/testing/btest/plugins/hooks-plugin/src/Plugin.h b/testing/btest/plugins/hooks-plugin/src/Plugin.h
index 94a7f16aee..b721608a6f 100644
--- a/testing/btest/plugins/hooks-plugin/src/Plugin.h
+++ b/testing/btest/plugins/hooks-plugin/src/Plugin.h
@@ -9,6 +9,7 @@ class Plugin : public zeek::plugin::Plugin
 {
 protected:
 	int HookLoadFile(const LoadType type, const std::string& file, const std::string& resolved) override;
+	std::pair<int, std::optional<std::string>> HookLoadFileExtended(const LoadType type, const std::string& file, const std::string& resolved) override;
 	std::pair<bool, zeek::ValPtr> HookFunctionCall(const zeek::Func* func, zeek::detail::Frame* parent,
 	                                               zeek::Args* args) override;
 	bool HookQueueEvent(zeek::Event* event) override;
diff --git a/testing/btest/plugins/plugin-load-file-extended.zeek b/testing/btest/plugins/plugin-load-file-extended.zeek
new file mode 100644
index 0000000000..0d3d297c5a
--- /dev/null
+++ b/testing/btest/plugins/plugin-load-file-extended.zeek
@@ -0,0 +1,17 @@
+# @TEST-EXEC: ${DIST}/auxil/zeek-aux/plugin-support/init-plugin -u . Testing LoadFileExtended
+# @TEST-EXEC: cp -r %DIR/plugin-load-file-extended/* .
+# @TEST-EXEC: ./configure --zeek-dist=${DIST} && make
+# @TEST-EXEC: ZEEK_PLUGIN_PATH=$(pwd) zeek -r $TRACES/wikipedia.trace -b Testing::LoadFileExtended xxx yyy -s abc.sig >> output
+# @TEST-EXEC: btest-diff output
+
+# @TEST-START-FILE xxx.zeek
+
+event zeek_init() {
+    print "original script";
+}
+
+# @TEST-END-FILE
+
+# @TEST-START-FILE abc.sig
+# empty
+# @TEST-END-FILE
diff --git a/testing/btest/plugins/plugin-load-file-extended/.btest-ignore b/testing/btest/plugins/plugin-load-file-extended/.btest-ignore
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/plugins/plugin-load-file-extended/src/Plugin.cc b/testing/btest/plugins/plugin-load-file-extended/src/Plugin.cc
new file mode 100644
index 0000000000..a86d4f50f2
--- /dev/null
+++ b/testing/btest/plugins/plugin-load-file-extended/src/Plugin.cc
@@ -0,0 +1,70 @@
+
+#include "Plugin.h"
+
+namespace btest::plugin::Testing_LoadFileExtended
+	{
+Plugin plugin;
+	}
+
+using namespace btest::plugin::Testing_LoadFileExtended;
+
+zeek::plugin::Configuration Plugin::Configure()
+	{
+	EnableHook(zeek::plugin::HOOK_LOAD_FILE_EXT);
+
+	zeek::plugin::Configuration config;
+	config.name = "Testing::LoadFileExtended";
+	config.version.major = 0;
+	config.version.minor = 1;
+	config.version.patch = 4;
+	return config;
+	}
+
+#include <iostream>
+
+std::pair<int, std::optional<std::string>> Plugin::HookLoadFileExtended(const LoadType type,
+                                                                        const std::string& file,
+                                                                        const std::string& resolved)
+	{
+	if ( type == LoadType::SCRIPT && file == "xxx" )
+		{
+		printf("HookLoadExtended/script: file=|%s| resolved=|%s|\n", file.c_str(), resolved.c_str());
+
+		return std::make_pair(1, R"(
+			event zeek_init() {
+				print "new zeek_init(): script has been replaced";
+			}
+
+			event signature_match(state: signature_state, msg: string, data: string) {
+				print msg;
+			}
+		)");
+		}
+
+	if ( type == LoadType::SCRIPT && file == "yyy" )
+		{
+		printf("HookLoadExtended/script: file=|%s| resolved=|%s|\n", file.c_str(), resolved.c_str());
+
+		return std::make_pair(1, R"(
+			event zeek_init() {
+				print "new zeek_init(): script has been added";
+			}
+		)");
+		}
+
+	if ( type == LoadType::SIGNATURES && file == "abc.sig" )
+		{
+		printf("HookLoadExtended/signature: file=|%s| resolved=|%s|\n", file.c_str(), resolved.c_str());
+
+		return std::make_pair(1, R"(
+		signature my-sig {
+			ip-proto == tcp
+			payload /GET \/images/
+			event "signature works!"
+			}
+		)");
+		}
+
+	return std::make_pair(-1, std::nullopt);
+	}
+
diff --git a/testing/btest/plugins/plugin-load-file-extended/src/Plugin.h b/testing/btest/plugins/plugin-load-file-extended/src/Plugin.h
new file mode 100644
index 0000000000..83137bce6f
--- /dev/null
+++ b/testing/btest/plugins/plugin-load-file-extended/src/Plugin.h
@@ -0,0 +1,18 @@
+
+#pragma once
+
+#include <zeek/plugin/Plugin.h>
+
+namespace btest::plugin::Testing_LoadFileExtended {
+
+class Plugin : public zeek::plugin::Plugin
+{
+protected:
+	// Overridden from zeek::plugin::Plugin.
+	zeek::plugin::Configuration Configure() override;
+    std::pair<int, std::optional<std::string>> HookLoadFileExtended(const Plugin::LoadType type, const std::string& file, const std::string& resolved) override;
+};
+
+extern Plugin plugin;
+
+}

From c39f33527a306d08356b3ca3a0a92f7c1f2ee2b7 Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Fri, 5 Nov 2021 12:49:24 -0700
Subject: [PATCH 035/210] Update broker and zeek-archiver submodules [nomail]
 [skip ci]

---
 auxil/broker        | 2 +-
 auxil/zeek-archiver | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/auxil/broker b/auxil/broker
index 47cac80cbe..32d97ec752 160000
--- a/auxil/broker
+++ b/auxil/broker
@@ -1 +1 @@
-Subproject commit 47cac80cbe1e1bde8e3b425903e50d62715972a2
+Subproject commit 32d97ec7522951a28aeb521120cc512acd47e324
diff --git a/auxil/zeek-archiver b/auxil/zeek-archiver
index f3a1e8fe46..479e8a85fd 160000
--- a/auxil/zeek-archiver
+++ b/auxil/zeek-archiver
@@ -1 +1 @@
-Subproject commit f3a1e8fe464c0425688eff67e30f35c678914ad2
+Subproject commit 479e8a85fd58936c16d361dbf3de4e7268d751f8

From 1a6da54aedcf2afc52b8f61fa592e7f78657cbe0 Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Fri, 5 Nov 2021 13:40:04 -0700
Subject: [PATCH 036/210] Update broker submodule [nomail] [skip ci]

---
 auxil/broker | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/auxil/broker b/auxil/broker
index 32d97ec752..07842d8bcd 160000
--- a/auxil/broker
+++ b/auxil/broker
@@ -1 +1 @@
-Subproject commit 32d97ec7522951a28aeb521120cc512acd47e324
+Subproject commit 07842d8bcdd4cf90fb7355be53fa3d14146147dd

From f2ea56379bdbe1e8ef2504fb42dccd0ed7116fab Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Wed, 3 Nov 2021 11:15:50 -0700
Subject: [PATCH 037/210] Remove no-op false-teredo test

---
 .../known_services.log                        |   4 +-
 .../btest/Traces/tunnels/false-teredo.pcap    | Bin 3098 -> 0 bytes
 testing/btest/core/tunnels/false-teredo.zeek  |  47 ------------------
 .../core/tunnels/teredo-known-services.test   |   2 +-
 4 files changed, 4 insertions(+), 49 deletions(-)
 delete mode 100644 testing/btest/Traces/tunnels/false-teredo.pcap
 delete mode 100644 testing/btest/core/tunnels/false-teredo.zeek

diff --git a/testing/btest/Baseline/core.tunnels.teredo-known-services/known_services.log b/testing/btest/Baseline/core.tunnels.teredo-known-services/known_services.log
index 140fed3fc9..d7565fafdf 100644
--- a/testing/btest/Baseline/core.tunnels.teredo-known-services/known_services.log
+++ b/testing/btest/Baseline/core.tunnels.teredo-known-services/known_services.log
@@ -7,5 +7,7 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	host	port_num	port_proto	service
 #types	time	addr	port	enum	set[string]
-XXXXXXXXXX.XXXXXX	192.168.1.1	53	udp	DNS
+XXXXXXXXXX.XXXXXX	192.168.2.1	53	udp	DNS
+XXXXXXXXXX.XXXXXX	192.168.2.16	1577	tcp	(empty)
+XXXXXXXXXX.XXXXXX	192.168.2.16	1576	tcp	(empty)
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Traces/tunnels/false-teredo.pcap b/testing/btest/Traces/tunnels/false-teredo.pcap
deleted file mode 100644
index e82a6f41693b06517d460a0f976cbed141f9e8fb..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 3098
zcmd6pe`r%z6vyv-xlLkiV`IB%WtO28hO}auCKj!;^oNtCLtF<I$EGjIOJ3XLz4X0g
zA;?%e=VU(=al(c_@t@fa5p>F&=(wfB$;N*C;fihybY)04n2zCG9nqchUXqvgvHUrf
za-iqj`|kIi&pG$LcWvVA37$}r|2=v{2nWt0KMj<7>|`tak49>zZojykIFl{hIVb5N
zq|0`QkYV>ny=;{02jgz-AU@)`oenL9=Wz-6Q6V0ZTtg{QOZF>rTu=waq%EYxaRRqz
z;8F%<zKc7^VVI0&2pD3z%-#u@+~)SSpae=09|&dk&xDqa48tls{FRnr6(|Nvml0Yq
z^0_?Ae{IVQbHfraz9vkZWno!c?PG3B%){J^VXF_?D#>%O6q<!d8*M@&XIY-e6&Z*$
z+z}&_CK0<P3TjBAqLz^Ps8WD2bm+iNRB%mJk|9_e%>pCT^BBVT@S+I=G&a}19huZ&
z=z0E|LLu)uLOY-N_86-+^0vK792C;_uxbf5(6Nt@ZqP=vq}Wpa08>0g@+oFFLW=bV
z>b+xTikv_rT39ZmcB}4aAFdpL)@p@mXmeBJRy9Aw)W+>*YT1q4l0!$lV|r>fG7p+&
z&dQKd8J5mfMHUy0ImB>O927G)Sxgf4lriV|9i)beEo+*%Xt^*b#D#vG#n!Q&Tzk|I
zy2Czoifu8lIGn_8lUt&!cXnj8CE~M0nk<numWbaHX|_Z>mWUT3WdaR!&e-N2&G|oU
z9;`Bs=D-E4QjZ^4O2|{MlIMx@QWjt#eJnskQIbI+7UNTc4pmGgMO7=5?BtQguTiGq
zri1(rlhKGSP;@k>_E%uZBAvOCNyG<2-(*in+1$~z5x%5MzJ8;O)XfXUQW|W+<F~2t
zs57LfVp>o|KBT|~3G*3Mf~wGo-|kkij^Zk59@bG5sj<mgQ>B{HG%*&_BtcDx?8%~W
zs4G0No1HM$tdR-5@t*J&8!`Rfdn@^Lm<FP|oFzC9twhdUpXE8<_zADTd+vdS#he8#
z8Hx2L%A<-BjfpWKXmTE2G3`W|MGxkaF90!`h4ZDcGswB;ipd#-MjJjDSeWAs*S9lL
zLMF$V+cHe59YP|ZC6pu=vl|-%G&#6j1EJloRPSXQbh!NS5j+BbYQvm}*Ai*AM4H$J
zr$Pg}PL%?fxsL!_@8<#PH>M}HOqntP+S2Lt0$I?cl#mo-VpJ6pQlU}(+{LF+CUvfo
zl)*D-7J&CZ`56JWZZ!dd&{Q8)rV0RQNtt}3@_mG7RjkTr6!2)<OWPKMufIXSUjR30
zW0)pnAz|D;<`7=8jX~B|G+PgatRVqH2Xzhp@IBPnNtry$ug^8BF}{60WxYk?+t=40
z%h14Ab(JNWcUKp(_m1V+XD6_EuU;1~o9vxwI6<<gX=TBf64hw3KQ0#7XI`J_M47(Y
z1>`(DgEp5vcQUaA+3!|O_Sp&U-QB;4mv#1V%MyD@nLK;A<ZCN%1NlA8ODk$Pp~CL;
z7S`VcD_4;+J{Dx{Y@1Ody{E7K@%J1*TkQ9AKioOne>BVAG|jIq9tVFNYd31{@#|;A
z3yQNN&6bGI67g6fO_qqCwU6U_9X@s5A0l+qbeC(q+Vp$6kH5*jH2t<^XO6QUb)UfA
zV7?S&cTB(Q^k46cuQ2_#WvBQ2dVvPkw!5so5_;j9@j~H!*emDoyCaH)oc<JhWwKqm
zYxasgl?cNLt<VHGtYRpo_9ruiUI~sikD*NKe<M@X;UWj28_}R8A&;W>)*JgIY)NTj
zt|g<y2l=S3kEOeMOX5c*DVYtlBo>6M_><7<-`||heM)i5A15wHG#PJ{Ga;MsauoW~
X_{hSM`A!^xS5kyMizwXx^F96p8SMi;

diff --git a/testing/btest/core/tunnels/false-teredo.zeek b/testing/btest/core/tunnels/false-teredo.zeek
deleted file mode 100644
index 818b543d95..0000000000
--- a/testing/btest/core/tunnels/false-teredo.zeek
+++ /dev/null
@@ -1,47 +0,0 @@
-# @TEST-EXEC: zeek -r $TRACES/tunnels/false-teredo.pcap %INPUT >output
-# @TEST-EXEC: test ! -e weird.log
-# @TEST-EXEC: test ! -e dpd.log
-
-# In the first case, there isn't any weird or protocol violation logged
-# since the teredo analyzer recognizes that the DNS analyzer has confirmed
-# the protocol and yields.
-
-# In the second case, there are weirds since the teredo analyzer decapsulates
-# despite the presence of the confirmed DNS analyzer and the resulting
-# inner packets are malformed (no surprise there).  There's also no dpd.log
-# since the teredo analyzer doesn't confirm until it's seen a valid teredo
-# encapsulation in both directions and protocol violations aren't logged
-# until there's been a confirmation.
-
-# In either case, the analyzer doesn't, by default, get disabled as a result
-# of the protocol violations.
-
-function print_teredo(name: string, outer: connection, inner: teredo_hdr)
-	{
-	print fmt("%s: %s", name, outer$id);
-	print fmt("    ip6: %s", inner$hdr$ip6);
-	if ( inner?$auth )
-		print fmt("    auth: %s", inner$auth);
-	if ( inner?$origin )
-		print fmt("    origin: %s", inner$origin);
-	}
-
-event teredo_packet(outer: connection, inner: teredo_hdr)
-	{
-	print_teredo("packet", outer, inner);
-	}
-
-event teredo_authentication(outer: connection, inner: teredo_hdr)
-	{
-	print_teredo("auth", outer, inner);
-	}
-
-event teredo_origin_indication(outer: connection, inner: teredo_hdr)
-	{
-	print_teredo("origin", outer, inner);
-	}
-
-event teredo_bubble(outer: connection, inner: teredo_hdr)
-	{
-	print_teredo("bubble", outer, inner);
-	}
diff --git a/testing/btest/core/tunnels/teredo-known-services.test b/testing/btest/core/tunnels/teredo-known-services.test
index 8e0a09862b..c5a687527c 100644
--- a/testing/btest/core/tunnels/teredo-known-services.test
+++ b/testing/btest/core/tunnels/teredo-known-services.test
@@ -1,4 +1,4 @@
-# @TEST-EXEC: zeek -b -r $TRACES/tunnels/false-teredo.pcap base/frameworks/dpd base/protocols/tunnels base/protocols/dns protocols/conn/known-services Tunnel::delay_teredo_confirmation=T "Site::local_nets+={192.168.1.0/24}"
+# @TEST-EXEC: zeek -b -r $TRACES/tunnels/Teredo.pcap base/frameworks/dpd base/protocols/tunnels base/protocols/dns protocols/conn/known-services Tunnel::delay_teredo_confirmation=T "Site::local_nets+={192.168.2.0/24}"
 # @TEST-EXEC: btest-diff known_services.log
 
 # Expect known_services.log to NOT indicate any service using teredo.

From 14abfc68315faae7cd00bae3aa12654ad7f0afa0 Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Sun, 7 Nov 2021 16:56:57 -0800
Subject: [PATCH 038/210] removing unused SubNetType class

---
 src/Type.cc | 22 ----------------------
 src/Type.h  | 12 ------------
 2 files changed, 34 deletions(-)

diff --git a/src/Type.cc b/src/Type.cc
index 80a6e9c678..b03e3b8b7d 100644
--- a/src/Type.cc
+++ b/src/Type.cc
@@ -123,18 +123,6 @@ RecordType* Type::AsRecordType()
 	return (RecordType*)this;
 	}
 
-const SubNetType* Type::AsSubNetType() const
-	{
-	CHECK_TYPE_TAG(TYPE_SUBNET, "Type::AsSubNetType");
-	return (const SubNetType*)this;
-	}
-
-SubNetType* Type::AsSubNetType()
-	{
-	CHECK_TYPE_TAG(TYPE_SUBNET, "Type::AsSubNetType");
-	return (SubNetType*)this;
-	}
-
 const FuncType* Type::AsFuncType() const
 	{
 	CHECK_TYPE_TAG(TYPE_FUNC, "Type::AsFuncType");
@@ -1442,16 +1430,6 @@ string RecordType::GetFieldDeprecationWarning(int field, bool has_check) const
 	return "";
 	}
 
-SubNetType::SubNetType() : Type(TYPE_SUBNET) { }
-
-void SubNetType::Describe(ODesc* d) const
-	{
-	if ( d->IsReadable() )
-		d->Add("subnet");
-	else
-		d->Add(int(Tag()));
-	}
-
 FileType::FileType(TypePtr yield_type) : Type(TYPE_FILE), yield(std::move(yield_type)) { }
 
 FileType::~FileType() = default;
diff --git a/src/Type.h b/src/Type.h
index e81ed9eec9..cc6b6c9106 100644
--- a/src/Type.h
+++ b/src/Type.h
@@ -152,7 +152,6 @@ class TypeList;
 class TableType;
 class SetType;
 class RecordType;
-class SubNetType;
 class FuncType;
 class EnumType;
 class VectorType;
@@ -165,7 +164,6 @@ using TypeListPtr = IntrusivePtr<TypeList>;
 using TableTypePtr = IntrusivePtr<TableType>;
 using SetTypePtr = IntrusivePtr<SetType>;
 using RecordTypePtr = IntrusivePtr<RecordType>;
-using SubNetTypePtr = IntrusivePtr<SubNetType>;
 using FuncTypePtr = IntrusivePtr<FuncType>;
 using EnumTypePtr = IntrusivePtr<EnumType>;
 using VectorTypePtr = IntrusivePtr<VectorType>;
@@ -226,9 +224,6 @@ public:
 	const RecordType* AsRecordType() const;
 	RecordType* AsRecordType();
 
-	const SubNetType* AsSubNetType() const;
-	SubNetType* AsSubNetType();
-
 	const FuncType* AsFuncType() const;
 	FuncType* AsFuncType();
 
@@ -700,13 +695,6 @@ protected:
 	type_decl_list* types;
 	};
 
-class SubNetType final : public Type
-	{
-public:
-	SubNetType();
-	void Describe(ODesc* d) const override;
-	};
-
 class FileType final : public Type
 	{
 public:

From bc3bf4ea6ca53024799d2a37deb2f12a841194a9 Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Sun, 7 Nov 2021 16:57:52 -0800
Subject: [PATCH 039/210] factoring out CPPEscape to be a standalone function

---
 src/script_opt/CPP/Util.cc | 56 ++++++++++++++++++++++++++++++++++++++
 src/script_opt/CPP/Util.h  |  8 ++++++
 2 files changed, 64 insertions(+)

diff --git a/src/script_opt/CPP/Util.cc b/src/script_opt/CPP/Util.cc
index c2a6fed195..1c64c9af21 100644
--- a/src/script_opt/CPP/Util.cc
+++ b/src/script_opt/CPP/Util.cc
@@ -75,4 +75,60 @@ void unlock_file(const string& fname, FILE* f)
 		}
 	}
 
+string CPPEscape(const char* b, int len)
+	{
+	string res;
+
+	for ( int i = 0; i < len; ++i )
+		{
+		unsigned char c = b[i];
+
+		switch ( c )
+			{
+			case '\a':
+				res += "\\a";
+				break;
+			case '\b':
+				res += "\\b";
+				break;
+			case '\f':
+				res += "\\f";
+				break;
+			case '\n':
+				res += "\\n";
+				break;
+			case '\r':
+				res += "\\r";
+				break;
+			case '\t':
+				res += "\\t";
+				break;
+			case '\v':
+				res += "\\v";
+				break;
+
+			case '\\':
+				res += "\\\\";
+				break;
+			case '"':
+				res += "\\\"";
+				break;
+
+			default:
+				if ( isprint(c) )
+					res += c;
+				else
+					{
+					char buf[8192];
+					snprintf(buf, sizeof buf, "%03o", c);
+					res += "\\";
+					res += buf;
+					}
+				break;
+			}
+		}
+
+	return res;
+	}
+
 	} // zeek::detail
diff --git a/src/script_opt/CPP/Util.h b/src/script_opt/CPP/Util.h
index 6ea06e6752..23e2533922 100644
--- a/src/script_opt/CPP/Util.h
+++ b/src/script_opt/CPP/Util.h
@@ -36,4 +36,12 @@ extern bool is_CPP_compilable(const ProfileFunc* pf, const char** reason = nullp
 extern void lock_file(const std::string& fname, FILE* f);
 extern void unlock_file(const std::string& fname, FILE* f);
 
+// For the given byte array / string, returns a version expanded
+// with escape sequences in order to represent it as a C++ string.
+extern std::string CPPEscape(const char* b, int len);
+inline std::string CPPEscape(const char* s)
+	{
+	return CPPEscape(s, strlen(s));
+	}
+
 	} // zeek::detail

From e1a760e6747e6b14f5fddaacdf5ecc6b7f3d762b Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Sun, 7 Nov 2021 17:00:19 -0800
Subject: [PATCH 040/210] extensive rewrite of generation & execution of
 run-time initialization

---
 src/CMakeLists.txt                            |   4 +-
 src/script_opt/CPP/Attrs.cc                   | 136 +---
 src/script_opt/CPP/Attrs.h                    |  19 +
 src/script_opt/CPP/Compile.h                  | 687 +++++++++--------
 src/script_opt/CPP/Consts.cc                  | 284 ++-----
 src/script_opt/CPP/DeclFunc.cc                | 271 ++++---
 src/script_opt/CPP/Driver.cc                  | 298 +++++---
 src/script_opt/CPP/Emit.cc                    |  65 +-
 src/script_opt/CPP/Exprs.cc                   |  13 +-
 src/script_opt/CPP/GenFunc.cc                 |  16 +-
 src/script_opt/CPP/HashMgr.cc                 |  21 +-
 src/script_opt/CPP/HashMgr.h                  |   8 +-
 src/script_opt/CPP/Inits.cc                   | 426 ++---------
 src/script_opt/CPP/InitsInfo.cc               | 577 +++++++++++++++
 src/script_opt/CPP/InitsInfo.h                | 693 ++++++++++++++++++
 src/script_opt/CPP/Runtime.h                  |   7 +-
 .../{RuntimeInit.cc => RuntimeInitSupport.cc} |  30 +-
 .../{RuntimeInit.h => RuntimeInitSupport.h}   |   1 +
 src/script_opt/CPP/RuntimeInits.cc            | 528 +++++++++++++
 src/script_opt/CPP/RuntimeInits.h             | 542 ++++++++++++++
 src/script_opt/CPP/Stmts.cc                   |   2 +-
 src/script_opt/CPP/Tracker.cc                 |  14 +-
 src/script_opt/CPP/Tracker.h                  |  21 +-
 src/script_opt/CPP/Types.cc                   | 278 +------
 src/script_opt/CPP/Vars.cc                    |  78 +-
 src/script_opt/ScriptOpt.cc                   |  20 +-
 26 files changed, 3459 insertions(+), 1580 deletions(-)
 create mode 100644 src/script_opt/CPP/Attrs.h
 create mode 100644 src/script_opt/CPP/InitsInfo.cc
 create mode 100644 src/script_opt/CPP/InitsInfo.h
 rename src/script_opt/CPP/{RuntimeInit.cc => RuntimeInitSupport.cc} (89%)
 rename src/script_opt/CPP/{RuntimeInit.h => RuntimeInitSupport.h} (98%)
 create mode 100644 src/script_opt/CPP/RuntimeInits.cc
 create mode 100644 src/script_opt/CPP/RuntimeInits.h

diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index c0f520fbeb..3646f8fa16 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -401,7 +401,9 @@ set(MAIN_SRCS
     script_opt/CPP/GenFunc.cc
     script_opt/CPP/HashMgr.cc
     script_opt/CPP/Inits.cc
-    script_opt/CPP/RuntimeInit.cc
+    script_opt/CPP/InitsInfo.cc
+    script_opt/CPP/RuntimeInits.cc
+    script_opt/CPP/RuntimeInitSupport.cc
     script_opt/CPP/RuntimeOps.cc
     script_opt/CPP/RuntimeVec.cc
     script_opt/CPP/Stmts.cc
diff --git a/src/script_opt/CPP/Attrs.cc b/src/script_opt/CPP/Attrs.cc
index b1d12978ac..6c2594be2d 100644
--- a/src/script_opt/CPP/Attrs.cc
+++ b/src/script_opt/CPP/Attrs.cc
@@ -7,42 +7,53 @@ namespace zeek::detail
 
 using namespace std;
 
-void CPPCompile::RegisterAttributes(const AttributesPtr& attrs)
+shared_ptr<CPP_InitInfo> CPPCompile::RegisterAttributes(const AttributesPtr& attrs)
 	{
-	if ( ! attrs || attributes.HasKey(attrs) )
-		return;
+	if ( ! attrs )
+		return nullptr;
+
+	auto a = attrs.get();
+
+	if ( processed_attrs.count(a) > 0 )
+		return processed_attrs[a];
 
 	attributes.AddKey(attrs);
-	AddInit(attrs);
 
-	auto a_rep = attributes.GetRep(attrs);
-	if ( a_rep != attrs.get() )
+	// The cast is just so we can make an IntrusivePtr.
+	auto a_rep = const_cast<Attributes*>(attributes.GetRep(attrs));
+	if ( a_rep != a )
 		{
-		NoteInitDependency(attrs.get(), a_rep);
-		return;
+		AttributesPtr a_rep_ptr = {NewRef{}, a_rep};
+		processed_attrs[a] = RegisterAttributes(a_rep_ptr);
+		return processed_attrs[a];
 		}
 
 	for ( const auto& a : attrs->GetAttrs() )
-		{
-		const auto& e = a->GetExpr();
-		if ( e )
-			{
-			if ( IsSimpleInitExpr(e) )
-				{
-				// Make sure any dependencies it has get noted.
-				(void)GenExpr(e, GEN_VAL_PTR);
-				continue;
-				}
+		(void)RegisterAttr(a);
 
-			init_exprs.AddKey(e);
-			AddInit(e);
-			NoteInitDependency(attrs, e);
+	shared_ptr<CPP_InitInfo> gi = make_shared<AttrsInfo>(this, attrs);
+	attrs_info->AddInstance(gi);
+	processed_attrs[a] = gi;
 
-			auto e_rep = init_exprs.GetRep(e);
-			if ( e_rep != e.get() )
-				NoteInitDependency(e.get(), e_rep);
-			}
-		}
+	return gi;
+	}
+
+shared_ptr<CPP_InitInfo> CPPCompile::RegisterAttr(const AttrPtr& attr)
+	{
+	auto a = attr.get();
+
+	if ( processed_attr.count(a) > 0 )
+		return processed_attr[a];
+
+	const auto& e = a->GetExpr();
+	if ( e && ! IsSimpleInitExpr(e) )
+		init_exprs.AddKey(e);
+
+	auto gi = make_shared<AttrInfo>(this, attr);
+	attr_info->AddInstance(gi);
+	processed_attr[a] = gi;
+
+	return gi;
 	}
 
 void CPPCompile::BuildAttrs(const AttributesPtr& attrs, string& attr_tags, string& attr_vals)
@@ -72,78 +83,9 @@ void CPPCompile::BuildAttrs(const AttributesPtr& attrs, string& attr_tags, strin
 	attr_vals = string("{") + attr_vals + "}";
 	}
 
-void CPPCompile::GenAttrs(const AttributesPtr& attrs)
+const char* CPPCompile::AttrName(AttrTag t)
 	{
-	NL();
-
-	Emit("AttributesPtr %s", AttrsName(attrs));
-
-	StartBlock();
-
-	const auto& avec = attrs->GetAttrs();
-	Emit("auto attrs = std::vector<AttrPtr>();");
-
-	AddInit(attrs);
-
-	for ( const auto& attr : avec )
-		{
-		const auto& e = attr->GetExpr();
-
-		if ( ! e )
-			{
-			Emit("attrs.emplace_back(make_intrusive<Attr>(%s));", AttrName(attr));
-			continue;
-			}
-
-		NoteInitDependency(attrs, e);
-		AddInit(e);
-
-		string e_arg;
-		if ( IsSimpleInitExpr(e) )
-			e_arg = GenAttrExpr(e);
-		else
-			e_arg = InitExprName(e);
-
-		Emit("attrs.emplace_back(make_intrusive<Attr>(%s, %s));", AttrName(attr), e_arg);
-		}
-
-	Emit("return make_intrusive<Attributes>(attrs, nullptr, true, false);");
-
-	EndBlock();
-	}
-
-string CPPCompile::GenAttrExpr(const ExprPtr& e)
-	{
-	switch ( e->Tag() )
-		{
-		case EXPR_CONST:
-			return string("make_intrusive<ConstExpr>(") + GenExpr(e, GEN_VAL_PTR) + ")";
-
-		case EXPR_NAME:
-			NoteInitDependency(e, e->AsNameExpr()->IdPtr());
-			return string("make_intrusive<NameExpr>(") + globals[e->AsNameExpr()->Id()->Name()] +
-			       ")";
-
-		case EXPR_RECORD_COERCE:
-			NoteInitDependency(e, TypeRep(e->GetType()));
-			return string("make_intrusive<RecordCoerceExpr>(make_intrusive<RecordConstructorExpr>("
-			              "make_intrusive<ListExpr>()), cast_intrusive<RecordType>(") +
-			       GenTypeName(e->GetType()) + "))";
-
-		default:
-			reporter->InternalError("bad expr tag in CPPCompile::GenAttrs");
-			return "###";
-		}
-	}
-
-string CPPCompile::AttrsName(const AttributesPtr& a)
-	{
-	return attributes.KeyName(a) + "()";
-	}
-
-const char* CPPCompile::AttrName(const AttrPtr& attr)
-	{
-	switch ( attr->Tag() )
+	switch ( t )
 		{
 		case ATTR_OPTIONAL:
 			return "ATTR_OPTIONAL";
diff --git a/src/script_opt/CPP/Attrs.h b/src/script_opt/CPP/Attrs.h
new file mode 100644
index 0000000000..8a399341e7
--- /dev/null
+++ b/src/script_opt/CPP/Attrs.h
@@ -0,0 +1,19 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+// Definitions associated with type attributes.
+
+#pragma once
+
+namespace zeek::detail
+	{
+
+enum AttrExprType
+	{
+	AE_NONE, // attribute doesn't have an expression
+	AE_CONST, // easy expression - a constant (ConstExpr)
+	AE_NAME, // easy - a global (NameExpr)
+	AE_RECORD, // an empty record cast to a given type
+	AE_CALL, // everything else - requires a lambda, essentially
+	};
+
+	} // zeek::detail
diff --git a/src/script_opt/CPP/Compile.h b/src/script_opt/CPP/Compile.h
index 5331d2a9a6..7974c9206a 100644
--- a/src/script_opt/CPP/Compile.h
+++ b/src/script_opt/CPP/Compile.h
@@ -5,18 +5,20 @@
 #include "zeek/Desc.h"
 #include "zeek/script_opt/CPP/Func.h"
 #include "zeek/script_opt/CPP/HashMgr.h"
+#include "zeek/script_opt/CPP/InitsInfo.h"
 #include "zeek/script_opt/CPP/Tracker.h"
 #include "zeek/script_opt/CPP/Util.h"
 #include "zeek/script_opt/ScriptOpt.h"
 
 // We structure the compiler for generating C++ versions of Zeek script
-// bodies as a single large class.  While we divide the compiler's
+// bodies maily as a single large class.  While we divide the compiler's
 // functionality into a number of groups (see below), these interact with
 // one another, and in particular with various member variables, enough
 // so that it's not clear there's benefit to further splitting the
 // functionality into multiple classes.  (Some splitting has already been
 // done for more self-contained functionality, resulting in the CPPTracker
-// and CPPHashManager classes.)
+// and CPPHashManager classes, and initialization information in
+// InitsInfo.{h,cc} and RuntimeInits.{h,cc}.)
 //
 // Most aspects of translating to C++ have a straightforward nature.
 // We can turn many Zeek script statements directly into the C++ that's
@@ -45,26 +47,6 @@
 // all of the scripts loaded in "bare" mode, plus those for foo.zeek; and
 // without the "-b" for all of the default scripts plus those in foo.zeek.
 //
-// One of the design goals employed is to support "incremental" compilation,
-// i.e., compiling *additional* Zeek scripts at a later point after an
-// initial compilation.  This comes in two forms.
-//
-// "-O update-C++" produces C++ code that extends that already compiled,
-// in a manner where subsequent compilations can leverage both the original
-// and the newly added.  Such compilations *must* be done in a consistent
-// context (for example, any types extended in the original are extended in
-// the same manner - plus then perhaps further extensions - in the updated
-// code).
-//
-// "-O add-C++" instead produces C++ code that (1) will not be leveraged in
-// any subsequent compilations, and (2) can be inconsistent with other
-// "-O add-C++" code added in the future.  The main use of this feature is
-// to support compiling polyglot versions of Zeek scripts used to run
-// the test suite.
-//
-// Zeek invocations specifying "-O use-C++" will activate any code compiled
-// into the zeek binary; otherwise, the code lies dormant.
-//
 // "-O report-C++" reports on which compiled functions will/won't be used
 // (including ones that are available but not relevant to the scripts loaded
 // on the command line).  This can be useful when debugging to make sure
@@ -104,29 +86,41 @@
 //
 //	Emit		Low-level code generation.
 //
-// Of these, Inits is probably the most subtle.  It turns out to be
-// very tricky ensuring that we create run-time variables in the
-// proper order.  For example, a global might need a record type to be
-// defined; one of the record's fields is a table; that table contains
-// another record; one of that other record's fields is the original
-// record (recursion); another field has an &default expression that
-// requires the compiler to generate a helper function to construct
-// the expression dynamically; and that helper function might in turn
-// refer to other types that require initialization.
+// Of these, Inits is the most subtle and complex.  There are two major
+// challenges in creating run-time values (such as Zeek types and constants).
 //
-// To deal with these dependencies, for every run-time object the compiler
-// maintains (1) all of the other run-time objects on which its initialization
-// depends, and (2) the C++ statements needed to initialize it, once those
-// other objects have been initialized.  It then beings initialization with
-// objects that have no dependencies, marks those as done (essentially), finds
-// objects that now can be initialized and emits their initializations,
-// marks those as done, etc.
+// First, generating individual code for creating each of these winds up
+// incurring unacceptable compile times (for example, clang compiling all
+// of the base scripts with optimization takes many hours on a high-end
+// laptop).  As a result, we employ a table-driven approach that compiles
+// much faster (though still taking many minutes on the same high-end laptop,
+// running about 40x faster however).
 //
-// Below in declaring the CPPCompiler class, we group methods in accordance
-// with those listed above.  We also locate member variables with the group
-// most relevant for their usage.  However, keep in mind that many member
-// variables are used by multiple groups, which is why we haven't created
-// distinct per-group classes.
+// Second, initializations frequently rely upon *other* initializations
+// having occurred first.  For example, a global might need a record type
+// to be defined; one of the record's fields is a table; that table contains
+// another record; one of that other record's fields is the original record
+// (recursion); another field has an &default expression that requires the
+// compiler to generate a helper function to construct the expression
+// dynamically; and that helper function might in turn refer to other types
+// that require initialization.  What's required is a framework for ensuring
+// that everything occurs in the proper order.
+//
+// The logic for dealing with these complexities is isolated into several
+// sets of classes.  InitsInfo.{h,cc} provides the classes related to tracking
+// how to generate initializations in the proper order.  RuntimeInits.{h,cc}
+// provides the classes used when initialization generated code in order
+// to instantiate all of the necessary values.  See those files for discussions
+// on how they address the points framed above.
+//
+// In declaring the CPPCompiler class, we group methods in accordance with
+// those listed above, locating member variables with the group most relevant
+// for their usage.  However, keep in mind that many member variables are
+// used by multiple groups, which is why we haven't created distinct
+// per-group classes.  In addition, we make a number of methods public
+// in order to avoid the need for numerous "friend" declarations to allow
+// associated classes (like those for initialization) access to a the
+// necessary compiler methods.
 
 namespace zeek::detail
 	{
@@ -135,10 +129,124 @@ class CPPCompile
 	{
 public:
 	CPPCompile(std::vector<FuncInfo>& _funcs, ProfileFuncs& pfs, const std::string& gen_name,
-	           const std::string& addl_name, CPPHashManager& _hm, bool _update, bool _standalone,
+	           const std::string& addl_name, CPPHashManager& _hm, bool _standalone,
 	           bool report_uncompilable);
 	~CPPCompile();
 
+	// Constructing a CPPCompile object does all of the compilation.
+	// The public methods here are for use by helper classes.
+
+	// Tracks the given type (with support methods for ones that
+	// are complicated), recursively including its sub-types, and
+	// creating initializations for constructing C++ variables
+	// representing the types.
+	//
+	// Returns the initialization info associated with the type.
+	std::shared_ptr<CPP_InitInfo> RegisterType(const TypePtr& t);
+
+	// Easy access to the global offset and the initialization
+	// cohort associated with a given type.
+	int TypeOffset(const TypePtr& t) { return GI_Offset(RegisterType(t)); }
+	int TypeCohort(const TypePtr& t) { return GI_Cohort(RegisterType(t)); }
+
+	// Tracks a Zeek ValPtr used as a constant value.  These occur
+	// in two contexts: directly as constant expressions, and indirectly
+	// as elements within aggregate constants (such as in vector
+	// initializers).
+	//
+	// Returns the associated initialization info.  In addition,
+	// consts_offset returns an offset into an initialization-time
+	// global that tracks all constructed globals, providing
+	// general access to them for aggregate constants.
+	std::shared_ptr<CPP_InitInfo> RegisterConstant(const ValPtr& vp, int& consts_offset);
+
+	// Tracks a global to generate the necessary initialization.
+	// Returns the associated initialization info.
+	std::shared_ptr<CPP_InitInfo> RegisterGlobal(const ID* g);
+
+	// Tracks a use of the given set of attributes, including
+	// initialization dependencies and the generation of any
+	// associated expressions.
+	//
+	// Returns the initialization info associated with the set of
+	// attributes.
+	std::shared_ptr<CPP_InitInfo> RegisterAttributes(const AttributesPtr& attrs);
+
+	// Convenient access to the global offset associated with
+	// a set of Attributes.
+	int AttributesOffset(const AttributesPtr& attrs)
+		{
+		return GI_Offset(RegisterAttributes(attrs));
+		}
+
+	// The same, for a single attribute.
+	std::shared_ptr<CPP_InitInfo> RegisterAttr(const AttrPtr& attr);
+	int AttrOffset(const AttrPtr& attr) { return GI_Offset(RegisterAttr(attr)); }
+
+	// Returns a mapping of from Attr objects to their associated
+	// initialization information.  The Attr must have previously
+	// been registered.
+	auto ProcessedAttr() { return processed_attr; }
+
+	// True if the given expression is simple enough that we can
+	// generate code to evaluate it directly, and don't need to
+	// create a separate function per RegisterInitExpr() to track it.
+	static bool IsSimpleInitExpr(const ExprPtr& e);
+
+	// Tracks expressions used in attributes (such as &default=<expr>).
+	//
+	// We need to generate code to evaluate these, via CallExpr's
+	// that invoke functions that return the value of the expression.
+	// However, we can't generate that code when first encountering
+	// the attribute, because doing so will need to refer to the names
+	// of types, and initially those are unavailable (because the type's
+	// representatives, per pfs.RepTypes(), might not have yet been
+	// tracked).  So instead we track the associated CallExprInitInfo
+	// objects, and after all types have been tracked, then spin
+	// through them to generate the code.
+	//
+	// Returns the associated initialization information.
+	std::shared_ptr<CPP_InitInfo> RegisterInitExpr(const ExprPtr& e);
+
+	// Tracks a C++ string value needed for initialization.  Returns
+	// an offset into the global vector that will hold these.
+	int TrackString(std::string s)
+		{
+		if ( tracked_strings.count(s) == 0 )
+			{
+			tracked_strings[s] = ordered_tracked_strings.size();
+			ordered_tracked_strings.emplace_back(s);
+			}
+
+		return tracked_strings[s];
+		}
+
+	// Tracks a profile hash value needed for initialization.  Returns
+	// an offset into the global vector that will hold these.
+	int TrackHash(p_hash_type h)
+		{
+		if ( tracked_hashes.count(h) == 0 )
+			{
+			tracked_hashes[h] = ordered_tracked_hashes.size();
+			ordered_tracked_hashes.emplace_back(h);
+			}
+
+		return tracked_hashes[h];
+		}
+
+	// Returns the hash associated with a given function body.
+	// It's a fatal error to call this for a body that hasn't
+	// been compiled.
+	p_hash_type BodyHash(const Stmt* body);
+
+	// Returns true if at least one of the function bodies associated
+	// with the function/hook/event handler of the given fname is
+	// not compilable.
+	bool NotFullyCompilable(const std::string& fname) const
+		{
+		return not_fully_compilable.count(fname) > 0;
+		}
+
 private:
 	// Start of methods related to driving the overall compilation
 	// process.
@@ -148,6 +256,37 @@ private:
 	// Main driver, invoked by constructor.
 	void Compile(bool report_uncompilable);
 
+	// The following methods all create objects that track the
+	// initializations of a given type of value.  In each, "tag"
+	// is the name used to identify the initializer global
+	// associated with the given type of value, and "type" is
+	// its C++ representation.  Often "tag" is concatenated with
+	// "type" to designate a specific C++ type.  For example,
+	// "tag" might be "Double" and "type" might be "ValPtr";
+	// the resulting global's type is "DoubleValPtr".
+
+	// Creates an object for tracking values associated with Zeek
+	// constants.  "c_type" is the C++ type used in the initializer
+	// for each object; or, if empty, it specifies that we represent
+	// the value using an index into a separate vector that holds
+	// the constant.
+	std::shared_ptr<CPP_InitsInfo> CreateConstInitInfo(const char* tag, const char* type,
+	                                                   const char* c_type);
+
+	// Creates an object for tracking compound initializers, which
+	// are whose initialization uses indexes into other vectors.
+	std::shared_ptr<CPP_InitsInfo> CreateCompoundInitInfo(const char* tag, const char* type);
+
+	// Creates an object for tracking initializers that have custom
+	// C++ objects to hold their initialization information.
+	std::shared_ptr<CPP_InitsInfo> CreateCustomInitInfo(const char* tag, const char* type);
+
+	// Generates the declaration associated with a set of initializations
+	// and tracks the object to facilitate looping over all so
+	// initializations.  As a convenience, returns the object.
+	std::shared_ptr<CPP_InitsInfo> RegisterInitInfo(const char* tag, const char* type,
+	                                                std::shared_ptr<CPP_InitsInfo> gi);
+
 	// Generate the beginning of the compiled code: run-time functions,
 	// namespace, auxiliary globals.
 	void GenProlog();
@@ -158,7 +297,7 @@ private:
 	void RegisterCompiledBody(const std::string& f);
 
 	// After compilation, generate the final code.  Most of this is
-	// run-time initialization of various dynamic values.
+	// in support of run-time initialization of various dynamic values.
 	void GenEpilog();
 
 	// True if the given function (plus body and profile) is one
@@ -185,9 +324,13 @@ private:
 	// it including some functionality we don't currently support
 	// for compilation.
 	//
-	// Indexed by the name of the function.
+	// Indexed by the C++ name of the function.
 	std::unordered_set<std::string> compilable_funcs;
 
+	// Tracks which functions/hooks/events have at least one non-compilable
+	// body.  Indexed by the Zeek name of function.
+	std::unordered_set<std::string> not_fully_compilable;
+
 	// Maps functions (not hooks or events) to upstream compiled names.
 	std::unordered_map<std::string, std::string> hashed_funcs;
 
@@ -200,10 +343,6 @@ private:
 	// compilation units.
 	int addl_tag = 0;
 
-	// If true, then we're updating the C++ base (i.e., generating
-	// code meant for use by subsequently generated code).
-	bool update = false;
-
 	// If true, the generated code should run "standalone".
 	bool standalone = false;
 
@@ -211,7 +350,7 @@ private:
 	// needed for "seatbelts", to ensure that we can produce a
 	// unique hash relating to this compilation (*and* its
 	// compilation time, which is why these are "seatbelts" and
-	// likely not important to make distinct.
+	// likely not important to make distinct).
 	p_hash_type total_hash = 0;
 
 	// Working directory in which we're compiling.  Used to quasi-locate
@@ -236,11 +375,6 @@ private:
 	// track it as such.
 	void CreateGlobal(const ID* g);
 
-	// For the globals used in the compilation, if new then append
-	// them to the hash file to make the information available
-	// to subsequent compilation runs.
-	void UpdateGlobalHashes();
-
 	// Register the given identifier as a BiF.  If is_var is true
 	// then the BiF is also used in a non-call context.
 	void AddBiF(const ID* b, bool is_var);
@@ -258,10 +392,9 @@ private:
 
 	// The following match various forms of identifiers to the
 	// name used for their C++ equivalent.
-	const char* IDName(const ID& id) { return IDName(&id); }
 	const char* IDName(const IDPtr& id) { return IDName(id.get()); }
 	const char* IDName(const ID* id) { return IDNameStr(id).c_str(); }
-	const std::string& IDNameStr(const ID* id) const;
+	const std::string& IDNameStr(const ID* id);
 
 	// Returns a canonicalized version of a variant of a global made
 	// distinct by the given suffix.
@@ -280,12 +413,20 @@ private:
 	// conflict with C++ keywords.
 	std::string Canonicalize(const char* name) const;
 
+	// Returns the name of the global corresponding to an expression
+	// (which must be a EXPR_NAME).
+	std::string GlobalName(const ExprPtr& e) { return globals[e->AsNameExpr()->Id()->Name()]; }
+
 	// Maps global names (not identifiers) to the names we use for them.
 	std::unordered_map<std::string, std::string> globals;
 
 	// Similar for locals, for the function currently being compiled.
 	std::unordered_map<const ID*, std::string> locals;
 
+	// Retrieves the initialization information associated with the
+	// given global.
+	std::unordered_map<const ID*, std::shared_ptr<CPP_InitInfo>> global_gis;
+
 	// Maps event names to the names we use for them.
 	std::unordered_map<std::string, std::string> events;
 
@@ -307,14 +448,37 @@ private:
 	// Similar, but for lambdas.
 	void DeclareLambda(const LambdaExpr* l, const ProfileFunc* pf);
 
-	// Declares the CPPStmt subclass used for compiling the given
+	// Generates code to declare the compiled version of a script
 	// function.  "ft" gives the functions type, "pf" its profile,
 	// "fname" its C++ name, "body" its AST, "l" if non-nil its
 	// corresponding lambda expression, and "flavor" whether it's
 	// a hook/event/function.
+	//
+	// We use two basic approaches.  Most functions are represented
+	// by a "CPPDynStmt" object that's parameterized by a void* pointer
+	// to the underlying C++ function and an index used to dynamically
+	// cast the pointer to having the correct type for then calling it.
+	// Lambdas, however (including "implicit" lambdas used to associate
+	// complex expressions with &attributes), each have a unique
+	// subclass derived from CPPStmt that calls the underlying C++
+	// function without requiring a cast, and that holds the values
+	// of the lambda's captures.
+	//
+	// It would be cleanest to use the latter approach for all functions,
+	// but the hundreds/thousands of additional classes required for
+	// doing so significantly slows down C++ compilation, so we instead
+	// opt for the uglier dynamic casting approach, which only requires
+	// one additional class.
+	void CreateFunction(const FuncTypePtr& ft, const ProfileFunc* pf, const std::string& fname,
+	                    const StmtPtr& body, int priority, const LambdaExpr* l,
+	                    FunctionFlavor flavor);
+
+	// Used for the case of creating a custom subclass of CPPStmt.
 	void DeclareSubclass(const FuncTypePtr& ft, const ProfileFunc* pf, const std::string& fname,
-	                     const StmtPtr& body, int priority, const LambdaExpr* l,
-	                     FunctionFlavor flavor);
+	                     const std::string& args, const IDPList* lambda_ids);
+
+	// Used for the case of employing an instance of a CPPDynStmt object.
+	void DeclareDynCPPStmt();
 
 	// Generates the declarations (and in-line definitions) associated
 	// with compiling a lambda.
@@ -331,11 +495,40 @@ private:
 	// the given type, lambda captures (if non-nil), and profile.
 	std::string ParamDecl(const FuncTypePtr& ft, const IDPList* lambda_ids, const ProfileFunc* pf);
 
+	// Returns in p_types the types associated with the parameters for a function
+	// of the given type, set of lambda captures (if any), and profile.
+	void GatherParamTypes(std::vector<std::string>& p_types, const FuncTypePtr& ft,
+	                      const IDPList* lambda_ids, const ProfileFunc* pf);
+
+	// Same, but instead returns the parameter's names.
+	void GatherParamNames(std::vector<std::string>& p_names, const FuncTypePtr& ft,
+	                      const IDPList* lambda_ids, const ProfileFunc* pf);
+
 	// Inspects the given profile to find the i'th parameter (starting
 	// at 0).  Returns nil if the profile indicates that that parameter
 	// is not used by the function.
 	const ID* FindParam(int i, const ProfileFunc* pf);
 
+	// Information associated with a CPPDynStmt dynamic dispatch.
+	struct DispatchInfo
+		{
+		std::string cast; // C++ cast to use for function pointer
+		std::string args; // arguments to pass to the function
+		bool is_hook; // whether the function is a hook
+		TypePtr yield; // what type the function returns, if any
+		};
+
+	// An array of cast/invocation pairs used to generate the CPPDynStmt
+	// Exec method.
+	std::vector<DispatchInfo> func_casting_glue;
+
+	// Maps casting strings to indices into func_casting_glue.  The index
+	// is what's used to dynamically switch to the right dispatch.
+	std::unordered_map<std::string, int> casting_index;
+
+	// Maps functions (using their C++ name) to their casting strings.
+	std::unordered_map<std::string, std::string> func_index;
+
 	// Names for lambda capture ID's.  These require a separate space
 	// that incorporates the lambda's name, to deal with nested lambda's
 	// that refer to the identifiers with the same name.
@@ -344,7 +537,7 @@ private:
 	// The function's parameters.  Tracked so we don't re-declare them.
 	std::unordered_set<const ID*> params;
 
-	// Whether we're parsing a hook.
+	// Whether we're compiling a hook.
 	bool in_hook = false;
 
 	//
@@ -362,8 +555,12 @@ private:
 	void CompileLambda(const LambdaExpr* l, const ProfileFunc* pf);
 
 	// Generates the body of the Invoke() method (which supplies the
-	// "glue" between for calling the C++-generated code).
-	void GenInvokeBody(const std::string& fname, const TypePtr& t, const std::string& args);
+	// "glue" for calling the C++-generated code, for CPPStmt subclasses).
+	void GenInvokeBody(const std::string& fname, const TypePtr& t, const std::string& args)
+		{
+		GenInvokeBody(fname + "(" + args + ")", t);
+		}
+	void GenInvokeBody(const std::string& call, const TypePtr& t);
 
 	// Generates the code for the body of a script function with
 	// the given type, profile, C++ name, AST, lambda captures
@@ -405,9 +602,6 @@ private:
 	// Maps function bodies to the names we use for them.
 	std::unordered_map<const Stmt*, std::string> body_names;
 
-	// Reverse mapping.
-	std::unordered_map<std::string, const Stmt*> names_to_bodies;
-
 	// Maps function names to hashes of bodies.
 	std::unordered_map<std::string, p_hash_type> body_hashes;
 
@@ -426,62 +620,84 @@ private:
 	//
 	// End of methods related to generating compiled script bodies.
 
-	// Start of methods related to generating code for representing
-	// script constants as run-time values.
-	// See Consts.cc for definitions.
-	//
+	// Methods related to generating code for representing script constants
+	// as run-time values.  There's only one nontrivial one of these,
+	// RegisterConstant() (declared above, as it's public).  All the other
+	// work is done by secondary objects - see InitsInfo.{h,cc} for those.
 
-	// Returns an instantiation of a constant - either as a native
-	// C++ constant, or as a C++ variable that will be bound to
-	// a Zeek value at run-time initialization - that is needed
-	// by the given "parent" object (which acquires an initialization
-	// dependency, if a C++ variable is needed).
-	std::string BuildConstant(IntrusivePtr<Obj> parent, const ValPtr& vp)
-		{
-		return BuildConstant(parent.get(), vp);
-		}
-	std::string BuildConstant(const Obj* parent, const ValPtr& vp);
+	// Returns the object used to track indices (vectors of integers
+	// that are used to index various other vectors, including other
+	// indices).  Only used by CPP_InitsInfo objects, but stored
+	// in the CPPCompile object to make it available across different
+	// CPP_InitsInfo objects.
 
-	// Called to create a constant appropriate for the given expression
-	// or, more directly, the given value.  The second method returns
-	// "true" if a C++ variable needed to be created to construct the
-	// constant at run-time initialization, false if can be instantiated
-	// directly as a C++ constant.
-	void AddConstant(const ConstExpr* c);
-	bool AddConstant(const ValPtr& v);
-
-	// Build particular types of C++ variables (with the given name)
-	// to hold constants initialized at run-time.
-	void AddStringConstant(const ValPtr& v, std::string& const_name);
-	void AddPatternConstant(const ValPtr& v, std::string& const_name);
-	void AddListConstant(const ValPtr& v, std::string& const_name);
-	void AddRecordConstant(const ValPtr& v, std::string& const_name);
-	void AddTableConstant(const ValPtr& v, std::string& const_name);
-	void AddVectorConstant(const ValPtr& v, std::string& const_name);
+	friend class CPP_InitsInfo;
+	IndicesManager& IndMgr() { return indices_mgr; }
 
 	// Maps (non-native) constants to associated C++ globals.
 	std::unordered_map<const ConstExpr*, std::string> const_exprs;
 
-	// Maps the values of (non-native) constants to associated C++ globals.
-	std::unordered_map<const Val*, std::string> const_vals;
+	// Maps the values of (non-native) constants to associated initializer
+	// information.
+	std::unordered_map<const Val*, std::shared_ptr<CPP_InitInfo>> const_vals;
+
+	// Same, but for the offset into the vector that tracks all constants
+	// collectively (to support initialization of compound constants).
+	std::unordered_map<const Val*, int> const_offsets;
+
+	// The same as the above pair, but indexed by the string representation
+	// rather than the Val*.  The reason for having both is to enable
+	// reusing common constants even though their Val*'s differ.
+	std::unordered_map<std::string, std::shared_ptr<CPP_InitInfo>> constants;
+	std::unordered_map<std::string, int> constants_offsets;
 
 	// Used for memory management associated with const_vals's index.
 	std::vector<ValPtr> cv_indices;
 
-	// Maps string representations of (non-native) constants to
-	// associated C++ globals.
-	std::unordered_map<std::string, std::string> constants;
+	// For different types of constants (as indicated by TypeTag),
+	// provides the associated object that manages the initializers
+	// for those constants.
+	std::unordered_map<TypeTag, std::shared_ptr<CPP_InitsInfo>> const_info;
 
-	// Maps the same representations to the Val* associated with their
-	// original creation.  This enables us to construct initialization
-	// dependencies for later Val*'s that are able to reuse the same
-	// constant.
-	std::unordered_map<std::string, const Val*> constants_to_vals;
+	// Tracks entries for constructing the vector of all constants
+	// (regardless of type).  Each entry provides a TypeTag, used
+	// to identify the type-specific vector for a given constant,
+	// and the offset into that vector.
+	std::vector<std::pair<TypeTag, int>> consts;
 
-	// Function variables that we need to create dynamically for
-	// initializing globals, coupled with the name of their associated
-	// constant.
-	std::unordered_map<FuncVal*, std::string> func_vars;
+	// The following objects track initialization information for
+	// different types of initializers: Zeek types, individual
+	// attributes, sets of attributes, expressions that call script
+	// functions (for attribute expressions), registering lambda
+	// bodies, and registering Zeek globals.
+	std::shared_ptr<CPP_InitsInfo> type_info;
+	std::shared_ptr<CPP_InitsInfo> attr_info;
+	std::shared_ptr<CPP_InitsInfo> attrs_info;
+	std::shared_ptr<CPP_InitsInfo> call_exprs_info;
+	std::shared_ptr<CPP_InitsInfo> lambda_reg_info;
+	std::shared_ptr<CPP_InitsInfo> global_id_info;
+
+	// Tracks all of the above objects (as well as each entry in
+	// const_info), to facilitate easy iterating over them.
+	std::set<std::shared_ptr<CPP_InitsInfo>> all_global_info;
+
+	// Tracks the attribute expressions for which we need to generate
+	// function calls to evaluate them.
+	std::unordered_map<std::string, std::shared_ptr<CallExprInitInfo>> init_infos;
+
+	// See IndMgr() above for the role of this variable.
+	IndicesManager indices_mgr;
+
+	// Maps strings to associated offsets.
+	std::unordered_map<std::string, int> tracked_strings;
+
+	// Tracks strings we've registered in order (corresponding to
+	// their offsets).
+	std::vector<std::string> ordered_tracked_strings;
+
+	// The same as the previous two, but for profile hashes.
+	std::vector<p_hash_type> ordered_tracked_hashes;
+	std::unordered_map<p_hash_type, int> tracked_hashes;
 
 	//
 	// End of methods related to generating code for script constants.
@@ -649,9 +865,9 @@ private:
 	// not the outer map).
 	int num_rf_mappings = 0;
 
-	// For each entry in "field_mapping", the record and TypeDecl
-	// associated with the mapping.
-	std::vector<std::pair<const RecordType*, const TypeDecl*>> field_decls;
+	// For each entry in "field_mapping", the record (as a global
+	// offset) and TypeDecl associated with the mapping.
+	std::vector<std::pair<int, const TypeDecl*>> field_decls;
 
 	// For enums that are extended via redef's, maps each distinct
 	// value (that the compiled scripts refer to) to locations in the
@@ -665,9 +881,9 @@ private:
 	// not the outer map).
 	int num_ev_mappings = 0;
 
-	// For each entry in "enum_mapping", the record and name
-	// associated with the mapping.
-	std::vector<std::pair<const EnumType*, std::string>> enum_names;
+	// For each entry in "enum_mapping", the EnumType (as a global
+	// offset) and name associated with the mapping.
+	std::vector<std::pair<int, std::string>> enum_names;
 
 	//
 	// End of methods related to generating code for AST Expr's.
@@ -690,24 +906,6 @@ private:
 	// given script type 't', converts it as needed to the given GenType.
 	std::string GenericValPtrToGT(const std::string& expr, const TypePtr& t, GenType gt);
 
-	// For a given type, generates the code necessary to initialize
-	// it at run time.  The term "expand" in the method's name refers
-	// to the fact that the type has already been previously declared
-	// (necessary to facilitate defining recursive types), so this method
-	// generates the "meat" of the type but not its original declaration.
-	void ExpandTypeVar(const TypePtr& t);
-
-	// Methods for expanding specific such types.  "tn" is the name
-	// of the C++ variable used for the particular type.
-	void ExpandListTypeVar(const TypePtr& t, std::string& tn);
-	void ExpandRecordTypeVar(const TypePtr& t, std::string& tn);
-	void ExpandEnumTypeVar(const TypePtr& t, std::string& tn);
-	void ExpandTableTypeVar(const TypePtr& t, std::string& tn);
-	void ExpandFuncTypeVar(const TypePtr& t, std::string& tn);
-
-	// The following assumes we're populating a type_decl_list called "tl".
-	std::string GenTypeDecl(const TypeDecl* td);
-
 	// Returns the name of a C++ variable that will hold a TypePtr
 	// of the appropriate flavor.  't' does not need to be a type
 	// representative.
@@ -721,21 +919,11 @@ private:
 	const Type* TypeRep(const TypePtr& t) { return TypeRep(t.get()); }
 
 	// Low-level C++ representations for types, of various flavors.
-	const char* TypeTagName(TypeTag tag) const;
+	static const char* TypeTagName(TypeTag tag);
 	const char* TypeName(const TypePtr& t);
 	const char* FullTypeName(const TypePtr& t);
 	const char* TypeType(const TypePtr& t);
 
-	// Track the given type (with support methods for onces that
-	// are complicated), recursively including its sub-types, and
-	// creating initializations (and dependencies) for constructing
-	// C++ variables representing the types.
-	void RegisterType(const TypePtr& t);
-	void RegisterListType(const TypePtr& t);
-	void RegisterTableType(const TypePtr& t);
-	void RegisterRecordType(const TypePtr& t);
-	void RegisterFuncType(const TypePtr& t);
-
 	// Access to a type's underlying values.
 	const char* NativeAccessor(const TypePtr& t);
 
@@ -744,11 +932,13 @@ private:
 	const char* IntrusiveVal(const TypePtr& t);
 
 	// Maps types to indices in the global "types__CPP" array.
-	CPPTracker<Type> types = {"types", &compiled_items};
+	CPPTracker<Type> types = {"types", true, &compiled_items};
 
 	// Used to prevent analysis of mutually-referring types from
-	// leading to infinite recursion.
-	std::unordered_set<const Type*> processed_types;
+	// leading to infinite recursion.  Maps types to their global
+	// initialization information (or, initially, to nullptr, if
+	// they're in the process of being registered).
+	std::unordered_map<const Type*, std::shared_ptr<CPP_InitInfo>> processed_types;
 
 	//
 	// End of methods related to managing script types.
@@ -758,11 +948,6 @@ private:
 	// See Attrs.cc for definitions.
 	//
 
-	// Tracks a use of the given set of attributes, including
-	// initialization dependencies and the generation of any
-	// associated expressions.
-	void RegisterAttributes(const AttributesPtr& attrs);
-
 	// Populates the 2nd and 3rd arguments with C++ representations
 	// of the tags and (optional) values/expressions associated with
 	// the set of attributes.
@@ -772,16 +957,17 @@ private:
 	void GenAttrs(const AttributesPtr& attrs);
 	std::string GenAttrExpr(const ExprPtr& e);
 
-	// Returns the name of the C++ variable that will hold the given
-	// attributes at run-time.
-	std::string AttrsName(const AttributesPtr& attrs);
-
 	// Returns a string representation of the name associated with
-	// different attributes (e.g., "ATTR_DEFAULT").
-	const char* AttrName(const AttrPtr& attr);
+	// different attribute tags (e.g., "ATTR_DEFAULT").
+	static const char* AttrName(AttrTag t);
 
 	// Similar for attributes, so we can reconstruct record types.
-	CPPTracker<Attributes> attributes = {"attrs", &compiled_items};
+	CPPTracker<Attributes> attributes = {"attrs", false, &compiled_items};
+
+	// Maps Attributes and Attr's to their global initialization
+	// information.
+	std::unordered_map<const Attributes*, std::shared_ptr<CPP_InitInfo>> processed_attrs;
+	std::unordered_map<const Attr*, std::shared_ptr<CPP_InitInfo>> processed_attr;
 
 	//
 	// End of methods related to managing script type attributes.
@@ -790,121 +976,42 @@ private:
 	// See Inits.cc for definitions.
 	//
 
-	// Generates code to construct a CallExpr that can be used to
-	// evaluate the expression 'e' as an initializer (typically
-	// for a record &default attribute).
-	void GenInitExpr(const ExprPtr& e);
-
-	// True if the given expression is simple enough that we can
-	// generate code to evaluate it directly, and don't need to
-	// create a separate function per GenInitExpr().
-	bool IsSimpleInitExpr(const ExprPtr& e) const;
+	// Generates code for dynamically generating an expression
+	// associated with an attribute, via a function call.
+	void GenInitExpr(std::shared_ptr<CallExprInitInfo> ce_init);
 
 	// Returns the name of a function used to evaluate an
 	// initialization expression.
 	std::string InitExprName(const ExprPtr& e);
 
-	// Generates code to initializes the global 'g' (with C++ name "gl")
-	// to the given value *if* on start-up it doesn't already have a value.
-	void GenGlobalInit(const ID* g, std::string& gl, const ValPtr& v);
-
-	// Generates code to initialize all of the function-valued globals
-	// (i.e., those pointing to lambdas).
-	void GenFuncVarInits();
-
-	// Generates the "pre-initialization" for a given type.  For
-	// extensible types (records, enums, lists), these are empty
-	// versions that we'll later populate.
-	void GenPreInit(const Type* t);
-
-	// Generates a function that executes the pre-initializations.
-	void GenPreInits();
-
-	// The following all track that for a given object, code associated
-	// with initializing it.  Multiple calls for the same object append
-	// additional lines of code (the order of the calls is preserved).
-	//
-	// Versions with "lhs" and "rhs" arguments provide an initialization
-	// of the form "lhs = rhs;", as a convenience.
-	void AddInit(const IntrusivePtr<Obj>& o, const std::string& lhs, const std::string& rhs)
+	// Convenience functions for return the offset or initialization cohort
+	// associated with an initialization.
+	int GI_Offset(const std::shared_ptr<CPP_InitInfo>& gi) const { return gi ? gi->Offset() : -1; }
+	int GI_Cohort(const std::shared_ptr<CPP_InitInfo>& gi) const
 		{
-		AddInit(o.get(), lhs + " = " + rhs + ";");
-		}
-	void AddInit(const Obj* o, const std::string& lhs, const std::string& rhs)
-		{
-		AddInit(o, lhs + " = " + rhs + ";");
-		}
-	void AddInit(const IntrusivePtr<Obj>& o, const std::string& init) { AddInit(o.get(), init); }
-	void AddInit(const Obj* o, const std::string& init);
-
-	// We do consistency checking of initialization dependencies by
-	// looking for depended-on objects have initializations.  Sometimes
-	// it's unclear whether the object will actually require
-	// initialization, in which case we add an empty initialization
-	// for it so that the consistency-checking is happy.
-	void AddInit(const IntrusivePtr<Obj>& o) { AddInit(o.get()); }
-	void AddInit(const Obj* o);
-
-	// This is akin to an initialization, but done separately
-	// (upon "activation") so it can include initializations that
-	// rely on parsing having finished (in particular, BiFs having
-	// been registered).  Only used when generating  standalone code.
-	void AddActivation(std::string a) { activations.emplace_back(a); }
-
-	// Records the fact that the initialization of object o1 depends
-	// on that of object o2.
-	void NoteInitDependency(const IntrusivePtr<Obj>& o1, const IntrusivePtr<Obj>& o2)
-		{
-		NoteInitDependency(o1.get(), o2.get());
-		}
-	void NoteInitDependency(const IntrusivePtr<Obj>& o1, const Obj* o2)
-		{
-		NoteInitDependency(o1.get(), o2);
-		}
-	void NoteInitDependency(const Obj* o1, const IntrusivePtr<Obj>& o2)
-		{
-		NoteInitDependency(o1, o2.get());
-		}
-	void NoteInitDependency(const Obj* o1, const Obj* o2);
-
-	// Records an initialization dependency of the given object
-	// on the given type, unless the type is a record.  We need
-	// this notion to protect against circular dependencies in
-	// the face of recursive records.
-	void NoteNonRecordInitDependency(const Obj* o, const TypePtr& t)
-		{
-		if ( t && t->Tag() != TYPE_RECORD )
-			NoteInitDependency(o, TypeRep(t));
-		}
-	void NoteNonRecordInitDependency(const IntrusivePtr<Obj> o, const TypePtr& t)
-		{
-		NoteNonRecordInitDependency(o.get(), t);
+		return gi ? gi->InitCohort() : 0;
 		}
 
-	// Analyzes the initialization dependencies to ensure that they're
-	// consistent, i.e., every object that either depends on another,
-	// or is itself depended on, appears in the "to_do" set.
-	void CheckInitConsistency(std::unordered_set<const Obj*>& to_do);
-
-	// Generate initializations for the items in the "to_do" set,
-	// in accordance with their dependencies.  Returns 'n', the
-	// number of initialization functions generated.  They should
-	// be called in order, from 1 to n.
-	int GenDependentInits(std::unordered_set<const Obj*>& to_do);
-
-	// Generates a function for initializing the nc'th cohort.
-	void GenInitCohort(int nc, std::unordered_set<const Obj*>& cohort);
-
-	// Initialize the mappings for record field offsets for field
-	// accesses into regions of records that can be extensible (and
-	// thus can vary at run-time to the offsets encountered during
-	// compilation).
+	// Generate code to initialize the mappings for record field
+	// offsets for field accesses into regions of records that
+	// can be extensible (and thus can vary at run-time to the
+	// offsets encountered during compilation).
 	void InitializeFieldMappings();
 
-	// Same, but for enum types.  The second form does a single
-	// initialization corresponding to the given index in the mapping.
+	// Same, but for enum types.
 	void InitializeEnumMappings();
-	void InitializeEnumMappings(const EnumType* et, const std::string& e_name, int index);
+
+	// Generate code to initialize BiFs.
+	void InitializeBiFs();
+
+	// Generate code to initialize strings that we track.
+	void InitializeStrings();
+
+	// Generate code to initialize hashes that we track.
+	void InitializeHashes();
+
+	// Generate code to initialize indirect references to constants.
+	void InitializeConsts();
 
 	// Generate the initialization hook for this set of compiled code.
 	void GenInitHook();
@@ -917,25 +1024,15 @@ private:
 	// what we compiled.
 	void GenLoad();
 
-	// A list of pre-initializations (those potentially required by
-	// other initializations, and that themselves have no dependencies).
-	std::vector<std::string> pre_inits;
-
-	// A list of "activations" (essentially, post-initializations).
-	// See AddActivation() above.
-	std::vector<std::string> activations;
+	// A list of BiFs to look up during initialization.  First
+	// string is the name of the C++ global holding the BiF, the
+	// second is its name as known to Zeek.
+	std::unordered_map<std::string, std::string> BiFs;
 
 	// Expressions for which we need to generate initialization-time
 	// code.  Currently, these are only expressions appearing in
 	// attributes.
-	CPPTracker<Expr> init_exprs = {"gen_init_expr", &compiled_items};
-
-	// Maps an object requiring initialization to its initializers.
-	std::unordered_map<const Obj*, std::vector<std::string>> obj_inits;
-
-	// Maps an object requiring initializations to its dependencies
-	// on other such objects.
-	std::unordered_map<const Obj*, std::unordered_set<const Obj*>> obj_deps;
+	CPPTracker<Expr> init_exprs = {"gen_init_expr", false, &compiled_items};
 
 	//
 	// End of methods related to run-time initialization.
@@ -944,12 +1041,20 @@ private:
 	// See Emit.cc for definitions.
 	//
 
+	// The following all need to be able to emit code.
+	friend class CPP_BasicConstInitsInfo;
+	friend class CPP_CompoundInitsInfo;
+	friend class IndicesManager;
+
 	// Used to create (indented) C++ {...} code blocks.  "needs_semi"
 	// controls whether to terminate the block with a ';' (such as
 	// for class definitions.
 	void StartBlock();
 	void EndBlock(bool needs_semi = false);
 
+	void IndentUp() { ++block_level; }
+	void IndentDown() { --block_level; }
+
 	// Various ways of generating code.  The multi-argument methods
 	// assume that the first argument is a printf-style format
 	// (but one that can only have %s specifiers).
@@ -960,11 +1065,12 @@ private:
 		NL();
 		}
 
-	void Emit(const std::string& fmt, const std::string& arg) const
+	void Emit(const std::string& fmt, const std::string& arg, bool do_NL = true) const
 		{
 		Indent();
 		fprintf(write_file, fmt.c_str(), arg.c_str());
-		NL();
+		if ( do_NL )
+			NL();
 		}
 
 	void Emit(const std::string& fmt, const std::string& arg1, const std::string& arg2) const
@@ -999,14 +1105,15 @@ private:
 		NL();
 		}
 
-	// Returns an expression for constructing a Zeek String object
-	// corresponding to the given byte array.
-	std::string GenString(const char* b, int len) const;
-
-	// For the given byte array / string, returns a version expanded
-	// with escape sequences in order to represent it as a C++ string.
-	std::string CPPEscape(const char* b, int len) const;
-	std::string CPPEscape(const char* s) const { return CPPEscape(s, strlen(s)); }
+	void Emit(const std::string& fmt, const std::string& arg1, const std::string& arg2,
+	          const std::string& arg3, const std::string& arg4, const std::string& arg5,
+	          const std::string& arg6) const
+		{
+		Indent();
+		fprintf(write_file, fmt.c_str(), arg1.c_str(), arg2.c_str(), arg3.c_str(), arg4.c_str(),
+		        arg5.c_str(), arg6.c_str());
+		NL();
+		}
 
 	void NL() const { fputc('\n', write_file); }
 
diff --git a/src/script_opt/CPP/Consts.cc b/src/script_opt/CPP/Consts.cc
index c21a1db9b8..30b758df99 100644
--- a/src/script_opt/CPP/Consts.cc
+++ b/src/script_opt/CPP/Consts.cc
@@ -4,55 +4,26 @@
 #include "zeek/RE.h"
 #include "zeek/script_opt/CPP/Compile.h"
 
+using namespace std;
+
 namespace zeek::detail
 	{
 
-using namespace std;
-
-string CPPCompile::BuildConstant(const Obj* parent, const ValPtr& vp)
+shared_ptr<CPP_InitInfo> CPPCompile::RegisterConstant(const ValPtr& vp, int& consts_offset)
 	{
-	if ( ! vp )
-		return "nullptr";
+	// Make sure the value pointer, which might be transient
+	// in construction, sticks around so we can track its
+	// value.
+	cv_indices.push_back(vp);
 
-	if ( AddConstant(vp) )
-		{
-		auto v = vp.get();
-		AddInit(parent);
-		NoteInitDependency(parent, v);
-
-		// Make sure the value pointer, which might be transient
-		// in construction, sticks around so we can track its
-		// value.
-		cv_indices.push_back(vp);
-
-		return const_vals[v];
-		}
-	else
-		return NativeToGT(GenVal(vp), vp->GetType(), GEN_VAL_PTR);
-	}
-
-void CPPCompile::AddConstant(const ConstExpr* c)
-	{
-	auto v = c->ValuePtr();
-
-	if ( AddConstant(v) )
-		{
-		AddInit(c);
-		NoteInitDependency(c, v.get());
-		}
-	}
-
-bool CPPCompile::AddConstant(const ValPtr& vp)
-	{
 	auto v = vp.get();
 
-	if ( IsNativeType(v->GetType()) )
-		// These we instantiate directly.
-		return false;
-
 	if ( const_vals.count(v) > 0 )
+		{
 		// Already did this one.
-		return true;
+		consts_offset = const_offsets[v];
+		return const_vals[v];
+		}
 
 	// Formulate a key that's unique per distinct constant.
 
@@ -82,213 +53,100 @@ bool CPPCompile::AddConstant(const ValPtr& vp)
 	if ( constants.count(c_desc) > 0 )
 		{
 		const_vals[v] = constants[c_desc];
-
-		auto orig_v = constants_to_vals[c_desc];
-		ASSERT(v != orig_v);
-		AddInit(v);
-		NoteInitDependency(v, orig_v);
-
-		return true;
+		consts_offset = const_offsets[v] = constants_offsets[c_desc];
+		return const_vals[v];
 		}
 
-	// Need a C++ global for this constant.
-	auto const_name = string("CPP__const__") + Fmt(int(constants.size()));
-
-	const_vals[v] = constants[c_desc] = const_name;
-	constants_to_vals[c_desc] = v;
-
 	auto tag = t->Tag();
+	auto const_name = const_info[tag]->NextName();
+	shared_ptr<CPP_InitInfo> gi;
 
 	switch ( tag )
 		{
-		case TYPE_STRING:
-			AddStringConstant(vp, const_name);
+		case TYPE_BOOL:
+			gi = make_shared<BasicConstInfo>(vp->AsBool() ? "true" : "false");
 			break;
 
-		case TYPE_PATTERN:
-			AddPatternConstant(vp, const_name);
+		case TYPE_INT:
+			gi = make_shared<BasicConstInfo>(to_string(vp->AsInt()));
 			break;
 
-		case TYPE_LIST:
-			AddListConstant(vp, const_name);
+		case TYPE_COUNT:
+			gi = make_shared<BasicConstInfo>(to_string(vp->AsCount()) + "ULL");
 			break;
 
-		case TYPE_RECORD:
-			AddRecordConstant(vp, const_name);
+		case TYPE_DOUBLE:
+			gi = make_shared<BasicConstInfo>(to_string(vp->AsDouble()));
 			break;
 
-		case TYPE_TABLE:
-			AddTableConstant(vp, const_name);
+		case TYPE_TIME:
+			gi = make_shared<BasicConstInfo>(to_string(vp->AsDouble()));
 			break;
 
-		case TYPE_VECTOR:
-			AddVectorConstant(vp, const_name);
+		case TYPE_INTERVAL:
+			gi = make_shared<BasicConstInfo>(to_string(vp->AsDouble()));
 			break;
 
 		case TYPE_ADDR:
-		case TYPE_SUBNET:
-			{
-			auto prefix = (tag == TYPE_ADDR) ? "Addr" : "SubNet";
-
-			Emit("%sValPtr %s;", prefix, const_name);
-
-			ODesc d;
-			v->Describe(&d);
-
-			AddInit(v, const_name,
-			        string("make_intrusive<") + prefix + "Val>(\"" + d.Description() + "\")");
-			}
+			gi = make_shared<DescConstInfo>(this, vp);
 			break;
 
-		case TYPE_FUNC:
-			Emit("FuncValPtr %s;", const_name);
+		case TYPE_SUBNET:
+			gi = make_shared<DescConstInfo>(this, vp);
+			break;
 
-			// We can't generate the initialization now because it
-			// depends on first having compiled the associated body,
-			// so we know its hash.  So for now we just note it
-			// to deal with later.
-			func_vars[v->AsFuncVal()] = const_name;
+		case TYPE_ENUM:
+			gi = make_shared<EnumConstInfo>(this, vp);
+			break;
+
+		case TYPE_STRING:
+			gi = make_shared<StringConstInfo>(this, vp);
+			break;
+
+		case TYPE_PATTERN:
+			gi = make_shared<PatternConstInfo>(this, vp);
+			break;
+
+		case TYPE_PORT:
+			gi = make_shared<PortConstInfo>(vp);
+			break;
+
+		case TYPE_LIST:
+			gi = make_shared<ListConstInfo>(this, vp);
+			break;
+
+		case TYPE_VECTOR:
+			gi = make_shared<VectorConstInfo>(this, vp);
+			break;
+
+		case TYPE_RECORD:
+			gi = make_shared<RecordConstInfo>(this, vp);
+			break;
+
+		case TYPE_TABLE:
+			gi = make_shared<TableConstInfo>(this, vp);
 			break;
 
 		case TYPE_FILE:
-			{
-			Emit("FileValPtr %s;", const_name);
+			gi = make_shared<FileConstInfo>(this, vp);
+			break;
 
-			auto f = cast_intrusive<FileVal>(vp)->Get();
-
-			AddInit(v, const_name,
-			        string("make_intrusive<FileVal>(") + "make_intrusive<File>(\"" + f->Name() +
-			            "\", \"w\"))");
-			}
+		case TYPE_FUNC:
+			gi = make_shared<FuncConstInfo>(this, vp);
 			break;
 
 		default:
 			reporter->InternalError("bad constant type in CPPCompile::AddConstant");
+			break;
 		}
 
-	return true;
-	}
+	const_info[tag]->AddInstance(gi);
+	const_vals[v] = constants[c_desc] = gi;
 
-void CPPCompile::AddStringConstant(const ValPtr& v, string& const_name)
-	{
-	Emit("StringValPtr %s;", const_name);
+	consts_offset = const_offsets[v] = constants_offsets[c_desc] = consts.size();
+	consts.emplace_back(pair(tag, gi->Offset()));
 
-	auto s = v->AsString();
-	const char* b = (const char*)(s->Bytes());
-	auto len = s->Len();
-
-	AddInit(v, const_name, GenString(b, len));
-	}
-
-void CPPCompile::AddPatternConstant(const ValPtr& v, string& const_name)
-	{
-	Emit("PatternValPtr %s;", const_name);
-
-	auto re = v->AsPatternVal()->Get();
-
-	AddInit(v, string("{ auto re = new RE_Matcher(") + CPPEscape(re->OrigText()) + ");");
-
-	if ( re->IsCaseInsensitive() )
-		AddInit(v, "re->MakeCaseInsensitive();");
-
-	AddInit(v, "re->Compile();");
-	AddInit(v, const_name, "make_intrusive<PatternVal>(re)");
-	AddInit(v, "}");
-	}
-
-void CPPCompile::AddListConstant(const ValPtr& v, string& const_name)
-	{
-	Emit("ListValPtr %s;", const_name);
-
-	// No initialization dependency on the main type since we don't
-	// use the underlying TypeList.  However, we *do* use the types of
-	// the elements.
-
-	AddInit(v, const_name, string("make_intrusive<ListVal>(TYPE_ANY)"));
-
-	auto lv = cast_intrusive<ListVal>(v);
-	auto n = lv->Length();
-
-	for ( auto i = 0; i < n; ++i )
-		{
-		const auto& l_i = lv->Idx(i);
-		auto l_i_c = BuildConstant(v, l_i);
-		AddInit(v, const_name + "->Append(" + l_i_c + ");");
-		NoteInitDependency(v, TypeRep(l_i->GetType()));
-		}
-	}
-
-void CPPCompile::AddRecordConstant(const ValPtr& v, string& const_name)
-	{
-	const auto& t = v->GetType();
-
-	Emit("RecordValPtr %s;", const_name);
-
-	NoteInitDependency(v, TypeRep(t));
-
-	AddInit(v, const_name,
-	        string("make_intrusive<RecordVal>(") + "cast_intrusive<RecordType>(" + GenTypeName(t) +
-	            "))");
-
-	auto r = cast_intrusive<RecordVal>(v);
-	auto n = r->NumFields();
-
-	for ( auto i = 0u; i < n; ++i )
-		{
-		const auto& r_i = r->GetField(i);
-
-		if ( r_i )
-			{
-			auto r_i_c = BuildConstant(v, r_i);
-			AddInit(v, const_name + "->Assign(" + Fmt(static_cast<int>(i)) + ", " + r_i_c + ");");
-			}
-		}
-	}
-
-void CPPCompile::AddTableConstant(const ValPtr& v, string& const_name)
-	{
-	const auto& t = v->GetType();
-
-	Emit("TableValPtr %s;", const_name);
-
-	NoteInitDependency(v, TypeRep(t));
-
-	AddInit(v, const_name,
-	        string("make_intrusive<TableVal>(") + "cast_intrusive<TableType>(" + GenTypeName(t) +
-	            "))");
-
-	auto tv = cast_intrusive<TableVal>(v);
-	auto tv_map = tv->ToMap();
-
-	for ( auto& tv_i : tv_map )
-		{
-		auto ind = BuildConstant(v, tv_i.first);
-		auto val = BuildConstant(v, tv_i.second);
-		AddInit(v, const_name + "->Assign(" + ind + ", " + val + ");");
-		}
-	}
-
-void CPPCompile::AddVectorConstant(const ValPtr& v, string& const_name)
-	{
-	const auto& t = v->GetType();
-
-	Emit("VectorValPtr %s;", const_name);
-
-	NoteInitDependency(v, TypeRep(t));
-
-	AddInit(v, const_name,
-	        string("make_intrusive<VectorVal>(") + "cast_intrusive<VectorType>(" + GenTypeName(t) +
-	            "))");
-
-	auto vv = cast_intrusive<VectorVal>(v);
-	auto n = vv->Size();
-
-	for ( auto i = 0u; i < n; ++i )
-		{
-		const auto& v_i = vv->ValAt(i);
-		auto v_i_c = BuildConstant(v, v_i);
-		AddInit(v, const_name + "->Append(" + v_i_c + ");");
-		}
+	return gi;
 	}
 
 	} // zeek::detail
diff --git a/src/script_opt/CPP/DeclFunc.cc b/src/script_opt/CPP/DeclFunc.cc
index dbca009052..0d9117d2d8 100644
--- a/src/script_opt/CPP/DeclFunc.cc
+++ b/src/script_opt/CPP/DeclFunc.cc
@@ -22,7 +22,7 @@ void CPPCompile::DeclareFunc(const FuncInfo& func)
 	const auto& body = func.Body();
 	auto priority = func.Priority();
 
-	DeclareSubclass(f->GetType(), pf, fname, body, priority, nullptr, f->Flavor());
+	CreateFunction(f->GetType(), pf, fname, body, priority, nullptr, f->Flavor());
 
 	if ( f->GetBodies().size() == 1 )
 		compiled_simple_funcs[f->Name()] = fname;
@@ -40,17 +40,88 @@ void CPPCompile::DeclareLambda(const LambdaExpr* l, const ProfileFunc* pf)
 	for ( auto id : ids )
 		lambda_names[id] = LocalName(id);
 
-	DeclareSubclass(l_id->GetType<FuncType>(), pf, lname, body, 0, l, FUNC_FLAVOR_FUNCTION);
+	CreateFunction(l_id->GetType<FuncType>(), pf, lname, body, 0, l, FUNC_FLAVOR_FUNCTION);
 	}
 
-void CPPCompile::DeclareSubclass(const FuncTypePtr& ft, const ProfileFunc* pf, const string& fname,
-                                 const StmtPtr& body, int priority, const LambdaExpr* l,
-                                 FunctionFlavor flavor)
+void CPPCompile::CreateFunction(const FuncTypePtr& ft, const ProfileFunc* pf, const string& fname,
+                                const StmtPtr& body, int priority, const LambdaExpr* l,
+                                FunctionFlavor flavor)
 	{
 	const auto& yt = ft->Yield();
 	in_hook = flavor == FUNC_FLAVOR_HOOK;
 	const IDPList* lambda_ids = l ? &l->OuterIDs() : nullptr;
 
+	string args = BindArgs(ft, lambda_ids);
+
+	auto yt_decl = in_hook ? "bool" : FullTypeName(yt);
+
+	vector<string> p_types;
+	GatherParamTypes(p_types, ft, lambda_ids, pf);
+
+	string cast = string(yt_decl) + "(*)(";
+	for ( auto& pt : p_types )
+		cast += pt + ", ";
+	cast += string("Frame*)");
+
+	// We need to distinguish between hooks and non-hooks that happen
+	// to have matching type signatures.  They'll be equivalent if they
+	// have identical cast's.  To keep them separate, we cheat and
+	// make hook casts different, string-wise, without altering their
+	// semantics.
+	if ( in_hook )
+		cast += " ";
+
+	func_index[fname] = cast;
+
+	if ( casting_index.count(cast) == 0 )
+		{
+		casting_index[cast] = func_casting_glue.size();
+
+		DispatchInfo di;
+		di.cast = cast;
+		di.args = args;
+		di.is_hook = in_hook;
+		di.yield = yt;
+
+		func_casting_glue.emplace_back(di);
+		}
+
+	if ( lambda_ids )
+		{
+		DeclareSubclass(ft, pf, fname, args, lambda_ids);
+		BuildLambda(ft, pf, fname, body, l, lambda_ids);
+		EndBlock(true);
+		}
+	else
+		{
+		Emit("static %s %s(%s);", yt_decl, fname, ParamDecl(ft, lambda_ids, pf));
+
+		// Track this function as known to have been compiled.
+		// We don't track lambda bodies as compiled because they
+		// can't be instantiated directly without also supplying
+		// the captures.  In principle we could make an exception
+		// for lambdas that don't take any arguments, but that
+		// seems potentially more confusing than beneficial.
+		compiled_funcs.emplace(fname);
+
+		auto loc_f = script_specific_filename(body);
+		cf_locs[fname] = loc_f;
+		}
+
+	auto h = pf->HashVal();
+
+	body_hashes[fname] = h;
+	body_priorities[fname] = priority;
+	body_names.emplace(body.get(), fname);
+
+	total_hash = merge_p_hashes(total_hash, h);
+	}
+
+void CPPCompile::DeclareSubclass(const FuncTypePtr& ft, const ProfileFunc* pf, const string& fname,
+                                 const string& args, const IDPList* lambda_ids)
+	{
+	const auto& yt = ft->Yield();
+
 	auto yt_decl = in_hook ? "bool" : FullTypeName(yt);
 
 	NL();
@@ -76,8 +147,7 @@ void CPPCompile::DeclareSubclass(const FuncTypePtr& ft, const ProfileFunc* pf, c
 			}
 		}
 
-	Emit("%s_cl(const char* name%s) : CPPStmt(name)%s { }", fname, addl_args.c_str(),
-	     inits.c_str());
+	Emit("%s_cl(const char* name%s) : CPPStmt(name)%s { }", fname, addl_args, inits);
 
 	// An additional constructor just used to generate place-holder
 	// instances, due to the mis-design that lambdas are identified
@@ -92,7 +162,7 @@ void CPPCompile::DeclareSubclass(const FuncTypePtr& ft, const ProfileFunc* pf, c
 
 	if ( in_hook )
 		{
-		Emit("if ( ! %s(%s) )", fname, BindArgs(ft, lambda_ids));
+		Emit("if ( ! %s(%s) )", fname, args);
 		StartBlock();
 		Emit("flow = FLOW_BREAK;");
 		EndBlock();
@@ -100,42 +170,36 @@ void CPPCompile::DeclareSubclass(const FuncTypePtr& ft, const ProfileFunc* pf, c
 		}
 
 	else if ( IsNativeType(yt) )
-		GenInvokeBody(fname, yt, BindArgs(ft, lambda_ids));
+		GenInvokeBody(fname, yt, args);
 
 	else
-		Emit("return %s(%s);", fname, BindArgs(ft, lambda_ids));
+		Emit("return %s(%s);", fname, args);
 
 	EndBlock();
+	}
 
-	if ( lambda_ids )
-		BuildLambda(ft, pf, fname, body, l, lambda_ids);
-	else
-		{
-		// Track this function as known to have been compiled.
-		// We don't track lambda bodies as compiled because they
-		// can't be instantiated directly without also supplying
-		// the captures.  In principle we could make an exception
-		// for lambdas that don't take any arguments, but that
-		// seems potentially more confusing than beneficial.
-		compiled_funcs.emplace(fname);
-
-		auto loc_f = script_specific_filename(body);
-		cf_locs[fname] = loc_f;
-
-		// Some guidance for those looking through the generated code.
-		Emit("// compiled body for: %s", loc_f);
-		}
-
-	EndBlock(true);
-
-	auto h = pf->HashVal();
-
-	body_hashes[fname] = h;
-	body_priorities[fname] = priority;
-	body_names.emplace(body.get(), fname);
-	names_to_bodies.emplace(fname, body.get());
-
-	total_hash = merge_p_hashes(total_hash, h);
+void CPPCompile::DeclareDynCPPStmt()
+	{
+	Emit("// A version of CPPStmt that manages a function pointer and");
+	Emit("// dynamically casts it to a given type to call it via Exec().");
+	Emit("// We will later generate a custom Exec method to support this");
+	Emit("// dispatch.  All of this is ugly, and only needed because clang");
+	Emit("// goes nuts (super slow) in the face of thousands of templates");
+	Emit("// in a given context (initializers, or a function body).");
+	Emit("class CPPDynStmt : public CPPStmt");
+	Emit("\t{");
+	Emit("public:");
+	Emit("\tCPPDynStmt(const char* _name, void* _func, int _type_signature) : CPPStmt(_name), "
+	     "func(_func), type_signature(_type_signature) { }");
+	Emit("\tValPtr Exec(Frame* f, StmtFlowType& flow) override final;");
+	Emit("private:");
+	Emit("\t// The function to call in Exec().");
+	Emit("\tvoid* func;");
+	Emit("\t// Used via a switch in the dynamically-generated Exec() method");
+	Emit("\t// to cast func to the write type, and to call it with the");
+	Emit("\t// right arguments pulled out of the frame.");
+	Emit("\tint type_signature;");
+	Emit("\t};");
 	}
 
 void CPPCompile::BuildLambda(const FuncTypePtr& ft, const ProfileFunc* pf, const string& fname,
@@ -146,28 +210,17 @@ void CPPCompile::BuildLambda(const FuncTypePtr& ft, const ProfileFunc* pf, const
 		{
 		auto name = lambda_names[id];
 		auto tn = FullTypeName(id->GetType());
-		Emit("%s %s;", tn, name.c_str());
+		Emit("%s %s;", tn, name);
 		}
 
 	// Generate initialization to create and register the lambda.
-	auto literal_name = string("\"") + l->Name() + "\"";
-	auto instantiate = string("make_intrusive<") + fname + "_cl>(" + literal_name + ")";
+	auto h = pf->HashVal();
+	auto nl = lambda_ids->length();
+	bool has_captures = nl > 0;
 
-	int nl = lambda_ids->length();
-	auto h = Fmt(pf->HashVal());
-	auto has_captures = nl > 0 ? "true" : "false";
-	auto l_init = string("register_lambda__CPP(") + instantiate + ", " + h + ", \"" + l->Name() +
-	              "\", " + GenTypeName(ft) + ", " + has_captures + ");";
-
-	AddInit(l, l_init);
-	NoteInitDependency(l, TypeRep(ft));
-
-	// Make the lambda's body's initialization depend on the lambda's
-	// initialization.  That way GenFuncVarInits() can generate
-	// initializations with the assurance that the associated body
-	// hashes will have been registered.
-	AddInit(body.get());
-	NoteInitDependency(body.get(), l);
+	auto gi = make_shared<LambdaRegistrationInfo>(this, l->Name(), ft, fname + "_cl", h,
+	                                              has_captures);
+	lambda_reg_info->AddInstance(gi);
 
 	// Generate method to extract the lambda captures from a deserialized
 	// Frame object.
@@ -237,17 +290,71 @@ string CPPCompile::BindArgs(const FuncTypePtr& ft, const IDPList* lambda_ids)
 string CPPCompile::ParamDecl(const FuncTypePtr& ft, const IDPList* lambda_ids,
                              const ProfileFunc* pf)
 	{
-	const auto& params = ft->Params();
-	int n = params->NumFields();
+	vector<string> p_types;
+	vector<string> p_names;
+
+	GatherParamTypes(p_types, ft, lambda_ids, pf);
+	GatherParamNames(p_names, ft, lambda_ids, pf);
+
+	ASSERT(p_types.size() == p_names.size());
 
 	string decl;
 
+	for ( auto i = 0U; i < p_types.size(); ++i )
+		decl += p_types[i] + " " + p_names[i] + ", ";
+
+	// Add in the declaration of the frame.
+	return decl + "Frame* f__CPP";
+	}
+
+void CPPCompile::GatherParamTypes(vector<string>& p_types, const FuncTypePtr& ft,
+                                  const IDPList* lambda_ids, const ProfileFunc* pf)
+	{
+	const auto& params = ft->Params();
+	int n = params->NumFields();
+
 	for ( auto i = 0; i < n; ++i )
 		{
 		const auto& t = params->GetFieldType(i);
 		auto tn = FullTypeName(t);
 		auto param_id = FindParam(i, pf);
-		string fn;
+
+		if ( IsNativeType(t) )
+			// Native types are always pass-by-value.
+			p_types.emplace_back(tn);
+		else
+			{
+			if ( param_id && pf->Assignees().count(param_id) > 0 )
+				// We modify the parameter.
+				p_types.emplace_back(tn);
+			else
+				// Not modified, so pass by const reference.
+				p_types.emplace_back(string("const ") + tn + "&");
+			}
+		}
+
+	if ( lambda_ids )
+		// Add the captures as additional parameters.
+		for ( auto& id : *lambda_ids )
+			{
+			const auto& t = id->GetType();
+			auto tn = FullTypeName(t);
+
+			// Allow the captures to be modified.
+			p_types.emplace_back(string(tn) + "& ");
+			}
+	}
+
+void CPPCompile::GatherParamNames(vector<string>& p_names, const FuncTypePtr& ft,
+                                  const IDPList* lambda_ids, const ProfileFunc* pf)
+	{
+	const auto& params = ft->Params();
+	int n = params->NumFields();
+
+	for ( auto i = 0; i < n; ++i )
+		{
+		const auto& t = params->GetFieldType(i);
+		auto param_id = FindParam(i, pf);
 
 		if ( param_id )
 			{
@@ -255,50 +362,22 @@ string CPPCompile::ParamDecl(const FuncTypePtr& ft, const IDPList* lambda_ids,
 				// We'll need to translate the parameter
 				// from its current representation to
 				// type "any".
-				fn = string("any_param__CPP_") + Fmt(i);
+				p_names.emplace_back(string("any_param__CPP_") + Fmt(i));
 			else
-				fn = LocalName(param_id);
+				p_names.emplace_back(LocalName(param_id));
 			}
 		else
-			// Parameters that are unused don't wind up
-			// in the ProfileFunc.  Rather than dig their
-			// name out of the function's declaration, we
-			// explicitly name them to reflect that they're
-			// unused.
-			fn = string("unused_param__CPP_") + Fmt(i);
-
-		if ( IsNativeType(t) )
-			// Native types are always pass-by-value.
-			decl = decl + tn + " " + fn;
-		else
-			{
-			if ( param_id && pf->Assignees().count(param_id) > 0 )
-				// We modify the parameter.
-				decl = decl + tn + " " + fn;
-			else
-				// Not modified, so pass by const reference.
-				decl = decl + "const " + tn + "& " + fn;
-			}
-
-		decl += ", ";
+			// Parameters that are unused don't wind up in the
+			//  ProfileFunc.  Rather than dig their name out of
+			// the function's declaration, we explicitly name
+			// them to reflect that they're unused.
+			p_names.emplace_back(string("unused_param__CPP_") + Fmt(i));
 		}
 
 	if ( lambda_ids )
-		{
 		// Add the captures as additional parameters.
 		for ( auto& id : *lambda_ids )
-			{
-			auto name = lambda_names[id];
-			const auto& t = id->GetType();
-			auto tn = FullTypeName(t);
-
-			// Allow the captures to be modified.
-			decl = decl + tn + "& " + name + ", ";
-			}
-		}
-
-	// Add in the declaration of the frame.
-	return decl + "Frame* f__CPP";
+			p_names.emplace_back(lambda_names[id]);
 	}
 
 const ID* CPPCompile::FindParam(int i, const ProfileFunc* pf)
diff --git a/src/script_opt/CPP/Driver.cc b/src/script_opt/CPP/Driver.cc
index ccaa0a0190..7e446a302f 100644
--- a/src/script_opt/CPP/Driver.cc
+++ b/src/script_opt/CPP/Driver.cc
@@ -12,14 +12,13 @@ namespace zeek::detail
 using namespace std;
 
 CPPCompile::CPPCompile(vector<FuncInfo>& _funcs, ProfileFuncs& _pfs, const string& gen_name,
-                       const string& _addl_name, CPPHashManager& _hm, bool _update,
-                       bool _standalone, bool report_uncompilable)
-	: funcs(_funcs), pfs(_pfs), hm(_hm), update(_update), standalone(_standalone)
+                       const string& _addl_name, CPPHashManager& _hm, bool _standalone,
+                       bool report_uncompilable)
+	: funcs(_funcs), pfs(_pfs), hm(_hm), standalone(_standalone)
 	{
 	addl_name = _addl_name;
-	bool is_addl = hm.IsAppend();
-	auto target_name = is_addl ? addl_name.c_str() : gen_name.c_str();
-	auto mode = is_addl ? "a" : "w";
+	auto target_name = gen_name.c_str();
+	auto mode = "w";
 
 	write_file = fopen(target_name, mode);
 	if ( ! write_file )
@@ -27,30 +26,6 @@ CPPCompile::CPPCompile(vector<FuncInfo>& _funcs, ProfileFuncs& _pfs, const strin
 		reporter->Error("can't open C++ target file %s", target_name);
 		exit(1);
 		}
-
-	if ( is_addl )
-		{
-		// We need a unique number to associate with the name
-		// space for the code we're adding.  A convenient way to
-		// generate this safely is to use the present size of the
-		// file we're appending to.  That guarantees that every
-		// incremental compilation will wind up with a different
-		// number.
-		struct stat st;
-		if ( fstat(fileno(write_file), &st) != 0 )
-			{
-			char buf[256];
-			util::zeek_strerror_r(errno, buf, sizeof(buf));
-			reporter->Error("fstat failed on %s: %s", target_name, buf);
-			exit(1);
-			}
-
-		// We use a value of "0" to mean "we're not appending,
-		// we're generating from scratch", so make sure we're
-		// distinct from that.
-		addl_tag = st.st_size + 1;
-		}
-
 	else
 		{
 		// Create an empty "additional" file.
@@ -83,10 +58,6 @@ void CPPCompile::Compile(bool report_uncompilable)
 
 	working_dir = buf;
 
-	if ( update && addl_tag > 0 && CheckForCollisions() )
-		// Inconsistent compilation environment.
-		exit(1);
-
 	GenProlog();
 
 	// Determine which functions we can call directly, and reuse
@@ -100,9 +71,13 @@ void CPPCompile::Compile(bool report_uncompilable)
 		const char* reason;
 		if ( IsCompilable(func, &reason) )
 			compilable_funcs.insert(BodyName(func));
-		else if ( reason && report_uncompilable )
-			fprintf(stderr, "%s cannot be compiled to C++ due to %s\n", func.Func()->Name(),
-			        reason);
+		else
+			{
+			if ( reason && report_uncompilable )
+				fprintf(stderr, "%s cannot be compiled to C++ due to %s\n", func.Func()->Name(),
+				        reason);
+			not_fully_compilable.insert(func.Func()->Name());
+			}
 
 		auto h = func.Profile()->HashVal();
 		if ( hm.HasHash(h) )
@@ -119,39 +94,24 @@ void CPPCompile::Compile(bool report_uncompilable)
 		{
 		TypePtr tp{NewRef{}, (Type*)(t)};
 		types.AddKey(tp, pfs.HashType(t));
+		(void)RegisterType(tp);
 		}
 
-	for ( const auto& t : types.DistinctKeys() )
-		if ( ! types.IsInherited(t) )
-			// Type is new to this compilation, so we'll
-			// be generating it.
-			Emit("TypePtr %s;", types.KeyName(t));
+	// ### This doesn't work for -O add-C++
+	Emit("TypePtr types__CPP[%s];", Fmt(static_cast<int>(types.DistinctKeys().size())));
 
 	NL();
 
-	for ( const auto& c : pfs.Constants() )
-		AddConstant(c);
+#if 0
+	for ( auto gi : all_global_info )
+		Emit(gi->Declare());
 
 	NL();
+#endif
 
 	for ( auto& g : pfs.AllGlobals() )
 		CreateGlobal(g);
 
-	// Now that the globals are created, register their attributes,
-	// if any, and generate their initialization for use in standalone
-	// scripts.  We can't do these in CreateGlobal() because at that
-	// point it's possible that some of the globals refer to other
-	// globals not-yet-created.
-	for ( auto& g : pfs.AllGlobals() )
-		{
-		RegisterAttributes(g->GetAttrs());
-		if ( g->HasVal() )
-			{
-			auto gn = string(g->Name());
-			GenGlobalInit(g, globals[gn], g->GetVal());
-			}
-		}
-
 	for ( const auto& e : pfs.Events() )
 		if ( AddGlobal(e, "gl", false) )
 			Emit("EventHandlerPtr %s_ev;", globals[string(e)]);
@@ -201,10 +161,13 @@ void CPPCompile::Compile(bool report_uncompilable)
 		lambda_names.insert(n);
 		}
 
+	NL();
+	Emit("std::vector<CPP_RegisterBody> CPP__bodies_to_register = {");
+
 	for ( const auto& f : compiled_funcs )
 		RegisterCompiledBody(f);
 
-	GenFuncVarInits();
+	Emit("};");
 
 	GenEpilog();
 	}
@@ -217,12 +180,75 @@ void CPPCompile::GenProlog()
 		Emit("namespace zeek::detail { //\n");
 		}
 
-	Emit("namespace CPP_%s { // %s\n", Fmt(addl_tag), working_dir.c_str());
+	Emit("namespace CPP_%s { // %s\n", Fmt(addl_tag), working_dir);
 
 	// The following might-or-might-not wind up being populated/used.
 	Emit("std::vector<int> field_mapping;");
 	Emit("std::vector<int> enum_mapping;");
 	NL();
+
+	const_info[TYPE_BOOL] = CreateConstInitInfo("Bool", "ValPtr", "bool");
+	const_info[TYPE_INT] = CreateConstInitInfo("Int", "ValPtr", "bro_int_t");
+	const_info[TYPE_COUNT] = CreateConstInitInfo("Count", "ValPtr", "bro_uint_t");
+	const_info[TYPE_DOUBLE] = CreateConstInitInfo("Double", "ValPtr", "double");
+	const_info[TYPE_TIME] = CreateConstInitInfo("Time", "ValPtr", "double");
+	const_info[TYPE_INTERVAL] = CreateConstInitInfo("Interval", "ValPtr", "double");
+	const_info[TYPE_ADDR] = CreateConstInitInfo("Addr", "ValPtr", "");
+	const_info[TYPE_SUBNET] = CreateConstInitInfo("SubNet", "ValPtr", "");
+	const_info[TYPE_PORT] = CreateConstInitInfo("Port", "ValPtr", "uint32_t");
+
+	const_info[TYPE_ENUM] = CreateCompoundInitInfo("Enum", "ValPtr");
+	const_info[TYPE_STRING] = CreateCompoundInitInfo("String", "ValPtr");
+	const_info[TYPE_LIST] = CreateCompoundInitInfo("List", "ValPtr");
+	const_info[TYPE_PATTERN] = CreateCompoundInitInfo("Pattern", "ValPtr");
+	const_info[TYPE_VECTOR] = CreateCompoundInitInfo("Vector", "ValPtr");
+	const_info[TYPE_RECORD] = CreateCompoundInitInfo("Record", "ValPtr");
+	const_info[TYPE_TABLE] = CreateCompoundInitInfo("Table", "ValPtr");
+	const_info[TYPE_FUNC] = CreateCompoundInitInfo("Func", "ValPtr");
+	const_info[TYPE_FILE] = CreateCompoundInitInfo("File", "ValPtr");
+
+	type_info = CreateCompoundInitInfo("Type", "Ptr");
+	attr_info = CreateCompoundInitInfo("Attr", "Ptr");
+	attrs_info = CreateCompoundInitInfo("Attributes", "Ptr");
+
+	call_exprs_info = CreateCustomInitInfo("CallExpr", "Ptr");
+	lambda_reg_info = CreateCustomInitInfo("LambdaRegistration", "");
+	global_id_info = CreateCustomInitInfo("GlobalID", "");
+
+	NL();
+	DeclareDynCPPStmt();
+	NL();
+	}
+
+shared_ptr<CPP_InitsInfo> CPPCompile::CreateConstInitInfo(const char* tag, const char* type,
+                                                          const char* c_type)
+	{
+	auto gi = make_shared<CPP_BasicConstInitsInfo>(tag, type, c_type);
+	return RegisterInitInfo(tag, type, gi);
+	}
+
+shared_ptr<CPP_InitsInfo> CPPCompile::CreateCompoundInitInfo(const char* tag, const char* type)
+	{
+	auto gi = make_shared<CPP_CompoundInitsInfo>(tag, type);
+	return RegisterInitInfo(tag, type, gi);
+	}
+
+shared_ptr<CPP_InitsInfo> CPPCompile::CreateCustomInitInfo(const char* tag, const char* type)
+	{
+	auto gi = make_shared<CPP_CustomInitsInfo>(tag, type);
+	if ( type[0] == '\0' )
+		gi->SetCPPType("void*");
+
+	return RegisterInitInfo(tag, type, gi);
+	}
+
+shared_ptr<CPP_InitsInfo> CPPCompile::RegisterInitInfo(const char* tag, const char* type,
+                                                       shared_ptr<CPP_InitsInfo> gi)
+	{
+	string v_type = type[0] ? (string(tag) + type) : "void*";
+	Emit("std::vector<%s> CPP__%s__;", v_type, string(tag));
+	all_global_info.insert(gi);
+	return gi;
 	}
 
 void CPPCompile::RegisterCompiledBody(const string& f)
@@ -252,74 +278,135 @@ void CPPCompile::RegisterCompiledBody(const string& f)
 		// same binary).
 		h = merge_p_hashes(h, p_hash(cf_locs[f]));
 
-	auto init = string("register_body__CPP(make_intrusive<") + f + "_cl>(\"" + f + "\"), " +
-	            Fmt(p) + ", " + Fmt(h) + ", " + events + ");";
-
-	AddInit(names_to_bodies[f], init);
-
-	if ( update )
-		{
-		fprintf(hm.HashFile(), "func\n%s%s\n", scope_prefix(addl_tag).c_str(), f.c_str());
-		fprintf(hm.HashFile(), "%llu\n", h);
-		}
+	ASSERT(func_index.count(f) > 0);
+	auto type_signature = casting_index[func_index[f]];
+	Emit("\tCPP_RegisterBody(\"%s\", (void*) %s, %s, %s, %s, std::vector<std::string>(%s)),", f, f,
+	     Fmt(type_signature), Fmt(p), Fmt(h), events);
 	}
 
 void CPPCompile::GenEpilog()
 	{
 	NL();
+	for ( const auto& ii : init_infos )
+		GenInitExpr(ii.second);
 
-	for ( const auto& e : init_exprs.DistinctKeys() )
+	NL();
+	Emit("ValPtr CPPDynStmt::Exec(Frame* f, StmtFlowType& flow)");
+	StartBlock();
+	Emit("flow = FLOW_RETURN;");
+	Emit("switch ( type_signature )");
+	StartBlock();
+	for ( auto i = 0U; i < func_casting_glue.size(); ++i )
 		{
-		GenInitExpr(e);
-		if ( update )
-			init_exprs.LogIfNew(e, addl_tag, hm.HashFile());
+		Emit("case %s:", to_string(i));
+		StartBlock();
+		auto& glue = func_casting_glue[i];
+
+		auto invoke = string("(*(") + glue.cast + ")(func))(" + glue.args + ")";
+
+		if ( glue.is_hook )
+			{
+			Emit("if ( ! %s )", invoke);
+			StartBlock();
+			Emit("flow = FLOW_BREAK;");
+			EndBlock();
+			Emit("return nullptr;");
+			}
+
+		else if ( IsNativeType(glue.yield) )
+			GenInvokeBody(invoke, glue.yield);
+
+		else
+			Emit("return %s;", invoke);
+
+		EndBlock();
 		}
 
-	for ( const auto& a : attributes.DistinctKeys() )
-		{
-		GenAttrs(a);
-		if ( update )
-			attributes.LogIfNew(a, addl_tag, hm.HashFile());
-		}
+	Emit("default:");
+	Emit("\treporter->InternalError(\"invalid type in CPPDynStmt::Exec\");");
+	Emit("\treturn nullptr;");
 
-	// Generate the guts of compound types, and preserve type names
-	// if present.
-	for ( const auto& t : types.DistinctKeys() )
-		{
-		ExpandTypeVar(t);
-		if ( update )
-			types.LogIfNew(t, addl_tag, hm.HashFile());
-		}
+	EndBlock();
+	EndBlock();
 
-	InitializeEnumMappings();
+	NL();
 
-	GenPreInits();
-
-	unordered_set<const Obj*> to_do;
-	for ( const auto& oi : obj_inits )
-		to_do.insert(oi.first);
-
-	CheckInitConsistency(to_do);
-	auto nc = GenDependentInits(to_do);
+	for ( auto gi : all_global_info )
+		gi->GenerateInitializers(this);
 
 	if ( standalone )
 		GenStandaloneActivation();
 
+	NL();
+	InitializeEnumMappings();
+
+	NL();
+	InitializeFieldMappings();
+
+	NL();
+	InitializeBiFs();
+
+	NL();
+	indices_mgr.Generate(this);
+
+	NL();
+	InitializeStrings();
+
+	NL();
+	InitializeHashes();
+
+	NL();
+	InitializeConsts();
+
 	NL();
 	Emit("void init__CPP()");
 
 	StartBlock();
 
-	Emit("enum_mapping.resize(%s);\n", Fmt(int(enum_names.size())));
-	Emit("pre_init__CPP();");
+	Emit("std::vector<std::vector<int>> InitIndices;");
+	Emit("generate_indices_set(CPP__Indices__init, InitIndices);");
+
+	Emit("std::map<TypeTag, std::shared_ptr<CPP_AbstractInitAccessor>> InitConsts;");
 
 	NL();
-	for ( auto i = 1; i <= nc; ++i )
-		Emit("init_%s__CPP();", Fmt(i));
+	for ( const auto& ci : const_info )
+		{
+		auto& gi = ci.second;
+		Emit("InitConsts.emplace(%s, std::make_shared<CPP_InitAccessor<%s>>(%s));",
+		     TypeTagName(ci.first), gi->CPPType(), gi->InitsName());
+		}
+
+	Emit("InitsManager im(CPP__ConstVals, InitConsts, InitIndices, CPP__Strings, CPP__Hashes, "
+	     "CPP__Type__, CPP__Attributes__, CPP__Attr__, CPP__CallExpr__);");
+
+	NL();
+	Emit("for ( auto& b : CPP__bodies_to_register )");
+	StartBlock();
+	Emit("auto f = make_intrusive<CPPDynStmt>(b.func_name.c_str(), b.func, b.type_signature);");
+	Emit("register_body__CPP(f, b.priority, b.h, b.events);");
+	EndBlock();
+
+	NL();
+	int max_cohort = 0;
+	for ( auto gi : all_global_info )
+		max_cohort = std::max(max_cohort, gi->MaxCohort());
+
+	for ( auto c = 0; c <= max_cohort; ++c )
+		for ( auto gi : all_global_info )
+			if ( gi->CohortSize(c) > 0 )
+				Emit("%s.InitializeCohort(&im, %s);", gi->InitializersName(), Fmt(c));
+
+	NL();
+	Emit("for ( auto& b : CPP__BiF_lookups__ )");
+	Emit("\tb.ResolveBiF();");
 
 	// Populate mappings for dynamic offsets.
 	NL();
-	InitializeFieldMappings();
+	Emit("for ( auto& em : CPP__enum_mappings__ )");
+	Emit("\tenum_mapping.push_back(em.ComputeOffset(&im));");
+	NL();
+	Emit("for ( auto& fm : CPP__field_mappings__ )");
+	Emit("\tfield_mapping.push_back(fm.ComputeOffset(&im));");
 
 	if ( standalone )
 		Emit("standalone_init__CPP();");
@@ -328,10 +415,7 @@ void CPPCompile::GenEpilog()
 
 	GenInitHook();
 
-	Emit("} // %s\n\n", scope_prefix(addl_tag).c_str());
-
-	if ( update )
-		UpdateGlobalHashes();
+	Emit("} // %s\n\n", scope_prefix(addl_tag));
 
 	if ( addl_tag > 0 )
 		return;
diff --git a/src/script_opt/CPP/Emit.cc b/src/script_opt/CPP/Emit.cc
index 91a79b2a2f..84e122f9c0 100644
--- a/src/script_opt/CPP/Emit.cc
+++ b/src/script_opt/CPP/Emit.cc
@@ -13,75 +13,14 @@ using namespace std;
 
 void CPPCompile::StartBlock()
 	{
-	++block_level;
+	IndentUp();
 	Emit("{");
 	}
 
 void CPPCompile::EndBlock(bool needs_semi)
 	{
 	Emit("}%s", needs_semi ? ";" : "");
-	--block_level;
-	}
-
-string CPPCompile::GenString(const char* b, int len) const
-	{
-	return string("make_intrusive<StringVal>(") + Fmt(len) + ", " + CPPEscape(b, len) + ")";
-	}
-
-string CPPCompile::CPPEscape(const char* b, int len) const
-	{
-	string res = "\"";
-
-	for ( int i = 0; i < len; ++i )
-		{
-		unsigned char c = b[i];
-
-		switch ( c )
-			{
-			case '\a':
-				res += "\\a";
-				break;
-			case '\b':
-				res += "\\b";
-				break;
-			case '\f':
-				res += "\\f";
-				break;
-			case '\n':
-				res += "\\n";
-				break;
-			case '\r':
-				res += "\\r";
-				break;
-			case '\t':
-				res += "\\t";
-				break;
-			case '\v':
-				res += "\\v";
-				break;
-
-			case '\\':
-				res += "\\\\";
-				break;
-			case '"':
-				res += "\\\"";
-				break;
-
-			default:
-				if ( isprint(c) )
-					res += c;
-				else
-					{
-					char buf[8192];
-					snprintf(buf, sizeof buf, "%03o", c);
-					res += "\\";
-					res += buf;
-					}
-				break;
-			}
-		}
-
-	return res + "\"";
+	IndentDown();
 	}
 
 void CPPCompile::Indent() const
diff --git a/src/script_opt/CPP/Exprs.cc b/src/script_opt/CPP/Exprs.cc
index c2a9cc2753..3caf7805f3 100644
--- a/src/script_opt/CPP/Exprs.cc
+++ b/src/script_opt/CPP/Exprs.cc
@@ -232,7 +232,12 @@ string CPPCompile::GenConstExpr(const ConstExpr* c, GenType gt)
 	const auto& t = c->GetType();
 
 	if ( ! IsNativeType(t) )
-		return NativeToGT(const_vals[c->Value()], t, gt);
+		{
+		auto v = c->ValuePtr();
+		int consts_offset; // ignored
+		(void)RegisterConstant(v, consts_offset);
+		return NativeToGT(const_vals[v.get()]->Name(), t, gt);
+		}
 
 	return NativeToGT(GenVal(c->ValuePtr()), t, gt);
 	}
@@ -1177,8 +1182,10 @@ string CPPCompile::GenField(const ExprPtr& rec, int field)
 		// New mapping.
 		mapping_slot = num_rf_mappings++;
 
+		ASSERT(processed_types.count(rt) > 0);
+		auto rt_offset = processed_types[rt]->Offset();
 		string field_name = rt->FieldName(field);
-		field_decls.emplace_back(pair(rt, rt->FieldDecl(field)));
+		field_decls.emplace_back(pair(rt_offset, rt->FieldDecl(field)));
 
 		if ( record_field_mappings.count(rt) > 0 )
 			// We're already tracking this record.
@@ -1217,7 +1224,7 @@ string CPPCompile::GenEnum(const TypePtr& t, const ValPtr& ev)
 		mapping_slot = num_ev_mappings++;
 
 		string enum_name = et->Lookup(v);
-		enum_names.emplace_back(pair(et, move(enum_name)));
+		enum_names.emplace_back(pair(TypeOffset(t), move(enum_name)));
 
 		if ( enum_val_mappings.count(et) > 0 )
 			{
diff --git a/src/script_opt/CPP/GenFunc.cc b/src/script_opt/CPP/GenFunc.cc
index d0cb328f87..4cd57e7c7d 100644
--- a/src/script_opt/CPP/GenFunc.cc
+++ b/src/script_opt/CPP/GenFunc.cc
@@ -34,10 +34,8 @@ void CPPCompile::CompileLambda(const LambdaExpr* l, const ProfileFunc* pf)
 	DefineBody(l_id->GetType<FuncType>(), pf, lname, body, &ids, FUNC_FLAVOR_FUNCTION);
 	}
 
-void CPPCompile::GenInvokeBody(const string& fname, const TypePtr& t, const string& args)
+void CPPCompile::GenInvokeBody(const string& call, const TypePtr& t)
 	{
-	auto call = fname + "(" + args + ")";
-
 	if ( ! t || t->Tag() == TYPE_VOID )
 		{
 		Emit("%s;", call);
@@ -144,7 +142,7 @@ void CPPCompile::InitializeEvents(const ProfileFunc* pf)
 		// returns an EventHandlerPtr, sigh.
 		Emit("if ( event_registry->Lookup(\"%s\") )", e);
 		StartBlock();
-		Emit("%s = event_registry->Register(\"%s\");", ev_name.c_str(), e);
+		Emit("%s = event_registry->Register(\"%s\");", ev_name, e);
 		EndBlock();
 		Emit("did_init = true;");
 		EndBlock();
@@ -233,6 +231,16 @@ string CPPCompile::BodyName(const FuncInfo& func)
 	return fname + "__" + Fmt(static_cast<int>(i));
 	}
 
+p_hash_type CPPCompile::BodyHash(const Stmt* body)
+	{
+	ASSERT(body_names.count(body) > 0);
+
+	auto& body_name = body_names[body];
+	ASSERT(body_hashes.count(body_name) > 0);
+
+	return body_hashes[body_name];
+	}
+
 string CPPCompile::GenArgs(const RecordTypePtr& params, const Expr* e)
 	{
 	const auto& exprs = e->AsListExpr()->Exprs();
diff --git a/src/script_opt/CPP/HashMgr.cc b/src/script_opt/CPP/HashMgr.cc
index 4a6625391a..402b9dc012 100644
--- a/src/script_opt/CPP/HashMgr.cc
+++ b/src/script_opt/CPP/HashMgr.cc
@@ -12,28 +12,11 @@ using namespace std;
 
 VarMapper compiled_items;
 
-CPPHashManager::CPPHashManager(const char* hash_name_base, bool _append)
+CPPHashManager::CPPHashManager(const char* hash_name_base)
 	{
-	append = _append;
-
 	hash_name = string(hash_name_base) + ".dat";
 
-	if ( append )
-		{
-		hf_r = fopen(hash_name.c_str(), "r");
-		if ( ! hf_r )
-			{
-			reporter->Error("can't open auxiliary C++ hash file %s for reading", hash_name.c_str());
-			exit(1);
-			}
-
-		lock_file(hash_name, hf_r);
-		LoadHashes(hf_r);
-		}
-
-	auto mode = append ? "a" : "w";
-
-	hf_w = fopen(hash_name.c_str(), mode);
+	hf_w = fopen(hash_name.c_str(), "w");
 	if ( ! hf_w )
 		{
 		reporter->Error("can't open auxiliary C++ hash file %s for writing", hash_name.c_str());
diff --git a/src/script_opt/CPP/HashMgr.h b/src/script_opt/CPP/HashMgr.h
index 6a495b597e..2ae2e65ace 100644
--- a/src/script_opt/CPP/HashMgr.h
+++ b/src/script_opt/CPP/HashMgr.h
@@ -27,11 +27,9 @@ public:
 	// end of the file (and the hash file will be locked, to prevent
 	// overlapping updates from concurrent compilation/appends).
 	// Otherwise, the file will be generated afresh.
-	CPPHashManager(const char* hash_name_base, bool append);
+	CPPHashManager(const char* hash_name_base);
 	~CPPHashManager();
 
-	bool IsAppend() const { return append; }
-
 	// True if the given hash has already been generated.
 	bool HasHash(p_hash_type h) const { return previously_compiled.count(h) > 0; }
 
@@ -96,10 +94,6 @@ protected:
 	// names, rather than their script-level names.
 	std::unordered_map<std::string, int> gv_scopes;
 
-	// Whether we're appending to existing hash file(s), or starting
-	// afresh.
-	bool append;
-
 	// Base for file names.
 	std::string hash_name;
 
diff --git a/src/script_opt/CPP/Inits.cc b/src/script_opt/CPP/Inits.cc
index 48f3dd1cc1..61b1c18ca7 100644
--- a/src/script_opt/CPP/Inits.cc
+++ b/src/script_opt/CPP/Inits.cc
@@ -14,12 +14,30 @@ namespace zeek::detail
 
 using namespace std;
 
-void CPPCompile::GenInitExpr(const ExprPtr& e)
+std::shared_ptr<CPP_InitInfo> CPPCompile::RegisterInitExpr(const ExprPtr& ep)
+	{
+	auto ename = InitExprName(ep);
+
+	if ( init_infos.count(ename) )
+		return init_infos[ename];
+
+	auto wrapper_cl = string("wrapper_") + ename + "_cl";
+
+	auto gi = make_shared<CallExprInitInfo>(this, ep, ename, wrapper_cl);
+	call_exprs_info->AddInstance(gi);
+	init_infos[ename] = gi;
+
+	return gi;
+	}
+
+void CPPCompile::GenInitExpr(std::shared_ptr<CallExprInitInfo> ce_init)
 	{
 	NL();
 
+	const auto& e = ce_init->GetExpr();
 	const auto& t = e->GetType();
-	auto ename = InitExprName(e);
+	const auto& ename = ce_init->Name();
+	const auto& wc = ce_init->WrapperClass();
 
 	// First, create a CPPFunc that we can compile to compute 'e'.
 	auto name = string("wrapper_") + ename;
@@ -29,18 +47,17 @@ void CPPCompile::GenInitExpr(const ExprPtr& e)
 
 	// Create the Func subclass that can be used in a CallExpr to
 	// evaluate 'e'.
-	Emit("class %s_cl : public CPPFunc", name);
+	Emit("class %s : public CPPFunc", wc);
 	StartBlock();
 
 	Emit("public:");
-	Emit("%s_cl() : CPPFunc(\"%s\", %s)", name, name, e->IsPure() ? "true" : "false");
+	Emit("%s() : CPPFunc(\"%s\", %s)", wc, name, e->IsPure() ? "true" : "false");
 
 	StartBlock();
 	Emit("type = make_intrusive<FuncType>(make_intrusive<RecordType>(new type_decl_list()), %s, "
 	     "FUNC_FLAVOR_FUNCTION);",
 	     GenTypeName(t));
 
-	NoteInitDependency(e, TypeRep(t));
 	EndBlock();
 
 	Emit("ValPtr Invoke(zeek::Args* args, Frame* parent) const override final");
@@ -62,15 +79,9 @@ void CPPCompile::GenInitExpr(const ExprPtr& e)
 	EndBlock();
 
 	Emit("CallExprPtr %s;", ename);
-
-	NoteInitDependency(e, TypeRep(t));
-	AddInit(e, ename,
-	        string("make_intrusive<CallExpr>(make_intrusive<ConstExpr>(make_intrusive<FuncVal>("
-	               "make_intrusive<") +
-	            name + "_cl>())), make_intrusive<ListExpr>(), false)");
 	}
 
-bool CPPCompile::IsSimpleInitExpr(const ExprPtr& e) const
+bool CPPCompile::IsSimpleInitExpr(const ExprPtr& e)
 	{
 	switch ( e->Tag() )
 		{
@@ -101,360 +112,83 @@ string CPPCompile::InitExprName(const ExprPtr& e)
 	return init_exprs.KeyName(e);
 	}
 
-void CPPCompile::GenGlobalInit(const ID* g, string& gl, const ValPtr& v)
-	{
-	const auto& t = v->GetType();
-	auto tag = t->Tag();
-
-	if ( tag == TYPE_FUNC )
-		// This should get initialized by recognizing hash of
-		// the function's body.
-		return;
-
-	string init_val;
-	if ( tag == TYPE_OPAQUE )
-		{
-		// We can only generate these by reproducing the expression
-		// (presumably a function call) used to create the value.
-		// That isn't fully sound, since if the global's value
-		// was redef'd in terms of its original value (e.g.,
-		// "redef x = f(x)"), then we'll wind up with a broken
-		// expression.  It's difficult to detect that in full
-		// generality, so um Don't Do That.  (Note that this
-		// only affects execution of standalone compiled code,
-		// where the original scripts are replaced by load-stubs.
-		// If the scripts are available, then the HasVal() test
-		// we generate will mean we don't wind up using this
-		// expression anyway.)
-
-		// Use the final initialization expression.
-		auto& init_exprs = g->GetOptInfo()->GetInitExprs();
-		init_val = GenExpr(init_exprs.back(), GEN_VAL_PTR, false);
-		}
-	else
-		init_val = BuildConstant(g, v);
-
-	auto& attrs = g->GetAttrs();
-
-	AddInit(g, string("if ( ! ") + gl + "->HasVal() )");
-
-	if ( attrs )
-		{
-		RegisterAttributes(attrs);
-
-		AddInit(g, "\t{");
-		AddInit(g, "\t" + gl + "->SetVal(" + init_val + ");");
-		AddInit(g, "\t" + gl + "->SetAttrs(" + AttrsName(attrs) + ");");
-		AddInit(g, "\t}");
-		}
-	else
-		AddInit(g, "\t" + gl + "->SetVal(" + init_val + ");");
-	}
-
-void CPPCompile::GenFuncVarInits()
-	{
-	for ( const auto& fv_init : func_vars )
-		{
-		auto& fv = fv_init.first;
-		auto& const_name = fv_init.second;
-
-		auto f = fv->AsFunc();
-		const auto& fn = f->Name();
-		const auto& ft = f->GetType();
-
-		NoteInitDependency(fv, TypeRep(ft));
-
-		const auto& bodies = f->GetBodies();
-
-		string hashes = "{";
-
-		for ( const auto& b : bodies )
-			{
-			auto body = b.stmts.get();
-
-			ASSERT(body_names.count(body) > 0);
-
-			auto& body_name = body_names[body];
-			ASSERT(body_hashes.count(body_name) > 0);
-
-			NoteInitDependency(fv, body);
-
-			if ( hashes.size() > 1 )
-				hashes += ", ";
-
-			hashes += Fmt(body_hashes[body_name]);
-			}
-
-		hashes += "}";
-
-		auto init = string("lookup_func__CPP(\"") + fn + "\", " + hashes + ", " + GenTypeName(ft) +
-		            ")";
-
-		AddInit(fv, const_name, init);
-		}
-	}
-
-void CPPCompile::GenPreInit(const Type* t)
-	{
-	string pre_init;
-
-	switch ( t->Tag() )
-		{
-		case TYPE_ADDR:
-		case TYPE_ANY:
-		case TYPE_BOOL:
-		case TYPE_COUNT:
-		case TYPE_DOUBLE:
-		case TYPE_ERROR:
-		case TYPE_INT:
-		case TYPE_INTERVAL:
-		case TYPE_PATTERN:
-		case TYPE_PORT:
-		case TYPE_STRING:
-		case TYPE_TIME:
-		case TYPE_TIMER:
-		case TYPE_VOID:
-			pre_init = string("base_type(") + TypeTagName(t->Tag()) + ")";
-			break;
-
-		case TYPE_ENUM:
-			pre_init = string("get_enum_type__CPP(\"") + t->GetName() + "\")";
-			break;
-
-		case TYPE_SUBNET:
-			pre_init = string("make_intrusive<SubNetType>()");
-			break;
-
-		case TYPE_FILE:
-			pre_init = string("make_intrusive<FileType>(") + GenTypeName(t->AsFileType()->Yield()) +
-			           ")";
-			break;
-
-		case TYPE_OPAQUE:
-			pre_init = string("make_intrusive<OpaqueType>(\"") + t->AsOpaqueType()->Name() + "\")";
-			break;
-
-		case TYPE_RECORD:
-			{
-			string name;
-
-			if ( t->GetName() != "" )
-				name = string("\"") + t->GetName() + string("\"");
-			else
-				name = "nullptr";
-
-			pre_init = string("get_record_type__CPP(") + name + ")";
-			}
-			break;
-
-		case TYPE_LIST:
-			pre_init = string("make_intrusive<TypeList>()");
-			break;
-
-		case TYPE_TYPE:
-		case TYPE_VECTOR:
-		case TYPE_TABLE:
-		case TYPE_FUNC:
-			// Nothing to do for these, pre-initialization-wise.
-			return;
-
-		default:
-			reporter->InternalError("bad type in CPPCompile::GenType");
-		}
-
-	pre_inits.emplace_back(GenTypeName(t) + " = " + pre_init + ";");
-	}
-
-void CPPCompile::GenPreInits()
-	{
-	NL();
-	Emit("void pre_init__CPP()");
-
-	StartBlock();
-	for ( const auto& i : pre_inits )
-		Emit(i);
-	EndBlock();
-	}
-
-void CPPCompile::AddInit(const Obj* o, const string& init)
-	{
-	obj_inits[o].emplace_back(init);
-	}
-
-void CPPCompile::AddInit(const Obj* o)
-	{
-	if ( obj_inits.count(o) == 0 )
-		obj_inits[o] = {};
-	}
-
-void CPPCompile::NoteInitDependency(const Obj* o1, const Obj* o2)
-	{
-	obj_deps[o1].emplace(o2);
-	}
-
-void CPPCompile::CheckInitConsistency(unordered_set<const Obj*>& to_do)
-	{
-	for ( const auto& od : obj_deps )
-		{
-		const auto& o = od.first;
-
-		if ( to_do.count(o) == 0 )
-			{
-			fprintf(stderr, "object not in to_do: %s\n", obj_desc(o).c_str());
-			exit(1);
-			}
-
-		for ( const auto& d : od.second )
-			{
-			if ( to_do.count(d) == 0 )
-				{
-				fprintf(stderr, "dep object for %s not in to_do: %s\n", obj_desc(o).c_str(),
-				        obj_desc(d).c_str());
-				exit(1);
-				}
-			}
-		}
-	}
-
-int CPPCompile::GenDependentInits(unordered_set<const Obj*>& to_do)
-	{
-	int n = 0;
-
-	// The basic approach is fairly brute force: find elements of
-	// to_do that don't have any pending dependencies; generate those;
-	// and remove them from the to_do list, freeing up other to_do entries
-	// to now not having any pending dependencies.  Iterate until there
-	// are no more to-do items.
-	while ( to_do.size() > 0 )
-		{
-		unordered_set<const Obj*> cohort;
-
-		for ( const auto& o : to_do )
-			{
-			const auto& od = obj_deps.find(o);
-
-			bool has_pending_dep = false;
-
-			if ( od != obj_deps.end() )
-				{
-				for ( const auto& d : od->second )
-					if ( to_do.count(d) > 0 )
-						{
-						has_pending_dep = true;
-						break;
-						}
-				}
-
-			if ( has_pending_dep )
-				continue;
-
-			cohort.insert(o);
-			}
-
-		ASSERT(cohort.size() > 0);
-
-		GenInitCohort(++n, cohort);
-
-		for ( const auto& o : cohort )
-			{
-			ASSERT(to_do.count(o) > 0);
-			to_do.erase(o);
-			}
-		}
-
-	return n;
-	}
-
-void CPPCompile::GenInitCohort(int nc, unordered_set<const Obj*>& cohort)
-	{
-	NL();
-	Emit("void init_%s__CPP()", Fmt(nc));
-	StartBlock();
-
-	// If any script/BiF functions are used for initializing globals,
-	// the code generated from that will expect the presence of a
-	// frame pointer, even if nil.
-	Emit("Frame* f__CPP = nullptr;");
-
-	// The following is just for making the output readable/pretty:
-	// add space between initializations for distinct objects, taking
-	// into account that some objects have empty initializations.
-	bool did_an_init = false;
-
-	for ( auto o : cohort )
-		{
-		if ( did_an_init )
-			{
-			NL();
-			did_an_init = false;
-			}
-
-		for ( const auto& i : obj_inits.find(o)->second )
-			{
-			Emit("%s", i);
-			did_an_init = true;
-			}
-		}
-
-	EndBlock();
-	}
-
 void CPPCompile::InitializeFieldMappings()
 	{
-	Emit("int fm_offset;");
+	Emit("std::vector<CPP_FieldMapping> CPP__field_mappings__ = ");
+
+	StartBlock();
 
 	for ( const auto& mapping : field_decls )
 		{
-		auto rt = mapping.first;
+		auto rt_arg = Fmt(mapping.first);
 		auto td = mapping.second;
-		auto fn = td->id;
-		auto rt_name = GenTypeName(rt) + "->AsRecordType()";
+		auto type_arg = Fmt(TypeOffset(td->type));
+		auto attrs_arg = Fmt(AttributesOffset(td->attrs));
 
-		Emit("fm_offset = %s->FieldOffset(\"%s\");", rt_name, fn);
-		Emit("if ( fm_offset < 0 )");
-
-		StartBlock();
-		Emit("// field does not exist, create it");
-		Emit("fm_offset = %s->NumFields();", rt_name);
-		Emit("type_decl_list tl;");
-		Emit(GenTypeDecl(td));
-		Emit("%s->AddFieldsDirectly(tl);", rt_name);
-		EndBlock();
-
-		Emit("field_mapping.push_back(fm_offset);");
+		Emit("CPP_FieldMapping(%s, \"%s\", %s, %s),", rt_arg, td->id, type_arg, attrs_arg);
 		}
+
+	EndBlock(true);
 	}
 
 void CPPCompile::InitializeEnumMappings()
 	{
-	int n = 0;
+	Emit("std::vector<CPP_EnumMapping> CPP__enum_mappings__ = ");
+
+	StartBlock();
 
 	for ( const auto& mapping : enum_names )
-		InitializeEnumMappings(mapping.first, mapping.second, n++);
+		Emit("CPP_EnumMapping(%s, \"%s\"),", Fmt(mapping.first), mapping.second);
+
+	EndBlock(true);
 	}
 
-void CPPCompile::InitializeEnumMappings(const EnumType* et, const string& e_name, int index)
+void CPPCompile::InitializeBiFs()
 	{
-	AddInit(et, "{");
+	Emit("std::vector<CPP_LookupBiF> CPP__BiF_lookups__ = ");
 
-	auto et_name = GenTypeName(et) + "->AsEnumType()";
-	AddInit(et, "int em_offset = " + et_name + "->Lookup(\"" + e_name + "\");");
-	AddInit(et, "if ( em_offset < 0 )");
+	StartBlock();
 
-	AddInit(et, "\t{");
-	AddInit(et, "\tem_offset = " + et_name + "->Names().size();");
-	// The following is to catch the case where the offset is already
-	// in use due to it being specified explicitly for an existing enum.
-	AddInit(et, "\tif ( " + et_name + "->Lookup(em_offset) )");
-	AddInit(
-		et,
-		"\t\treporter->InternalError(\"enum inconsistency while initializing compiled scripts\");");
-	AddInit(et, "\t" + et_name + "->AddNameInternal(\"" + e_name + "\", em_offset);");
-	AddInit(et, "\t}");
+	for ( const auto& b : BiFs )
+		Emit("CPP_LookupBiF(%s, \"%s\"),", b.first, b.second);
 
-	AddInit(et, "enum_mapping[" + Fmt(index) + "] = em_offset;");
+	EndBlock(true);
+	}
 
-	AddInit(et, "}");
+void CPPCompile::InitializeStrings()
+	{
+	Emit("std::vector<const char*> CPP__Strings =");
+
+	StartBlock();
+
+	for ( const auto& s : ordered_tracked_strings )
+		Emit("\"%s\",", s);
+
+	EndBlock(true);
+	}
+
+void CPPCompile::InitializeHashes()
+	{
+	Emit("std::vector<p_hash_type> CPP__Hashes =");
+
+	StartBlock();
+
+	for ( const auto& h : ordered_tracked_hashes )
+		Emit(Fmt(h) + ",");
+
+	EndBlock(true);
+	}
+
+void CPPCompile::InitializeConsts()
+	{
+	Emit("std::vector<CPP_ValElem> CPP__ConstVals =");
+
+	StartBlock();
+
+	for ( const auto& c : consts )
+		Emit("CPP_ValElem(%s, %s),", TypeTagName(c.first), Fmt(c.second));
+
+	EndBlock(true);
 	}
 
 void CPPCompile::GenInitHook()
@@ -482,11 +216,13 @@ void CPPCompile::GenStandaloneActivation()
 	{
 	NL();
 
+#if 0
 	Emit("void standalone_activation__CPP()");
 	StartBlock();
 	for ( auto& a : activations )
 		Emit(a);
 	EndBlock();
+#endif
 
 	NL();
 	Emit("void standalone_init__CPP()");
diff --git a/src/script_opt/CPP/InitsInfo.cc b/src/script_opt/CPP/InitsInfo.cc
new file mode 100644
index 0000000000..4c2685afaf
--- /dev/null
+++ b/src/script_opt/CPP/InitsInfo.cc
@@ -0,0 +1,577 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/Desc.h"
+#include "zeek/RE.h"
+#include "zeek/ZeekString.h"
+#include "zeek/script_opt/CPP/Attrs.h"
+#include "zeek/script_opt/CPP/Compile.h"
+
+using namespace std;
+
+namespace zeek::detail
+	{
+
+string CPP_InitsInfo::Name(int index) const
+	{
+	return base_name + "[" + Fmt(index) + "]";
+	}
+
+void CPP_InitsInfo::AddInstance(shared_ptr<CPP_InitInfo> g)
+	{
+	auto init_cohort = g->InitCohort();
+
+	if ( static_cast<int>(instances.size()) <= init_cohort )
+		instances.resize(init_cohort + 1);
+
+	g->SetOffset(this, size++);
+
+	instances[init_cohort].push_back(move(g));
+	}
+
+string CPP_InitsInfo::Declare() const
+	{
+	return string("std::vector<") + CPPType() + "> " + base_name + ";";
+	}
+
+void CPP_InitsInfo::GenerateInitializers(CPPCompile* c)
+	{
+	BuildOffsetSet(c);
+
+	c->NL();
+
+	auto gt = InitsType();
+
+	// Declare the initializer.
+	c->Emit("%s %s = %s(%s, %s,", gt, InitializersName(), gt, base_name, Fmt(offset_set));
+
+	c->IndentUp();
+	c->Emit("{");
+
+	// Add each cohort as a vector element.
+	for ( auto& cohort : instances )
+		{
+		c->Emit("{");
+		BuildCohort(c, cohort);
+		c->Emit("},");
+		}
+
+	c->Emit("}");
+	c->IndentDown();
+	c->Emit(");");
+	}
+
+void CPP_InitsInfo::BuildOffsetSet(CPPCompile* c)
+	{
+	vector<int> offsets_vec;
+
+	for ( auto& cohort : instances )
+		{
+		// Reduce the offsets used by this cohort to an
+		// offset into the managed vector-of-indices global.
+		vector<int> offsets;
+		offsets.reserve(cohort.size());
+		for ( auto& co : cohort )
+			offsets.push_back(co->Offset());
+
+		offsets_vec.push_back(c->IndMgr().AddIndices(offsets));
+		}
+
+	// Now that we have all the offsets in a vector, reduce them, too,
+	// to an offset into the managed vector-of-indices global,
+	offset_set = c->IndMgr().AddIndices(offsets_vec);
+	}
+
+void CPP_InitsInfo::BuildCohort(CPPCompile* c, std::vector<std::shared_ptr<CPP_InitInfo>>& cohort)
+	{
+	for ( auto& co : cohort )
+		{
+		vector<string> ivs;
+		co->InitializerVals(ivs);
+		BuildCohortElement(c, co->InitializerType(), ivs);
+		}
+	}
+
+void CPP_InitsInfo::BuildCohortElement(CPPCompile* c, string init_type, vector<string>& ivs)
+	{
+	string full_init;
+	bool did_one = false;
+	for ( auto& iv : ivs )
+		{
+		if ( did_one )
+			full_init += ", ";
+		else
+			did_one = true;
+
+		full_init += iv;
+		}
+
+	c->Emit("std::make_shared<%s>(%s),", init_type, full_init);
+	}
+
+void CPP_CompoundInitsInfo::BuildCohortElement(CPPCompile* c, string init_type, vector<string>& ivs)
+	{
+	string init_line;
+	for ( auto& iv : ivs )
+		init_line += iv + ", ";
+
+	c->Emit("{ %s},", init_line);
+	}
+
+void CPP_BasicConstInitsInfo::BuildCohortElement(CPPCompile* c, string init_type,
+                                                 vector<string>& ivs)
+	{
+	ASSERT(ivs.size() == 1);
+	c->Emit(ivs[0] + ",");
+	}
+
+string CPP_InitInfo::ValElem(CPPCompile* c, ValPtr v)
+	{
+	string init_type;
+	string init_args;
+
+	if ( v )
+		{
+		int consts_offset;
+		auto gi = c->RegisterConstant(v, consts_offset);
+		init_cohort = max(init_cohort, gi->InitCohort() + 1);
+		return Fmt(consts_offset);
+		}
+	else
+		return Fmt(-1);
+	}
+
+DescConstInfo::DescConstInfo(CPPCompile* c, ValPtr v) : CPP_InitInfo()
+	{
+	ODesc d;
+	v->Describe(&d);
+	auto s = c->TrackString(d.Description());
+	init = Fmt(s);
+	}
+
+EnumConstInfo::EnumConstInfo(CPPCompile* c, ValPtr v)
+	{
+	auto ev = v->AsEnumVal();
+	auto& ev_t = ev->GetType();
+	e_type = c->TypeOffset(ev_t);
+	init_cohort = c->TypeCohort(ev_t) + 1;
+	e_val = v->AsEnum();
+	}
+
+StringConstInfo::StringConstInfo(CPPCompile* c, ValPtr v) : CPP_InitInfo()
+	{
+	auto s = v->AsString();
+	const char* b = (const char*)(s->Bytes());
+
+	len = s->Len();
+	chars = c->TrackString(CPPEscape(b, len));
+	}
+
+PatternConstInfo::PatternConstInfo(CPPCompile* c, ValPtr v) : CPP_InitInfo()
+	{
+	auto re = v->AsPatternVal()->Get();
+	pattern = c->TrackString(CPPEscape(re->OrigText()));
+	is_case_insensitive = re->IsCaseInsensitive();
+	}
+
+CompoundItemInfo::CompoundItemInfo(CPPCompile* _c, ValPtr v) : CPP_InitInfo(), c(_c)
+	{
+	auto& t = v->GetType();
+	type = c->TypeOffset(t);
+	init_cohort = c->TypeCohort(t) + 1;
+	}
+
+ListConstInfo::ListConstInfo(CPPCompile* _c, ValPtr v) : CompoundItemInfo(_c)
+	{
+	auto lv = cast_intrusive<ListVal>(v);
+	auto n = lv->Length();
+
+	for ( auto i = 0U; i < n; ++i )
+		vals.emplace_back(ValElem(c, lv->Idx(i)));
+	}
+
+VectorConstInfo::VectorConstInfo(CPPCompile* c, ValPtr v) : CompoundItemInfo(c, v)
+	{
+	auto vv = cast_intrusive<VectorVal>(v);
+	auto n = vv->Size();
+
+	for ( auto i = 0; i < n; ++i )
+		vals.emplace_back(ValElem(c, vv->ValAt(i)));
+	}
+
+RecordConstInfo::RecordConstInfo(CPPCompile* c, ValPtr v) : CompoundItemInfo(c, v)
+	{
+	auto r = cast_intrusive<RecordVal>(v);
+	auto n = r->NumFields();
+
+	type = c->TypeOffset(r->GetType());
+
+	for ( auto i = 0; i < n; ++i )
+		vals.emplace_back(ValElem(c, r->GetField(i)));
+	}
+
+TableConstInfo::TableConstInfo(CPPCompile* c, ValPtr v) : CompoundItemInfo(c, v)
+	{
+	auto tv = cast_intrusive<TableVal>(v);
+
+	for ( auto& tv_i : tv->ToMap() )
+		{
+		vals.emplace_back(ValElem(c, tv_i.first)); // index
+		vals.emplace_back(ValElem(c, tv_i.second)); // value
+		}
+	}
+
+FileConstInfo::FileConstInfo(CPPCompile* c, ValPtr v) : CompoundItemInfo(c, v)
+	{
+	auto fv = cast_intrusive<FileVal>(v);
+	auto fname = c->TrackString(fv->Get()->Name());
+	vals.emplace_back(Fmt(fname));
+	}
+
+FuncConstInfo::FuncConstInfo(CPPCompile* _c, ValPtr v) : CompoundItemInfo(_c, v), fv(v->AsFuncVal())
+	{
+	// This is slightly hacky.  There's a chance that this constant
+	// depends on a lambda being registered.  Here we use the knowledge
+	// that LambdaRegistrationInfo sets its cohort to 1 more than
+	// the function type, so we can ensure any possible lambda has
+	// been registered by setting ours to 2 more.  CompoundItemInfo
+	// has already set our cohort to 1 more.
+	++init_cohort;
+	}
+
+void FuncConstInfo::InitializerVals(std::vector<std::string>& ivs) const
+	{
+	auto f = fv->AsFunc();
+	const auto& fn = f->Name();
+
+	ivs.emplace_back(Fmt(type));
+	ivs.emplace_back(Fmt(c->TrackString(fn)));
+
+	string hashes;
+
+	if ( ! c->NotFullyCompilable(fn) )
+		{
+		const auto& bodies = f->GetBodies();
+
+		for ( const auto& b : bodies )
+			{
+			auto h = c->BodyHash(b.stmts.get());
+			auto h_o = c->TrackHash(h);
+			ivs.emplace_back(Fmt(h_o));
+			}
+		}
+	}
+
+AttrInfo::AttrInfo(CPPCompile* _c, const AttrPtr& attr) : CompoundItemInfo(_c)
+	{
+	vals.emplace_back(Fmt(static_cast<int>(attr->Tag())));
+	auto a_e = attr->GetExpr();
+
+	if ( a_e )
+		{
+		auto gi = c->RegisterType(a_e->GetType());
+		init_cohort = max(init_cohort, gi->InitCohort() + 1);
+
+		if ( ! CPPCompile::IsSimpleInitExpr(a_e) )
+			{
+			gi = c->RegisterInitExpr(a_e);
+			init_cohort = max(init_cohort, gi->InitCohort() + 1);
+
+			vals.emplace_back(Fmt(static_cast<int>(AE_CALL)));
+			vals.emplace_back(Fmt(gi->Offset()));
+			}
+
+		else if ( a_e->Tag() == EXPR_CONST )
+			{
+			auto v = a_e->AsConstExpr()->ValuePtr();
+			vals.emplace_back(Fmt(static_cast<int>(AE_CONST)));
+			vals.emplace_back(ValElem(c, v));
+			}
+
+		else if ( a_e->Tag() == EXPR_NAME )
+			{
+			auto g = a_e->AsNameExpr()->Id();
+			auto gi = c->RegisterGlobal(g);
+			init_cohort = max(init_cohort, gi->InitCohort() + 1);
+
+			vals.emplace_back(Fmt(static_cast<int>(AE_NAME)));
+			vals.emplace_back(Fmt(c->TrackString(g->Name())));
+			}
+
+		else
+			{
+			ASSERT(a_e->Tag() == EXPR_RECORD_COERCE);
+			vals.emplace_back(Fmt(static_cast<int>(AE_RECORD)));
+			vals.emplace_back(Fmt(gi->Offset()));
+			}
+		}
+
+	else
+		vals.emplace_back(Fmt(static_cast<int>(AE_NONE)));
+	}
+
+AttrsInfo::AttrsInfo(CPPCompile* _c, const AttributesPtr& _attrs) : CompoundItemInfo(_c)
+	{
+	for ( const auto& a : _attrs->GetAttrs() )
+		{
+		ASSERT(c->ProcessedAttr().count(a.get()) > 0);
+		auto gi = c->ProcessedAttr()[a.get()];
+		init_cohort = max(init_cohort, gi->InitCohort() + 1);
+		vals.emplace_back(Fmt(gi->Offset()));
+		}
+	}
+
+GlobalInitInfo::GlobalInitInfo(CPPCompile* c, const ID* g, string _CPP_name)
+	: CPP_InitInfo(), CPP_name(move(_CPP_name))
+	{
+	Zeek_name = g->Name();
+
+	auto gi = c->RegisterType(g->GetType());
+	init_cohort = max(init_cohort, gi->InitCohort() + 1);
+	type = gi->Offset();
+
+	gi = c->RegisterAttributes(g->GetAttrs());
+	if ( gi )
+		{
+		init_cohort = max(init_cohort, gi->InitCohort() + 1);
+		attrs = gi->Offset();
+		}
+	else
+		attrs = -1;
+
+	exported = g->IsExport();
+
+	val = ValElem(c, g->GetVal());
+	}
+
+void GlobalInitInfo::InitializerVals(std::vector<std::string>& ivs) const
+	{
+	ivs.push_back(CPP_name);
+	ivs.push_back(string("\"") + Zeek_name + "\"");
+	ivs.push_back(Fmt(type));
+	ivs.push_back(Fmt(attrs));
+	ivs.push_back(val);
+	ivs.push_back(Fmt(exported));
+	}
+
+CallExprInitInfo::CallExprInitInfo(CPPCompile* c, ExprPtr _e, string _e_name, string _wrapper_class)
+	: e(move(_e)), e_name(move(_e_name)), wrapper_class(move(_wrapper_class))
+	{
+	auto gi = c->RegisterType(e->GetType());
+	init_cohort = max(init_cohort, gi->InitCohort() + 1);
+	}
+
+LambdaRegistrationInfo::LambdaRegistrationInfo(CPPCompile* c, string _name, FuncTypePtr ft,
+                                               string _wrapper_class, p_hash_type _h,
+                                               bool _has_captures)
+	: name(move(_name)), wrapper_class(move(_wrapper_class)), h(_h), has_captures(_has_captures)
+	{
+	auto gi = c->RegisterType(ft);
+	init_cohort = max(init_cohort, gi->InitCohort() + 1);
+	func_type = gi->Offset();
+	}
+
+void LambdaRegistrationInfo::InitializerVals(std::vector<std::string>& ivs) const
+	{
+	ivs.emplace_back(string("\"") + name + "\"");
+	ivs.emplace_back(Fmt(func_type));
+	ivs.emplace_back(Fmt(h));
+	ivs.emplace_back(has_captures ? "true" : "false");
+	}
+
+void EnumTypeInfo::AddInitializerVals(std::vector<std::string>& ivs) const
+	{
+	ivs.emplace_back(Fmt(c->TrackString(t->GetName())));
+
+	auto et = t->AsEnumType();
+
+	for ( const auto& name_pair : et->Names() )
+		{
+		ivs.emplace_back(Fmt(c->TrackString(name_pair.first)));
+		ivs.emplace_back(Fmt(int(name_pair.second)));
+		}
+	}
+
+void OpaqueTypeInfo::AddInitializerVals(std::vector<std::string>& ivs) const
+	{
+	ivs.emplace_back(Fmt(c->TrackString(t->GetName())));
+	}
+
+TypeTypeInfo::TypeTypeInfo(CPPCompile* _c, TypePtr _t) : AbstractTypeInfo(_c, move(_t))
+	{
+	tt = t->AsTypeType()->GetType();
+	auto gi = c->RegisterType(tt);
+	if ( gi )
+		init_cohort = gi->InitCohort();
+	}
+
+void TypeTypeInfo::AddInitializerVals(std::vector<std::string>& ivs) const
+	{
+	ivs.emplace_back(to_string(c->TypeOffset(tt)));
+	}
+
+VectorTypeInfo::VectorTypeInfo(CPPCompile* _c, TypePtr _t) : AbstractTypeInfo(_c, move(_t))
+	{
+	yield = t->Yield();
+	auto gi = c->RegisterType(yield);
+	if ( gi )
+		init_cohort = gi->InitCohort();
+	}
+
+void VectorTypeInfo::AddInitializerVals(std::vector<std::string>& ivs) const
+	{
+	ivs.emplace_back(to_string(c->TypeOffset(yield)));
+	}
+
+ListTypeInfo::ListTypeInfo(CPPCompile* _c, TypePtr _t)
+	: AbstractTypeInfo(_c, move(_t)), types(t->AsTypeList()->GetTypes())
+	{
+	for ( auto& tl_i : types )
+		{
+		auto gi = c->RegisterType(tl_i);
+		if ( gi )
+			init_cohort = max(init_cohort, gi->InitCohort());
+		}
+	}
+
+void ListTypeInfo::AddInitializerVals(std::vector<std::string>& ivs) const
+	{
+	string type_list;
+	for ( auto& t : types )
+		ivs.emplace_back(Fmt(c->TypeOffset(t)));
+	}
+
+TableTypeInfo::TableTypeInfo(CPPCompile* _c, TypePtr _t) : AbstractTypeInfo(_c, move(_t))
+	{
+	auto tbl = t->AsTableType();
+
+	auto gi = c->RegisterType(tbl->GetIndices());
+	ASSERT(gi);
+	indices = gi->Offset();
+	init_cohort = gi->InitCohort();
+
+	yield = tbl->Yield();
+
+	if ( yield )
+		{
+		gi = c->RegisterType(yield);
+		if ( gi )
+			init_cohort = max(init_cohort, gi->InitCohort());
+		}
+	}
+
+void TableTypeInfo::AddInitializerVals(std::vector<std::string>& ivs) const
+	{
+	ivs.emplace_back(Fmt(indices));
+	ivs.emplace_back(Fmt(yield ? c->TypeOffset(yield) : -1));
+	}
+
+FuncTypeInfo::FuncTypeInfo(CPPCompile* _c, TypePtr _t) : AbstractTypeInfo(_c, move(_t))
+	{
+	auto f = t->AsFuncType();
+
+	flavor = f->Flavor();
+	params = f->Params();
+	yield = f->Yield();
+
+	auto gi = c->RegisterType(f->Params());
+	if ( gi )
+		init_cohort = gi->InitCohort();
+
+	if ( yield )
+		{
+		gi = c->RegisterType(f->Yield());
+		if ( gi )
+			init_cohort = max(init_cohort, gi->InitCohort());
+		}
+	}
+
+void FuncTypeInfo::AddInitializerVals(std::vector<std::string>& ivs) const
+	{
+	ivs.emplace_back(Fmt(c->TypeOffset(params)));
+	ivs.emplace_back(Fmt(yield ? c->TypeOffset(yield) : -1));
+	ivs.emplace_back(Fmt(static_cast<int>(flavor)));
+	}
+
+RecordTypeInfo::RecordTypeInfo(CPPCompile* _c, TypePtr _t) : AbstractTypeInfo(_c, move(_t))
+	{
+	auto r = t->AsRecordType()->Types();
+
+	if ( ! r )
+		return;
+
+	for ( const auto& r_i : *r )
+		{
+		field_names.emplace_back(r_i->id);
+
+		auto gi = c->RegisterType(r_i->type);
+		if ( gi )
+			init_cohort = max(init_cohort, gi->InitCohort());
+		// else it's a recursive type, no need to adjust cohort here
+
+		field_types.push_back(r_i->type);
+
+		if ( r_i->attrs )
+			{
+			gi = c->RegisterAttributes(r_i->attrs);
+			init_cohort = max(init_cohort, gi->InitCohort() + 1);
+			field_attrs.push_back(gi->Offset());
+			}
+		else
+			field_attrs.push_back(-1);
+		}
+	}
+
+void RecordTypeInfo::AddInitializerVals(std::vector<std::string>& ivs) const
+	{
+	ivs.emplace_back(Fmt(c->TrackString(t->GetName())));
+
+	auto n = field_names.size();
+
+	for ( auto i = 0U; i < n; ++i )
+		{
+		ivs.emplace_back(Fmt(c->TrackString(field_names[i])));
+
+		// Because RecordType's can be recursively defined,
+		// during construction we couldn't reliably access
+		// the field type's offsets.  At this point, though,
+		// they should all be available.
+		ivs.emplace_back(Fmt(c->TypeOffset(field_types[i])));
+		ivs.emplace_back(Fmt(field_attrs[i]));
+		}
+	}
+
+void IndicesManager::Generate(CPPCompile* c)
+	{
+	c->Emit("int CPP__Indices__init[] =");
+	c->StartBlock();
+
+	int nset = 0;
+	for ( auto& is : indices_set )
+		{
+		// Track the offsets into the raw vector, to make it
+		// easier to debug problems.
+		auto line = string("/* ") + to_string(nset++) + " */ ";
+
+		// We first record the size, then the values.
+		line += to_string(is.size()) + ", ";
+
+		auto n = 1;
+		for ( auto i : is )
+			{
+			line += to_string(i) + ", ";
+			if ( ++n % 10 == 0 )
+				{
+				c->Emit(line);
+				line.clear();
+				}
+			}
+
+		if ( line.size() > 0 )
+			c->Emit(line);
+		}
+
+	c->Emit("-1");
+	c->EndBlock(true);
+	}
+
+	} // zeek::detail
diff --git a/src/script_opt/CPP/InitsInfo.h b/src/script_opt/CPP/InitsInfo.h
new file mode 100644
index 0000000000..b8453b8135
--- /dev/null
+++ b/src/script_opt/CPP/InitsInfo.h
@@ -0,0 +1,693 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+// Classes for tracking information for initializing C++ values used by the
+// generated code.
+
+// Initialization is probably the most complex part of the entire compiler,
+// as there are a lot of considerations.  There are two basic parts: (1) the
+// generation of C++ code for doing run-time initialization, which is covered
+// by the classes in this file, and (2) the execution of that code to do the
+// actual initialization, which is covered by the classes in RuntimeInits.h.
+//
+// There are two fundamental types of initialization, those that create values
+// (such as Zeek Type and Val objects) that will be used during the execution
+// of compiled scripts, and those that perform actions such as registering
+// the presence of a global or a lambda.  In addition, for the former (values
+// used at run-time), some are grouped together into vectors, with the compiled
+// code using a hardwired index to get to a particular value; and some have
+// standalone globals (for example, one for each BiF that a compiled script
+// may call).
+//
+// For each of these types of initialization, our general approach is to a
+// class that manages a single instance of that type, and an an object that
+// manages all of those instances collectively.  The latter object will, for
+// example, attend to determining the offset into the run-time vector associated
+// with a particular initialized value.
+//
+// An additional complexity is that often the initialization of a particular
+// value will depend on *other* values having already been initialized.  For
+// example, a record type might have a field that is a table, and thus the
+// type corresponding to the table needs to be available before we can create
+// the record type.  However, the table might have a set of attributes
+// associated with it, which have to be initialized before we can create the
+// table type, those in turn requiring the initialization of each of the
+// individual attributes in the set.  One of those attributes might specify
+// a &default function for the table, requiring initializing *that* value
+// (not just the type, but also a way to refer to the particular instance of
+// the function) before initializing the attribute, etc.  Worse, record types
+// can be *indirectly recursive*, which requires first initializing a "stub"
+// for the record type before doing the final initialization.
+//
+// The general strategy for dealing with all of these dependencies is to
+// compute for each initialization its "cohort".  An initialization that
+// doesn't depend on any others is in cohort 0.  An initialization X that
+// depends on an initialization Y will have cohort(X) = cohort(Y) + 1; or,
+// in general, one more than the highest cohort of any initialization it
+// depends on.  (We cut a corner in that, due to how initialization information
+// is constructed, if X and Y are for the same type of object then we can
+// safely use cohort(X) = cohort(Y).)  We then execute run-time initialization
+// in waves, one cohort at a time.
+//
+// Because C++ compilers can struggle when trying to optimize large quantities
+// of code - clang in particular could take many CPU *hours* back when our
+// compiler just generated C++ code snippets for each initialization - rather
+// than producing code that directly executes each given initialization, we
+// instead employ a table-driven approach.  The C++ initializers for the
+// tables contain simple values - often just vectors of integers - that compile
+// quickly.  At run-time we then spin through the elements of the tables (one
+// cohort at a time) to obtain the information needed to initialize any given
+// item.
+//
+// Many forms of initialization are specified in terms of indices into globals
+// that hold items of various types.  Thus, the most common initialization
+// information is a vector of integers/indices.  These data structures can
+// be recursive, too, namely we sometimes associate an index with a vector
+// of integers/indices and then we can track multiple such vectors using
+// another vector of integers/indices.
+
+#include "zeek/File.h"
+#include "zeek/Val.h"
+#include "zeek/script_opt/ProfileFunc.h"
+
+#pragma once
+
+namespace zeek::detail
+	{
+
+class CPPCompile;
+
+// Abstract class for tracking information about a single initialization item.
+class CPP_InitInfo;
+
+// Abstract class for tracking information about a collection of initialization
+// items.
+class CPP_InitsInfo
+	{
+public:
+	CPP_InitsInfo(std::string _tag, std::string type) : tag(std::move(_tag))
+		{
+		base_name = std::string("CPP__") + tag + "__";
+		CPP_type = tag + type;
+		}
+
+	virtual ~CPP_InitsInfo() { }
+
+	// Returns the name of the C++ global that will hold the items' values
+	// at run-time, once initialized.  These are all vectors, for which
+	// the generated code accesses a particular item by indexing the vector.
+	const std::string& InitsName() const { return base_name; }
+
+	// Returns the name of the C++ global used to hold the table we employ
+	// for table-driven initialization.
+	std::string InitializersName() const { return base_name + "init"; }
+
+	// Returns the "name" of the given element in the run-time vector
+	// associated with this collection of initialization items.  It's not
+	// really a name but rather a vector index, so for example Name(12)
+	// might return "CPP__Pattern__[12]", but we use the term Name because
+	// the representation used to be individualized globals, such as
+	// "CPP__Pattern__12".
+	std::string Name(int index) const;
+
+	// Returns the name that will correspond to the next item added to
+	// this set.
+	std::string NextName() const { return Name(size); }
+
+	// The largest initialization cohort of any item in this collection.
+	int MaxCohort() const { return static_cast<int>(instances.size()) - 1; }
+
+	// Returns the number of initializations in this collection that below
+	// to the given cohort c.
+	int CohortSize(int c) const { return c > MaxCohort() ? 0 : instances[c].size(); }
+
+	// Returns the C++ type associated with this collection's run-time vector.
+	// This might be, for example, "PatternVal"
+	const std::string& CPPType() const { return CPP_type; }
+
+	// Sets the associated C++ type.
+	virtual void SetCPPType(std::string ct) { CPP_type = std::move(ct); }
+
+	// Returns the type associated with the table used for initialization
+	// (i.e., this is the type of the global returned by InitializersName()).
+	std::string InitsType() const { return inits_type; }
+
+	// Add a new initialization instance to the collection.
+	void AddInstance(std::shared_ptr<CPP_InitInfo> g);
+
+	// Emit code to populate the table used to initialize this collection.
+	void GenerateInitializers(CPPCompile* c);
+
+protected:
+	// Computes offset_set - see below.
+	void BuildOffsetSet(CPPCompile* c);
+
+	// Returns a declaration suitable for the run-time vector that holds
+	// the initialized items in the collection.
+	std::string Declare() const;
+
+	// For a given cohort, generates the associated table elements for
+	// creating it.
+	void BuildCohort(CPPCompile* c, std::vector<std::shared_ptr<CPP_InitInfo>>& cohort);
+
+	// Given the initialization type and initializers for with a given
+	// cohort element, build the associated table element.
+	virtual void BuildCohortElement(CPPCompile* c, std::string init_type,
+	                                std::vector<std::string>& ivs);
+
+	// Total number of initializers.
+	int size = 0;
+
+	// Each cohort is represented by a vector whose elements correspond
+	// to the initialization information for a single item.  This variable
+	// holds a vector of cohorts, indexed by the number of the cohort.
+	// (Note, some cohorts may be empty.)
+	std::vector<std::vector<std::shared_ptr<CPP_InitInfo>>> instances;
+
+	// Each cohort has associated with it a vector of offsets, specifying
+	// positions in the run-time vector of the items in the cohort.
+	//
+	// We reduce each such vector to an index into the collection of
+	// such vectors (as managed by an IndicesManager - see below).
+	//
+	// Once we've done that reduction, we can represent each cohort
+	// using a single index, and thus all of the cohorts using a vector
+	// of indices.  We then reduce *that* vector to a single index,
+	// again using the IndicesManager.  We store that single index
+	// in the "offset_set" variable.
+	int offset_set = 0;
+
+	// Tag used to distinguish a particular collection of constants.
+	std::string tag;
+
+	// C++ name for this collection of constants.
+	std::string base_name;
+
+	// C++ type associated with a single instance of these constants.
+	std::string CPP_type;
+
+	// C++ type associated with the collection of initializers.
+	std::string inits_type;
+	};
+
+// A class for a collection of initialization items for which each item
+// has a "custom" initializer (that is, a bespoke C++ object, rather than
+// a simple C++ type or a vector of indices).
+class CPP_CustomInitsInfo : public CPP_InitsInfo
+	{
+public:
+	CPP_CustomInitsInfo(std::string _tag, std::string _type)
+		: CPP_InitsInfo(std::move(_tag), std::move(_type))
+		{
+		BuildInitType();
+		}
+
+	void SetCPPType(std::string ct) override
+		{
+		CPP_InitsInfo::SetCPPType(std::move(ct));
+		BuildInitType();
+		}
+
+private:
+	void BuildInitType() { inits_type = std::string("CPP_CustomInits<") + CPPType() + ">"; }
+	};
+
+// A class for a collection of initialization items corresponding to "basic"
+// constants, i.e., those that can be represented either directly as C++
+// constants, or as indices into a vector of C++ objects.
+class CPP_BasicConstInitsInfo : public CPP_CustomInitsInfo
+	{
+public:
+	// In the following, if "c_type" is non-empty then it specifes the
+	// C++ type used to directly represent the constant.  If empty, it
+	// indicates that we instead use an index into a separate vector.
+	CPP_BasicConstInitsInfo(std::string _tag, std::string type, std::string c_type)
+		: CPP_CustomInitsInfo(std::move(_tag), std::move(type))
+		{
+		if ( c_type.empty() )
+			inits_type = std::string("CPP_") + tag + "Consts";
+		else
+			inits_type = std::string("CPP_BasicConsts<") + CPP_type + ", " + c_type + ", " + tag +
+			             "Val>";
+		}
+
+	void BuildCohortElement(CPPCompile* c, std::string init_type,
+	                        std::vector<std::string>& ivs) override;
+	};
+
+// A class for a collection of initialization items that are defined using
+// other initialization items.
+class CPP_CompoundInitsInfo : public CPP_InitsInfo
+	{
+public:
+	CPP_CompoundInitsInfo(std::string _tag, std::string type)
+		: CPP_InitsInfo(std::move(_tag), std::move(type))
+		{
+		if ( tag == "Type" )
+			// These need a refined version of CPP_IndexedInits
+			// in order to build different types dynamically.
+			inits_type = "CPP_TypeInits";
+		else
+			inits_type = std::string("CPP_IndexedInits<") + CPPType() + ">";
+		}
+
+	void BuildCohortElement(CPPCompile* c, std::string init_type,
+	                        std::vector<std::string>& ivs) override;
+	};
+
+// Abstract class for tracking information about a single initialization item.
+class CPP_InitInfo
+	{
+public:
+	// No constructor - basic initialization happens when the object is
+	// added via AddInstance() to a CPP_InitsInfo object, which in turn
+	// will lead to invocation of this object's SetOffset() method.
+
+	virtual ~CPP_InitInfo() { }
+
+	// Associates this item with an initialization collection and run-time
+	// vector offset.
+	void SetOffset(const CPP_InitsInfo* _inits_collection, int _offset)
+		{
+		inits_collection = _inits_collection;
+		offset = _offset;
+		}
+
+	// Returns the offset for this item into the associated run-time vector.
+	int Offset() const { return offset; }
+
+	// Returns the name that should be used for referring to this
+	// value in the generated code.
+	std::string Name() const { return inits_collection->Name(offset); }
+
+	// Returns this item's initialization cohort.
+	int InitCohort() const { return init_cohort; }
+
+	// Returns the type used for this initializer.
+	virtual std::string InitializerType() const { return "<shouldn't-be-used>"; }
+
+	// Returns values used for creating this value, one element per
+	// constructor parameter.
+	virtual void InitializerVals(std::vector<std::string>& ivs) const = 0;
+
+protected:
+	// Returns an offset (into the run-time vector holding all Zeek
+	// constant values) corresponding to the given value.  Registers
+	// the constant if needed.
+	std::string ValElem(CPPCompile* c, ValPtr v);
+
+	// By default, values have no dependencies on other values
+	// being first initialized.  Those that do must increase this
+	// value in their constructors.
+	int init_cohort = 0;
+
+	// Tracks the collection to which this item belongs.
+	const CPP_InitsInfo* inits_collection = nullptr;
+
+	// Offset of this item in the collection, or -1 if no association.
+	int offset = -1;
+	};
+
+// Information associated with initializing a basic (non-compound) constant.
+class BasicConstInfo : public CPP_InitInfo
+	{
+public:
+	BasicConstInfo(std::string _val) : val(std::move(_val)) { }
+
+	void InitializerVals(std::vector<std::string>& ivs) const override { ivs.emplace_back(val); }
+
+private:
+	// All we need to track is the C++ representation of the constant.
+	std::string val;
+	};
+
+// Information associated with initializing a constant whose Val constructor
+// takes a string.
+class DescConstInfo : public CPP_InitInfo
+	{
+public:
+	DescConstInfo(CPPCompile* c, ValPtr v);
+
+	void InitializerVals(std::vector<std::string>& ivs) const override { ivs.emplace_back(init); }
+
+private:
+	std::string init;
+	};
+
+class EnumConstInfo : public CPP_InitInfo
+	{
+public:
+	EnumConstInfo(CPPCompile* c, ValPtr v);
+
+	void InitializerVals(std::vector<std::string>& ivs) const override
+		{
+		ivs.emplace_back(std::to_string(e_type));
+		ivs.emplace_back(std::to_string(e_val));
+		}
+
+private:
+	int e_type; // an index into the enum's Zeek type
+	int e_val; // integer value of the enum
+	};
+
+class StringConstInfo : public CPP_InitInfo
+	{
+public:
+	StringConstInfo(CPPCompile* c, ValPtr v);
+
+	void InitializerVals(std::vector<std::string>& ivs) const override
+		{
+		ivs.emplace_back(std::to_string(chars));
+		ivs.emplace_back(std::to_string(len));
+		}
+
+private:
+	int chars; // index into vector of char*'s
+	int len; // length of the string
+	};
+
+class PatternConstInfo : public CPP_InitInfo
+	{
+public:
+	PatternConstInfo(CPPCompile* c, ValPtr v);
+
+	void InitializerVals(std::vector<std::string>& ivs) const override
+		{
+		ivs.emplace_back(std::to_string(pattern));
+		ivs.emplace_back(std::to_string(is_case_insensitive));
+		}
+
+private:
+	int pattern; // index into string representation of pattern
+	int is_case_insensitive; // case-insensitivity flag, 0 or 1
+	};
+
+class PortConstInfo : public CPP_InitInfo
+	{
+public:
+	PortConstInfo(ValPtr v) : p(static_cast<UnsignedValImplementation*>(v->AsPortVal())->Get()) { }
+
+	void InitializerVals(std::vector<std::string>& ivs) const override
+		{
+		ivs.emplace_back(std::to_string(p) + "U");
+		}
+
+private:
+	bro_uint_t p;
+	};
+
+// Abstract class for compound items (those defined in terms of other items).
+class CompoundItemInfo : public CPP_InitInfo
+	{
+public:
+	// The first of these is used for items with custom Zeek types,
+	// the second when the type is generic/inapplicable.
+	CompoundItemInfo(CPPCompile* c, ValPtr v);
+	CompoundItemInfo(CPPCompile* _c) : c(_c) { type = -1; }
+
+	void InitializerVals(std::vector<std::string>& ivs) const override
+		{
+		if ( type >= 0 )
+			ivs.emplace_back(std::to_string(type));
+
+		for ( auto& v : vals )
+			ivs.push_back(v);
+		}
+
+protected:
+	CPPCompile* c;
+	int type;
+	std::vector<std::string> vals; // initialization values
+	};
+
+// This next set corresponds to compound Zeek constants of various types.
+class ListConstInfo : public CompoundItemInfo
+	{
+public:
+	ListConstInfo(CPPCompile* c, ValPtr v);
+	};
+
+class VectorConstInfo : public CompoundItemInfo
+	{
+public:
+	VectorConstInfo(CPPCompile* c, ValPtr v);
+	};
+
+class RecordConstInfo : public CompoundItemInfo
+	{
+public:
+	RecordConstInfo(CPPCompile* c, ValPtr v);
+	};
+
+class TableConstInfo : public CompoundItemInfo
+	{
+public:
+	TableConstInfo(CPPCompile* c, ValPtr v);
+	};
+
+class FileConstInfo : public CompoundItemInfo
+	{
+public:
+	FileConstInfo(CPPCompile* c, ValPtr v);
+	};
+
+class FuncConstInfo : public CompoundItemInfo
+	{
+public:
+	FuncConstInfo(CPPCompile* _c, ValPtr v);
+
+	void InitializerVals(std::vector<std::string>& ivs) const override;
+
+private:
+	FuncVal* fv;
+	};
+
+// Initialization information for single attributes and sets of attributes.
+class AttrInfo : public CompoundItemInfo
+	{
+public:
+	AttrInfo(CPPCompile* c, const AttrPtr& attr);
+	};
+
+class AttrsInfo : public CompoundItemInfo
+	{
+public:
+	AttrsInfo(CPPCompile* c, const AttributesPtr& attrs);
+	};
+
+// Information for initialization a Zeek global.
+class GlobalInitInfo : public CPP_InitInfo
+	{
+public:
+	GlobalInitInfo(CPPCompile* c, const ID* g, std::string CPP_name);
+
+	std::string InitializerType() const override { return "CPP_GlobalInit"; }
+	void InitializerVals(std::vector<std::string>& ivs) const override;
+
+protected:
+	std::string Zeek_name;
+	std::string CPP_name;
+	int type;
+	int attrs;
+	std::string val;
+	bool exported;
+	};
+
+// Information for initializing an item corresponding to a Zeek function
+// call, needed to associate complex expressions with attributes.
+class CallExprInitInfo : public CPP_InitInfo
+	{
+public:
+	CallExprInitInfo(CPPCompile* c, ExprPtr e, std::string e_name, std::string wrapper_class);
+
+	std::string InitializerType() const override
+		{
+		return std::string("CPP_CallExprInit<") + wrapper_class + ">";
+		}
+	void InitializerVals(std::vector<std::string>& ivs) const override { ivs.emplace_back(e_name); }
+
+	// Accessors, since code to initialize these is generated separately
+	// from that of most initialization collections.
+	const ExprPtr& GetExpr() const { return e; }
+	const std::string& Name() const { return e_name; }
+	const std::string& WrapperClass() const { return wrapper_class; }
+
+protected:
+	ExprPtr e;
+	std::string e_name;
+	std::string wrapper_class;
+	};
+
+// Information for registering the class/function assocaited with a lambda.
+class LambdaRegistrationInfo : public CPP_InitInfo
+	{
+public:
+	LambdaRegistrationInfo(CPPCompile* c, std::string name, FuncTypePtr ft,
+	                       std::string wrapper_class, p_hash_type h, bool has_captures);
+
+	std::string InitializerType() const override
+		{
+		return std::string("CPP_LambdaRegistration<") + wrapper_class + ">";
+		}
+	void InitializerVals(std::vector<std::string>& ivs) const override;
+
+protected:
+	std::string name;
+	int func_type;
+	std::string wrapper_class;
+	p_hash_type h;
+	bool has_captures;
+	};
+
+// Abstract class for representing information for initializing a Zeek type.
+class AbstractTypeInfo : public CPP_InitInfo
+	{
+public:
+	AbstractTypeInfo(CPPCompile* _c, TypePtr _t) : c(_c), t(std::move(_t)) { }
+
+	void InitializerVals(std::vector<std::string>& ivs) const override
+		{
+		ivs.emplace_back(std::to_string(static_cast<int>(t->Tag())));
+		AddInitializerVals(ivs);
+		}
+
+	virtual void AddInitializerVals(std::vector<std::string>& ivs) const { }
+
+protected:
+	CPPCompile* c;
+	TypePtr t; // the type we're initializing
+	};
+
+// The following capture information for different Zeek types.
+class BaseTypeInfo : public AbstractTypeInfo
+	{
+public:
+	BaseTypeInfo(CPPCompile* _c, TypePtr _t) : AbstractTypeInfo(_c, std::move(_t)) { }
+	};
+
+class EnumTypeInfo : public AbstractTypeInfo
+	{
+public:
+	EnumTypeInfo(CPPCompile* _c, TypePtr _t) : AbstractTypeInfo(_c, std::move(_t)) { }
+
+	void AddInitializerVals(std::vector<std::string>& ivs) const override;
+	};
+
+class OpaqueTypeInfo : public AbstractTypeInfo
+	{
+public:
+	OpaqueTypeInfo(CPPCompile* _c, TypePtr _t) : AbstractTypeInfo(_c, std::move(_t)) { }
+
+	void AddInitializerVals(std::vector<std::string>& ivs) const override;
+	};
+
+class TypeTypeInfo : public AbstractTypeInfo
+	{
+public:
+	TypeTypeInfo(CPPCompile* c, TypePtr _t);
+
+	void AddInitializerVals(std::vector<std::string>& ivs) const override;
+
+private:
+	TypePtr tt; // the type referred to by t
+	};
+
+class VectorTypeInfo : public AbstractTypeInfo
+	{
+public:
+	VectorTypeInfo(CPPCompile* c, TypePtr _t);
+
+	void AddInitializerVals(std::vector<std::string>& ivs) const override;
+
+private:
+	TypePtr yield;
+	};
+
+class ListTypeInfo : public AbstractTypeInfo
+	{
+public:
+	ListTypeInfo(CPPCompile* c, TypePtr _t);
+
+	void AddInitializerVals(std::vector<std::string>& ivs) const override;
+
+private:
+	const std::vector<TypePtr>& types;
+	};
+
+class TableTypeInfo : public AbstractTypeInfo
+	{
+public:
+	TableTypeInfo(CPPCompile* c, TypePtr _t);
+
+	void AddInitializerVals(std::vector<std::string>& ivs) const override;
+
+private:
+	int indices;
+	TypePtr yield;
+	};
+
+class FuncTypeInfo : public AbstractTypeInfo
+	{
+public:
+	FuncTypeInfo(CPPCompile* c, TypePtr _t);
+
+	void AddInitializerVals(std::vector<std::string>& ivs) const override;
+
+private:
+	FunctionFlavor flavor;
+	TypePtr params;
+	TypePtr yield;
+	};
+
+class RecordTypeInfo : public AbstractTypeInfo
+	{
+public:
+	RecordTypeInfo(CPPCompile* c, TypePtr _t);
+
+	void AddInitializerVals(std::vector<std::string>& ivs) const override;
+
+private:
+	std::vector<std::string> field_names;
+	std::vector<TypePtr> field_types;
+	std::vector<int> field_attrs;
+	};
+
+// Much of the table-driven initialization is based on vectors of indices,
+// which we represent as vectors of int's, where each int is used to index a
+// global C++ vector.  This class manages such vectors.  In particular, it
+// reduces a given vector-of-indices to a single value, itself an index, that
+// can be used at run-time to retrieve a reference to the original vector.
+//
+// Note that the notion recurses: if we have several vector-of-indices, we can
+// reduce each to an index, and then take the resulting vector-of-meta-indices
+// and reduce it further to an index.  Doing so allows us to concisely refer
+// to a potentially large, deep set of indices using a single value - such as
+// for CPP_InitsInfo's "offset_set" member variable.
+
+class IndicesManager
+	{
+public:
+	IndicesManager() { }
+
+	// Adds a new vector-of-indices to the collection we're tracking,
+	// returning the offset that will be associated with it at run-time.
+	int AddIndices(std::vector<int> indices)
+		{
+		int n = indices_set.size();
+		indices_set.emplace_back(std::move(indices));
+		return n;
+		}
+
+	// Generates the initializations used to construct the managed
+	// vectors at run-time.
+	void Generate(CPPCompile* c);
+
+private:
+	// Each vector-of-indices being tracked.  We could obtain some
+	// space and time savings by recognizing duplicate vectors
+	// (for example, empty vectors are very common), but as long
+	// as the code compiles and executes without undue overhead,
+	// this doesn't appear necessary.
+	std::vector<std::vector<int>> indices_set;
+	};
+
+	} // zeek::detail
diff --git a/src/script_opt/CPP/Runtime.h b/src/script_opt/CPP/Runtime.h
index 258d24d673..d872c1d9e3 100644
--- a/src/script_opt/CPP/Runtime.h
+++ b/src/script_opt/CPP/Runtime.h
@@ -17,18 +17,21 @@
 #include "zeek/ZeekString.h"
 #include "zeek/module_util.h"
 #include "zeek/script_opt/CPP/Func.h"
-#include "zeek/script_opt/CPP/RuntimeInit.h"
+#include "zeek/script_opt/CPP/RuntimeInitSupport.h"
+#include "zeek/script_opt/CPP/RuntimeInits.h"
 #include "zeek/script_opt/CPP/RuntimeOps.h"
 #include "zeek/script_opt/CPP/RuntimeVec.h"
 #include "zeek/script_opt/ScriptOpt.h"
 
-namespace zeek
+namespace zeek::detail
 	{
 
 using BoolValPtr = IntrusivePtr<zeek::BoolVal>;
+using IntValPtr = IntrusivePtr<zeek::IntVal>;
 using CountValPtr = IntrusivePtr<zeek::CountVal>;
 using DoubleValPtr = IntrusivePtr<zeek::DoubleVal>;
 using StringValPtr = IntrusivePtr<zeek::StringVal>;
+using TimeValPtr = IntrusivePtr<zeek::TimeVal>;
 using IntervalValPtr = IntrusivePtr<zeek::IntervalVal>;
 using PatternValPtr = IntrusivePtr<zeek::PatternVal>;
 using FuncValPtr = IntrusivePtr<zeek::FuncVal>;
diff --git a/src/script_opt/CPP/RuntimeInit.cc b/src/script_opt/CPP/RuntimeInitSupport.cc
similarity index 89%
rename from src/script_opt/CPP/RuntimeInit.cc
rename to src/script_opt/CPP/RuntimeInitSupport.cc
index f98718dce0..87a7fb484e 100644
--- a/src/script_opt/CPP/RuntimeInit.cc
+++ b/src/script_opt/CPP/RuntimeInitSupport.cc
@@ -1,6 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "zeek/script_opt/CPP/RuntimeInit.h"
+#include "zeek/script_opt/CPP/RuntimeInitSupport.h"
 
 #include "zeek/EventRegistry.h"
 #include "zeek/module_util.h"
@@ -49,7 +49,7 @@ static int flag_init_CPP()
 
 static int dummy = flag_init_CPP();
 
-void register_type__CPP(TypePtr t, const std::string& name)
+void register_type__CPP(TypePtr t, const string& name)
 	{
 	if ( t->GetName().size() > 0 )
 		// Already registered.
@@ -113,8 +113,8 @@ void activate_bodies__CPP(const char* fn, const char* module, bool exported, Typ
 	auto v = fg->GetVal();
 	if ( ! v )
 		{ // Create it.
-		std::vector<StmtPtr> no_bodies;
-		std::vector<int> no_priorities;
+		vector<StmtPtr> no_bodies;
+		vector<int> no_priorities;
 		auto sf = make_intrusive<ScriptFunc>(fn, ft, no_bodies, no_priorities);
 
 		v = make_intrusive<FuncVal>(move(sf));
@@ -193,6 +193,28 @@ FuncValPtr lookup_func__CPP(string name, vector<p_hash_type> hashes, const TypeP
 	{
 	auto ft = cast_intrusive<FuncType>(t);
 
+	if ( hashes.empty() )
+		{
+		// This happens for functions that have at least one
+		// uncompilable body.
+		auto gl = lookup_ID(name.c_str(), GLOBAL_MODULE_NAME, false, false, false);
+		if ( ! gl )
+			{
+			reporter->CPPRuntimeError("non-compiled function %s missing", name.c_str());
+			exit(1);
+			}
+
+		auto v = gl->GetVal();
+		if ( ! v || v->GetType()->Tag() != TYPE_FUNC )
+			{
+			reporter->CPPRuntimeError("non-compiled function %s has an invalid value",
+			                          name.c_str());
+			exit(1);
+			}
+
+		return cast_intrusive<FuncVal>(v);
+		}
+
 	vector<StmtPtr> bodies;
 	vector<int> priorities;
 
diff --git a/src/script_opt/CPP/RuntimeInit.h b/src/script_opt/CPP/RuntimeInitSupport.h
similarity index 98%
rename from src/script_opt/CPP/RuntimeInit.h
rename to src/script_opt/CPP/RuntimeInitSupport.h
index fbc44a32dc..284290c95b 100644
--- a/src/script_opt/CPP/RuntimeInit.h
+++ b/src/script_opt/CPP/RuntimeInitSupport.h
@@ -5,6 +5,7 @@
 #pragma once
 
 #include "zeek/Val.h"
+#include "zeek/script_opt/CPP/Attrs.h"
 #include "zeek/script_opt/CPP/Func.h"
 
 namespace zeek
diff --git a/src/script_opt/CPP/RuntimeInits.cc b/src/script_opt/CPP/RuntimeInits.cc
new file mode 100644
index 0000000000..ef795f4942
--- /dev/null
+++ b/src/script_opt/CPP/RuntimeInits.cc
@@ -0,0 +1,528 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/script_opt/CPP/RunTimeInits.h"
+
+#include "zeek/Desc.h"
+#include "zeek/File.h"
+#include "zeek/RE.h"
+#include "zeek/ZeekString.h"
+#include "zeek/script_opt/CPP/RunTimeInitSupport.h"
+
+using namespace std;
+
+namespace zeek::detail
+	{
+
+template <class T>
+void CPP_IndexedInits<T>::InitializeCohortWithOffsets(InitsManager* im, int cohort,
+                                                      const std::vector<int>& cohort_offsets)
+	{
+	auto& co = this->inits[cohort];
+	for ( auto i = 0U; i < co.size(); ++i )
+		Generate(im, this->inits_vec, cohort_offsets[i], co[i]);
+	}
+
+template <class T>
+void CPP_IndexedInits<T>::Generate(InitsManager* im, std::vector<EnumValPtr>& ivec, int offset,
+                                   ValElemVec& init_vals)
+	{
+	auto& e_type = im->Types(init_vals[0]);
+	int val = init_vals[1];
+	ivec[offset] = make_enum__CPP(e_type, val);
+	}
+
+template <class T>
+void CPP_IndexedInits<T>::Generate(InitsManager* im, std::vector<StringValPtr>& ivec, int offset,
+                                   ValElemVec& init_vals)
+	{
+	auto chars = im->Strings(init_vals[0]);
+	int len = init_vals[1];
+	ivec[offset] = make_intrusive<StringVal>(len, chars);
+	}
+
+template <class T>
+void CPP_IndexedInits<T>::Generate(InitsManager* im, std::vector<PatternValPtr>& ivec, int offset,
+                                   ValElemVec& init_vals)
+	{
+	auto re = new RE_Matcher(im->Strings(init_vals[0]));
+	if ( init_vals[1] )
+		re->MakeCaseInsensitive();
+
+	re->Compile();
+
+	ivec[offset] = make_intrusive<PatternVal>(re);
+	}
+
+template <class T>
+void CPP_IndexedInits<T>::Generate(InitsManager* im, std::vector<ListValPtr>& ivec, int offset,
+                                   ValElemVec& init_vals) const
+	{
+	auto n = init_vals.size();
+	auto i = 0U;
+
+	auto l = make_intrusive<ListVal>(TYPE_ANY);
+
+	while ( i < n )
+		l->Append(im->ConstVals(init_vals[i++]));
+
+	ivec[offset] = l;
+	}
+
+template <class T>
+void CPP_IndexedInits<T>::Generate(InitsManager* im, std::vector<VectorValPtr>& ivec, int offset,
+                                   ValElemVec& init_vals) const
+	{
+	auto n = init_vals.size();
+	auto i = 0U;
+	auto t = init_vals[i++];
+
+	auto vt = cast_intrusive<VectorType>(im->Types(t));
+	auto vv = make_intrusive<VectorVal>(vt);
+
+	while ( i < n )
+		vv->Append(im->ConstVals(init_vals[i++]));
+
+	ivec[offset] = vv;
+	}
+
+template <class T>
+void CPP_IndexedInits<T>::Generate(InitsManager* im, std::vector<RecordValPtr>& ivec, int offset,
+                                   ValElemVec& init_vals) const
+	{
+	auto n = init_vals.size();
+	auto i = 0U;
+	auto t = init_vals[i++];
+
+	auto rt = cast_intrusive<RecordType>(im->Types(t));
+	auto rv = make_intrusive<RecordVal>(rt);
+
+	while ( i < n )
+		{
+		auto v = init_vals[i];
+		if ( v >= 0 )
+			rv->Assign(i - 1, im->ConstVals(v));
+		++i;
+		}
+
+	ivec[offset] = rv;
+	}
+
+template <class T>
+void CPP_IndexedInits<T>::Generate(InitsManager* im, std::vector<TableValPtr>& ivec, int offset,
+                                   ValElemVec& init_vals) const
+	{
+	auto n = init_vals.size();
+	auto i = 0U;
+	auto t = init_vals[i++];
+
+	auto tt = cast_intrusive<TableType>(im->Types(t));
+	auto tv = make_intrusive<TableVal>(tt);
+
+	while ( i < n )
+		{
+		auto index = im->ConstVals(init_vals[i++]);
+		auto v = init_vals[i++];
+		auto value = v >= 0 ? im->ConstVals(v) : nullptr;
+		tv->Assign(index, value);
+		}
+
+	ivec[offset] = tv;
+	}
+
+template <class T>
+void CPP_IndexedInits<T>::Generate(InitsManager* im, std::vector<FileValPtr>& ivec, int offset,
+                                   ValElemVec& init_vals) const
+	{
+	auto n = init_vals.size();
+	auto i = 0U;
+	auto t = init_vals[i++]; // not used
+
+	auto fn = im->Strings(init_vals[i++]);
+	auto fv = make_intrusive<FileVal>(make_intrusive<File>(fn, "w"));
+
+	ivec[offset] = fv;
+	}
+
+template <class T>
+void CPP_IndexedInits<T>::Generate(InitsManager* im, std::vector<FuncValPtr>& ivec, int offset,
+                                   ValElemVec& init_vals) const
+	{
+	auto n = init_vals.size();
+	auto i = 0U;
+	auto t = init_vals[i++];
+
+	auto fn = im->Strings(init_vals[i++]);
+
+	std::vector<p_hash_type> hashes;
+
+	while ( i < n )
+		hashes.push_back(im->Hashes(init_vals[i++]));
+
+	ivec[offset] = lookup_func__CPP(fn, hashes, im->Types(t));
+	}
+
+template <class T>
+void CPP_IndexedInits<T>::Generate(InitsManager* im, std::vector<AttrPtr>& ivec, int offset,
+                                   ValElemVec& init_vals) const
+	{
+	auto tag = static_cast<AttrTag>(init_vals[0]);
+	auto ae_tag = static_cast<AttrExprType>(init_vals[1]);
+
+	ExprPtr e;
+	auto e_arg = init_vals[2];
+
+	switch ( ae_tag )
+		{
+		case AE_NONE:
+			break;
+
+		case AE_CONST:
+			e = make_intrusive<ConstExpr>(im->ConstVals(e_arg));
+			break;
+
+		case AE_NAME:
+			{
+			auto name = im->Strings(e_arg);
+			auto gl = lookup_ID(name, GLOBAL_MODULE_NAME, false, false, false);
+			ASSERT(gl);
+			e = make_intrusive<NameExpr>(gl);
+			break;
+			}
+
+		case AE_RECORD:
+			{
+			auto t = im->Types(e_arg);
+			auto rt = cast_intrusive<RecordType>(t);
+			auto empty_vals = make_intrusive<ListExpr>();
+			auto construct = make_intrusive<RecordConstructorExpr>(empty_vals);
+			e = make_intrusive<RecordCoerceExpr>(construct, rt);
+			break;
+			}
+
+		case AE_CALL:
+			e = im->CallExprs(e_arg);
+			break;
+		}
+
+	ivec[offset] = make_intrusive<Attr>(tag, e);
+	}
+
+template <class T>
+void CPP_IndexedInits<T>::Generate(InitsManager* im, std::vector<AttributesPtr>& ivec, int offset,
+                                   ValElemVec& init_vals) const
+	{
+	auto n = init_vals.size();
+	auto i = 0U;
+
+	std::vector<AttrPtr> a_list;
+	while ( i < n )
+		a_list.emplace_back(im->Attrs(init_vals[i++]));
+
+	ivec[offset] = make_intrusive<Attributes>(a_list, nullptr, false, false);
+	}
+
+// Instantiate the templates we'll need.
+
+template class CPP_IndexedInits<EnumValPtr>;
+template class CPP_IndexedInits<StringValPtr>;
+template class CPP_IndexedInits<PatternValPtr>;
+template class CPP_IndexedInits<ListValPtr>;
+template class CPP_IndexedInits<VectorValPtr>;
+template class CPP_IndexedInits<RecordValPtr>;
+template class CPP_IndexedInits<TableValPtr>;
+template class CPP_IndexedInits<FileValPtr>;
+template class CPP_IndexedInits<FuncValPtr>;
+template class CPP_IndexedInits<AttrPtr>;
+template class CPP_IndexedInits<AttributesPtr>;
+template class CPP_IndexedInits<TypePtr>;
+
+void CPP_TypeInits::DoPreInits(InitsManager* im, const std::vector<int>& offsets_vec)
+	{
+	for ( auto cohort = 0U; cohort < offsets_vec.size(); ++cohort )
+		{
+		auto& co = inits[cohort];
+		auto& cohort_offsets = im->Indices(offsets_vec[cohort]);
+		for ( auto i = 0U; i < co.size(); ++i )
+			PreInit(im, cohort_offsets[i], co[i]);
+		}
+	}
+
+void CPP_TypeInits::PreInit(InitsManager* im, int offset, ValElemVec& init_vals)
+	{
+	auto tag = static_cast<TypeTag>(init_vals[0]);
+
+	if ( tag == TYPE_LIST )
+		inits_vec[offset] = make_intrusive<TypeList>();
+
+	else if ( tag == TYPE_RECORD )
+		{
+		auto name = im->Strings(init_vals[1]);
+		if ( name[0] )
+			inits_vec[offset] = get_record_type__CPP(name);
+		else
+			inits_vec[offset] = get_record_type__CPP(nullptr);
+		}
+
+	// else no pre-initialization needed
+	}
+
+void CPP_TypeInits::Generate(InitsManager* im, vector<TypePtr>& ivec, int offset,
+                             ValElemVec& init_vals) const
+	{
+	auto tag = static_cast<TypeTag>(init_vals[0]);
+	TypePtr t;
+	switch ( tag )
+		{
+		case TYPE_ADDR:
+		case TYPE_ANY:
+		case TYPE_BOOL:
+		case TYPE_COUNT:
+		case TYPE_DOUBLE:
+		case TYPE_ERROR:
+		case TYPE_INT:
+		case TYPE_INTERVAL:
+		case TYPE_PATTERN:
+		case TYPE_PORT:
+		case TYPE_STRING:
+		case TYPE_TIME:
+		case TYPE_TIMER:
+		case TYPE_VOID:
+		case TYPE_SUBNET:
+		case TYPE_FILE:
+			t = base_type(tag);
+			break;
+
+		case TYPE_ENUM:
+			t = BuildEnumType(im, init_vals);
+			break;
+
+		case TYPE_OPAQUE:
+			t = BuildOpaqueType(im, init_vals);
+			break;
+
+		case TYPE_TYPE:
+			t = BuildTypeType(im, init_vals);
+			break;
+
+		case TYPE_VECTOR:
+			t = BuildVectorType(im, init_vals);
+			break;
+
+		case TYPE_LIST:
+			t = BuildTypeList(im, init_vals, offset);
+			break;
+
+		case TYPE_TABLE:
+			t = BuildTableType(im, init_vals);
+			break;
+
+		case TYPE_FUNC:
+			t = BuildFuncType(im, init_vals);
+			break;
+
+		case TYPE_RECORD:
+			t = BuildRecordType(im, init_vals, offset);
+			break;
+
+		default:
+			ASSERT(0);
+		}
+
+	ivec[offset] = t;
+	}
+
+TypePtr CPP_TypeInits::BuildEnumType(InitsManager* im, ValElemVec& init_vals) const
+	{
+	auto name = im->Strings(init_vals[1]);
+	auto et = get_enum_type__CPP(name);
+
+	if ( et->Names().empty() )
+		{
+		auto n = init_vals.size();
+		auto i = 2U;
+
+		while ( i < n )
+			{
+			auto e_name = im->Strings(init_vals[i++]);
+			auto e_val = init_vals[i++];
+			et->AddNameInternal(e_name, e_val);
+			}
+		}
+
+	return et;
+	}
+
+TypePtr CPP_TypeInits::BuildOpaqueType(InitsManager* im, ValElemVec& init_vals) const
+	{
+	auto name = im->Strings(init_vals[1]);
+	return make_intrusive<OpaqueType>(name);
+	}
+
+TypePtr CPP_TypeInits::BuildTypeType(InitsManager* im, ValElemVec& init_vals) const
+	{
+	auto& t = im->Types(init_vals[1]);
+	return make_intrusive<TypeType>(t);
+	}
+
+TypePtr CPP_TypeInits::BuildVectorType(InitsManager* im, ValElemVec& init_vals) const
+	{
+	auto& t = im->Types(init_vals[1]);
+	return make_intrusive<VectorType>(t);
+	}
+
+TypePtr CPP_TypeInits::BuildTypeList(InitsManager* im, ValElemVec& init_vals, int offset) const
+	{
+	const auto& tl = cast_intrusive<TypeList>(inits_vec[offset]);
+
+	auto n = init_vals.size();
+	auto i = 1U;
+
+	while ( i < n )
+		tl->Append(im->Types(init_vals[i++]));
+
+	return tl;
+	}
+
+TypePtr CPP_TypeInits::BuildTableType(InitsManager* im, ValElemVec& init_vals) const
+	{
+	auto index = cast_intrusive<TypeList>(im->Types(init_vals[1]));
+	auto yield_i = init_vals[2];
+	auto yield = yield_i >= 0 ? im->Types(yield_i) : nullptr;
+
+	return make_intrusive<TableType>(index, yield);
+	}
+
+TypePtr CPP_TypeInits::BuildFuncType(InitsManager* im, ValElemVec& init_vals) const
+	{
+	auto p = cast_intrusive<RecordType>(im->Types(init_vals[1]));
+	auto yield_i = init_vals[2];
+	auto flavor = static_cast<FunctionFlavor>(init_vals[3]);
+
+	TypePtr y;
+
+	if ( yield_i >= 0 )
+		y = im->Types(yield_i);
+
+	else if ( flavor == FUNC_FLAVOR_FUNCTION || flavor == FUNC_FLAVOR_HOOK )
+		y = base_type(TYPE_VOID);
+
+	return make_intrusive<FuncType>(p, y, flavor);
+	}
+
+TypePtr CPP_TypeInits::BuildRecordType(InitsManager* im, ValElemVec& init_vals, int offset) const
+	{
+	auto r = cast_intrusive<RecordType>(inits_vec[offset]);
+	ASSERT(r);
+
+	if ( r->NumFields() == 0 )
+		{
+		type_decl_list tl;
+
+		auto n = init_vals.size();
+		auto i = 2U;
+
+		while ( i < n )
+			{
+			auto s = im->Strings(init_vals[i++]);
+			auto id = util::copy_string(s);
+			auto type = im->Types(init_vals[i++]);
+			auto attrs_i = init_vals[i++];
+
+			AttributesPtr attrs;
+			if ( attrs_i >= 0 )
+				attrs = im->Attributes(attrs_i);
+
+			tl.append(new TypeDecl(id, type, attrs));
+			}
+
+		r->AddFieldsDirectly(tl);
+		}
+
+	return r;
+	}
+
+int CPP_FieldMapping::ComputeOffset(InitsManager* im) const
+	{
+	auto r = im->Types(rec)->AsRecordType();
+	auto fm_offset = r->FieldOffset(field_name.c_str());
+
+	if ( fm_offset < 0 )
+		{ // field does not exist, create it
+		fm_offset = r->NumFields();
+
+		auto id = util::copy_string(field_name.c_str());
+		auto type = im->Types(field_type);
+
+		AttributesPtr attrs;
+		if ( field_attrs >= 0 )
+			attrs = im->Attributes(field_attrs);
+
+		type_decl_list tl;
+		tl.append(new TypeDecl(id, type, attrs));
+
+		r->AddFieldsDirectly(tl);
+		}
+
+	return fm_offset;
+	}
+
+int CPP_EnumMapping::ComputeOffset(InitsManager* im) const
+	{
+	auto e = im->Types(e_type)->AsEnumType();
+
+	auto em_offset = e->Lookup(e_name);
+	if ( em_offset < 0 )
+		{ // enum constant does not exist, create it
+		em_offset = e->Names().size();
+		if ( e->Lookup(em_offset) )
+			reporter->InternalError("enum inconsistency while initializing compiled scripts");
+		e->AddNameInternal(e_name, em_offset);
+		}
+
+	return em_offset;
+	}
+
+void CPP_GlobalInit::Generate(InitsManager* im, std::vector<void*>& /* inits_vec */,
+                              int /* offset */) const
+	{
+	global = lookup_global__CPP(name, im->Types(type), exported);
+
+	if ( ! global->HasVal() && val >= 0 )
+		{
+		global->SetVal(im->ConstVals(val));
+		if ( attrs >= 0 )
+			global->SetAttrs(im->Attributes(attrs));
+		}
+	}
+
+void generate_indices_set(int* inits, std::vector<std::vector<int>>& indices_set)
+	{
+	// First figure out how many groups of indices there are, so we
+	// can pre-allocate the outer vector.
+	auto i_ptr = inits;
+	int num_inits = 0;
+	while ( *i_ptr >= 0 )
+		{
+		++num_inits;
+		int n = *i_ptr;
+		i_ptr += n + 1; // skip over vector elements
+		}
+
+	indices_set.reserve(num_inits);
+
+	i_ptr = inits;
+	while ( *i_ptr >= 0 )
+		{
+		int n = *i_ptr;
+		++i_ptr;
+		std::vector<int> indices;
+		indices.reserve(n);
+		for ( int i = 0; i < n; ++i )
+			indices.push_back(i_ptr[i]);
+		i_ptr += n;
+
+		indices_set.emplace_back(move(indices));
+		}
+	}
+
+	} // zeek::detail
diff --git a/src/script_opt/CPP/RuntimeInits.h b/src/script_opt/CPP/RuntimeInits.h
new file mode 100644
index 0000000000..031208a1ce
--- /dev/null
+++ b/src/script_opt/CPP/RuntimeInits.h
@@ -0,0 +1,542 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+// Classes for run-time initialization and management of C++ values used
+// by the generated code.
+
+// See InitsInfo.h for a discussion of initialization issues and the
+// associated strategies for dealing with them.
+
+#include "zeek/Expr.h"
+#include "zeek/module_util.h"
+#include "zeek/script_opt/CPP/RuntimeInitSupport.h"
+
+#pragma once
+
+namespace zeek::detail
+	{
+
+using FileValPtr = IntrusivePtr<FileVal>;
+using FuncValPtr = IntrusivePtr<FuncVal>;
+
+class InitsManager;
+
+// An abstract helper class used to access elements of an initialization vector.
+// We need the abstraction because InitsManager below needs to be able to refer
+// to any of a range of templated classes.
+class CPP_AbstractInitAccessor
+	{
+public:
+	virtual ~CPP_AbstractInitAccessor() { }
+	virtual ValPtr Get(int index) const { return nullptr; }
+	};
+
+// Convenient way to refer to an offset associated with a particular Zeek type.
+using CPP_ValElem = std::pair<TypeTag, int>;
+
+// This class groups together all of the vectors needed for run-time
+// initialization.  We gather them together into a single object so as
+// to avoid wiring in a set of globals that the various initialization
+// methods have to know about.
+class InitsManager
+	{
+public:
+	InitsManager(std::vector<CPP_ValElem>& _const_vals,
+	             std::map<TypeTag, std::shared_ptr<CPP_AbstractInitAccessor>>& _consts,
+	             std::vector<std::vector<int>>& _indices, std::vector<const char*>& _strings,
+	             std::vector<p_hash_type>& _hashes, std::vector<TypePtr>& _types,
+	             std::vector<AttributesPtr>& _attributes, std::vector<AttrPtr>& _attrs,
+	             std::vector<CallExprPtr>& _call_exprs)
+		: const_vals(_const_vals), consts(_consts), indices(_indices), strings(_strings),
+		  hashes(_hashes), types(_types), attributes(_attributes), attrs(_attrs),
+		  call_exprs(_call_exprs)
+		{
+		}
+
+	// Providse generic access to Zeek constant values based on a single
+	// index.
+	ValPtr ConstVals(int offset) const
+		{
+		auto& cv = const_vals[offset];
+		return Consts(cv.first, cv.second);
+		}
+
+	// Retrieves the Zeek constant value for a particular Zeek type.
+	ValPtr Consts(TypeTag tag, int index) const { return consts[tag]->Get(index); }
+
+	// Accessors for the sundry initialization vectors, each retrieving
+	// a specific element identified by an index/offset.
+	const std::vector<int>& Indices(int offset) const { return indices[offset]; }
+	const char* Strings(int offset) const { return strings[offset]; }
+	const p_hash_type Hashes(int offset) const { return hashes[offset]; }
+	const TypePtr& Types(int offset) const { return types[offset]; }
+	const AttributesPtr& Attributes(int offset) const { return attributes[offset]; }
+	const AttrPtr& Attrs(int offset) const { return attrs[offset]; }
+	const CallExprPtr& CallExprs(int offset) const { return call_exprs[offset]; }
+
+private:
+	std::vector<CPP_ValElem>& const_vals;
+	std::map<TypeTag, std::shared_ptr<CPP_AbstractInitAccessor>>& consts;
+	std::vector<std::vector<int>>& indices;
+	std::vector<const char*>& strings;
+	std::vector<p_hash_type>& hashes;
+	std::vector<TypePtr>& types;
+	std::vector<AttributesPtr>& attributes;
+	std::vector<AttrPtr>& attrs;
+	std::vector<CallExprPtr>& call_exprs;
+	};
+
+// Manages an initialization vector of the given type.
+template <class T> class CPP_Init
+	{
+public:
+	virtual ~CPP_Init() { }
+
+	// Pre-initializes the given element of the vector, if necessary.
+	virtual void PreInit(InitsManager* im, std::vector<T>& inits_vec, int offset) const { }
+
+	// Initializes the given element of the vector.
+	virtual void Generate(InitsManager* im, std::vector<T>& inits_vec, int offset) const { }
+	};
+
+// Abstract class for creating a collection of initializers.  T1 is
+// the type of the generated vector, T2 the type of its initializers.
+template <class T1, class T2> class CPP_AbstractInits
+	{
+public:
+	CPP_AbstractInits(std::vector<T1>& _inits_vec, int _offsets_set, std::vector<T2> _inits)
+		: inits_vec(_inits_vec), offsets_set(_offsets_set), inits(std::move(_inits))
+		{
+		// Compute how big to make the vector.
+		int num_inits = 0;
+
+		for ( const auto& cohort : inits )
+			num_inits += cohort.size();
+
+		inits_vec.resize(num_inits);
+		}
+
+	// Initialize the given cohort of elements.
+	void InitializeCohort(InitsManager* im, int cohort)
+		{
+		// Get this object's vector-of-vector-of-indices.
+		auto& offsets_vec = im->Indices(offsets_set);
+
+		if ( cohort == 0 )
+			DoPreInits(im, offsets_vec);
+
+		// Get the vector-of-indices for this cohort.
+		auto& cohort_offsets = im->Indices(offsets_vec[cohort]);
+
+		InitializeCohortWithOffsets(im, cohort, cohort_offsets);
+		}
+
+protected:
+	virtual void InitializeCohortWithOffsets(InitsManager* im, int cohort,
+	                                         const std::vector<int>& cohort_offsets)
+		{
+		}
+
+	// Pre-initialize all elements requiring it.
+	virtual void DoPreInits(InitsManager* im, const std::vector<int>& offsets_vec) { }
+
+	// Generate a single element.
+	virtual void GenerateElement(InitsManager* im, T2& init, int offset) { }
+
+	// The initialization vector in its entirety.
+	std::vector<T1>& inits_vec;
+
+	// A meta-index for retrieving the vector-of-vector-of-indices.
+	int offsets_set;
+
+	// Indexed by cohort.
+	std::vector<T2> inits;
+	};
+
+// Manages an initialization vector that uses "custom" initializers
+// (tailored ones rather than initializers based on indexing).
+template <class T> using CPP_InitVec = std::vector<std::shared_ptr<CPP_Init<T>>>;
+template <class T> class CPP_CustomInits : public CPP_AbstractInits<T, CPP_InitVec<T>>
+	{
+public:
+	CPP_CustomInits(std::vector<T>& _inits_vec, int _offsets_set,
+	                std::vector<CPP_InitVec<T>> _inits)
+		: CPP_AbstractInits<T, CPP_InitVec<T>>(_inits_vec, _offsets_set, std::move(_inits))
+		{
+		}
+
+private:
+	void DoPreInits(InitsManager* im, const std::vector<int>& offsets_vec) override
+		{
+		int cohort = 0;
+		for ( const auto& co : this->inits )
+			{
+			auto& cohort_offsets = im->Indices(offsets_vec[cohort]);
+			for ( auto i = 0U; i < co.size(); ++i )
+				co[i]->PreInit(im, this->inits_vec, cohort_offsets[i]);
+			++cohort;
+			}
+		}
+
+	void InitializeCohortWithOffsets(InitsManager* im, int cohort,
+	                                 const std::vector<int>& cohort_offsets) override
+		{
+		// Loop over the cohort's elements to initialize them.
+		auto& co = this->inits[cohort];
+		for ( auto i = 0U; i < co.size(); ++i )
+			co[i]->Generate(im, this->inits_vec, cohort_offsets[i]);
+		}
+	};
+
+// Provides access to elements of an initialization vector of the given type.
+template <class T> class CPP_InitAccessor : public CPP_AbstractInitAccessor
+	{
+public:
+	CPP_InitAccessor(std::vector<T>& _inits_vec) : inits_vec(_inits_vec) { }
+
+	ValPtr Get(int index) const override { return inits_vec[index]; }
+
+private:
+	std::vector<T>& inits_vec;
+	};
+
+// A type used for initializations that are based on indices into
+// initialization vectors.
+using ValElemVec = std::vector<int>;
+using ValElemVecVec = std::vector<ValElemVec>;
+
+// Manages an initialization vector of the given type whose elements are
+// built up from previously constructed values in other initialization vectors.
+template <class T> class CPP_IndexedInits : public CPP_AbstractInits<T, ValElemVecVec>
+	{
+public:
+	CPP_IndexedInits(std::vector<T>& _inits_vec, int _offsets_set,
+	                 std::vector<ValElemVecVec> _inits)
+		: CPP_AbstractInits<T, ValElemVecVec>(_inits_vec, _offsets_set, std::move(_inits))
+		{
+		}
+
+protected:
+	void InitializeCohortWithOffsets(InitsManager* im, int cohort,
+	                                 const std::vector<int>& cohort_offsets) override;
+
+	// Note, in the following we pass in the inits_vec, even though
+	// the method will have direct access to it, because we want to
+	// use overloading to dispatch to custom generation for different
+	// types of values.
+	void Generate(InitsManager* im, std::vector<EnumValPtr>& ivec, int offset,
+	              ValElemVec& init_vals);
+	void Generate(InitsManager* im, std::vector<StringValPtr>& ivec, int offset,
+	              ValElemVec& init_vals);
+	void Generate(InitsManager* im, std::vector<PatternValPtr>& ivec, int offset,
+	              ValElemVec& init_vals);
+	void Generate(InitsManager* im, std::vector<ListValPtr>& ivec, int offset,
+	              ValElemVec& init_vals) const;
+	void Generate(InitsManager* im, std::vector<VectorValPtr>& ivec, int offset,
+	              ValElemVec& init_vals) const;
+	void Generate(InitsManager* im, std::vector<RecordValPtr>& ivec, int offset,
+	              ValElemVec& init_vals) const;
+	void Generate(InitsManager* im, std::vector<TableValPtr>& ivec, int offset,
+	              ValElemVec& init_vals) const;
+	void Generate(InitsManager* im, std::vector<FileValPtr>& ivec, int offset,
+	              ValElemVec& init_vals) const;
+	void Generate(InitsManager* im, std::vector<FuncValPtr>& ivec, int offset,
+	              ValElemVec& init_vals) const;
+	void Generate(InitsManager* im, std::vector<AttrPtr>& ivec, int offset,
+	              ValElemVec& init_vals) const;
+	void Generate(InitsManager* im, std::vector<AttributesPtr>& ivec, int offset,
+	              ValElemVec& init_vals) const;
+
+	// The TypePtr initialization vector requires special treatment, since
+	// it has to dispatch on subclasses of TypePtr.
+	virtual void Generate(InitsManager* im, std::vector<TypePtr>& ivec, int offset,
+	                      ValElemVec& init_vals) const
+		{
+		ASSERT(0);
+		}
+	};
+
+// A specialization of CPP_IndexedInits that supports initializing based
+// on subclasses of TypePtr.
+class CPP_TypeInits : public CPP_IndexedInits<TypePtr>
+	{
+public:
+	CPP_TypeInits(std::vector<TypePtr>& _inits_vec, int _offsets_set,
+	              std::vector<std::vector<ValElemVec>> _inits)
+		: CPP_IndexedInits<TypePtr>(_inits_vec, _offsets_set, _inits)
+		{
+		}
+
+protected:
+	void DoPreInits(InitsManager* im, const std::vector<int>& offsets_vec) override;
+	void PreInit(InitsManager* im, int offset, ValElemVec& init_vals);
+
+	void Generate(InitsManager* im, std::vector<TypePtr>& ivec, int offset,
+	              ValElemVec& init_vals) const override;
+
+	TypePtr BuildEnumType(InitsManager* im, ValElemVec& init_vals) const;
+	TypePtr BuildOpaqueType(InitsManager* im, ValElemVec& init_vals) const;
+	TypePtr BuildTypeType(InitsManager* im, ValElemVec& init_vals) const;
+	TypePtr BuildVectorType(InitsManager* im, ValElemVec& init_vals) const;
+	TypePtr BuildTypeList(InitsManager* im, ValElemVec& init_vals, int offset) const;
+	TypePtr BuildTableType(InitsManager* im, ValElemVec& init_vals) const;
+	TypePtr BuildFuncType(InitsManager* im, ValElemVec& init_vals) const;
+	TypePtr BuildRecordType(InitsManager* im, ValElemVec& init_vals, int offset) const;
+	};
+
+// Abstract class for initializing basic (non-compound) constants.  T1 is
+// the Zeek type for the constructed constant, T2 is the C++ type of its
+// initializer.
+//
+// In principle we could derive this from CPP_AbstractInits, though to do so
+// we'd need to convert the initializers to a vector-of-vector-of-T2, which
+// would trade complexity here for complexity in InitsInfo.  So we instead
+// keep this class distinct, since at heart it's a simpler set of methods
+// and that way we can keep them as such here.
+template <class T1, typename T2> class CPP_AbstractBasicConsts
+	{
+public:
+	CPP_AbstractBasicConsts(std::vector<T1>& _inits_vec, int _offsets_set, std::vector<T2> _inits)
+		: inits_vec(_inits_vec), offsets_set(_offsets_set), inits(std::move(_inits))
+		{
+		inits_vec.resize(inits.size());
+		}
+
+	void InitializeCohort(InitsManager* im, int cohort)
+		{
+		ASSERT(cohort == 0);
+		auto& offsets_vec = im->Indices(offsets_set);
+		auto& cohort_offsets = im->Indices(offsets_vec[cohort]);
+		for ( auto i = 0U; i < inits.size(); ++i )
+			InitElem(im, cohort_offsets[i], i);
+		}
+
+protected:
+	virtual void InitElem(InitsManager* im, int offset, int index) { ASSERT(0); }
+
+protected:
+	// See CPP_AbstractInits for the nature of these.
+	std::vector<T1>& inits_vec;
+	int offsets_set;
+	std::vector<T2> inits;
+	};
+
+// Class for initializing a basic constant of Zeek type T1, using initializers
+// of C++ type T2.  T1 is an intrusive pointer to a T3 type; for example, if
+// T1 is a BoolValPtr then T3 will be BoolVal.
+template <class T1, typename T2, class T3>
+class CPP_BasicConsts : public CPP_AbstractBasicConsts<T1, T2>
+	{
+public:
+	CPP_BasicConsts(std::vector<T1>& _inits_vec, int _offsets_set, std::vector<T2> _inits)
+		: CPP_AbstractBasicConsts<T1, T2>(_inits_vec, _offsets_set, std::move(_inits))
+		{
+		}
+
+	void InitElem(InitsManager* /* im */, int offset, int index) override
+		{
+		this->inits_vec[offset] = make_intrusive<T3>(this->inits[index]);
+		}
+	};
+
+// Specific classes for basic constants that use string-based constructors.
+class CPP_AddrConsts : public CPP_AbstractBasicConsts<AddrValPtr, int>
+	{
+public:
+	CPP_AddrConsts(std::vector<AddrValPtr>& _inits_vec, int _offsets_set, std::vector<int> _inits)
+		: CPP_AbstractBasicConsts<AddrValPtr, int>(_inits_vec, _offsets_set, std::move(_inits))
+		{
+		}
+
+	void InitElem(InitsManager* im, int offset, int index) override
+		{
+		auto s = im->Strings(this->inits[index]);
+		this->inits_vec[offset] = make_intrusive<AddrVal>(s);
+		}
+	};
+
+class CPP_SubNetConsts : public CPP_AbstractBasicConsts<SubNetValPtr, int>
+	{
+public:
+	CPP_SubNetConsts(std::vector<SubNetValPtr>& _inits_vec, int _offsets_set,
+	                 std::vector<int> _inits)
+		: CPP_AbstractBasicConsts<SubNetValPtr, int>(_inits_vec, _offsets_set, std::move(_inits))
+		{
+		}
+
+	void InitElem(InitsManager* im, int offset, int index) override
+		{
+		auto s = im->Strings(this->inits[index]);
+		this->inits_vec[offset] = make_intrusive<SubNetVal>(s);
+		}
+	};
+
+// Class for initializing a Zeek global.  These don't go into an initialization
+// vector, so we use void* as the underlying type.
+class CPP_GlobalInit : public CPP_Init<void*>
+	{
+public:
+	CPP_GlobalInit(IDPtr& _global, const char* _name, int _type, int _attrs, int _val,
+	               bool _exported)
+		: CPP_Init<void*>(), global(_global), name(_name), type(_type), attrs(_attrs), val(_val),
+		  exported(_exported)
+		{
+		}
+
+	void Generate(InitsManager* im, std::vector<void*>& /* inits_vec */,
+	              int /* offset */) const override;
+
+protected:
+	IDPtr& global;
+	const char* name;
+	int type;
+	int attrs;
+	int val;
+	bool exported;
+	};
+
+// Abstract class for constructing a CallExpr to evaluate a Zeek expression.
+class CPP_AbstractCallExprInit : public CPP_Init<CallExprPtr>
+	{
+public:
+	CPP_AbstractCallExprInit() : CPP_Init<CallExprPtr>() { }
+	};
+
+// Constructs a CallExpr that calls a given CPPFunc subclass.
+template <class T> class CPP_CallExprInit : public CPP_AbstractCallExprInit
+	{
+public:
+	CPP_CallExprInit(CallExprPtr& _e_var) : CPP_AbstractCallExprInit(), e_var(_e_var) { }
+
+	void Generate(InitsManager* /* im */, std::vector<CallExprPtr>& inits_vec,
+	              int offset) const override
+		{
+		auto wrapper_class = make_intrusive<T>();
+		auto func_val = make_intrusive<FuncVal>(wrapper_class);
+		auto func_expr = make_intrusive<ConstExpr>(func_val);
+		auto empty_args = make_intrusive<ListExpr>();
+
+		e_var = make_intrusive<CallExpr>(func_expr, empty_args);
+		inits_vec[offset] = e_var;
+		}
+
+private:
+	// Where to store the expression once we've built it.
+	CallExprPtr& e_var;
+	};
+
+// Abstract class for registering a lambda defined in terms of a CPPStmt.
+class CPP_AbstractLambdaRegistration : public CPP_Init<void*>
+	{
+public:
+	CPP_AbstractLambdaRegistration() : CPP_Init<void*>() { }
+	};
+
+// Registers a lambda defined in terms of a given CPPStmt subclass.
+template <class T> class CPP_LambdaRegistration : public CPP_AbstractLambdaRegistration
+	{
+public:
+	CPP_LambdaRegistration(const char* _name, int _func_type, p_hash_type _h, bool _has_captures)
+		: CPP_AbstractLambdaRegistration(), name(_name), func_type(_func_type), h(_h),
+		  has_captures(_has_captures)
+		{
+		}
+
+	void Generate(InitsManager* im, std::vector<void*>& inits_vec, int offset) const override
+		{
+		auto l = make_intrusive<T>(name);
+		auto& ft = im->Types(func_type);
+		register_lambda__CPP(l, h, name, ft, has_captures);
+		}
+
+protected:
+	const char* name;
+	int func_type;
+	p_hash_type h;
+	bool has_captures;
+	};
+
+// Constructs at run-time a mapping between abstract record field offsets used
+// when compiling a set of scripts to their concrete offsets (which might differ
+// from those during compilation due to loading of other scripts that extend
+// various records).
+class CPP_FieldMapping
+	{
+public:
+	CPP_FieldMapping(int _rec, std::string _field_name, int _field_type, int _field_attrs)
+		: rec(_rec), field_name(std::move(_field_name)), field_type(_field_type),
+		  field_attrs(_field_attrs)
+		{
+		}
+
+	int ComputeOffset(InitsManager* im) const;
+
+private:
+	int rec; // index to retrieve the record's type
+	std::string field_name; // which field this offset pertains to
+	int field_type; // the field's type, in case we have to construct it
+	int field_attrs; // the same for the field's attributes
+	};
+
+// Constructs at run-time a mapping between abstract enum values used when
+// compiling a set of scripts to their concrete values (which might differ
+// from those during compilation due to loading of other scripts that extend
+// the enum).
+class CPP_EnumMapping
+	{
+public:
+	CPP_EnumMapping(int _e_type, std::string _e_name) : e_type(_e_type), e_name(std::move(_e_name))
+		{
+		}
+
+	int ComputeOffset(InitsManager* im) const;
+
+private:
+	int e_type; // index to EnumType
+	std::string e_name; // which enum constant for that type
+	};
+
+// Looks up a BiF of the given name, making it available to compiled
+// code via a C++ global.
+class CPP_LookupBiF
+	{
+public:
+	CPP_LookupBiF(zeek::Func*& _bif_func, std::string _bif_name)
+		: bif_func(_bif_func), bif_name(std::move(_bif_name))
+		{
+		}
+
+	void ResolveBiF() const { bif_func = lookup_bif__CPP(bif_name.c_str()); }
+
+protected:
+	zeek::Func*& bif_func; // where to store the pointer to the BiF
+	std::string bif_name; // the BiF's name
+	};
+
+// Information needed to register a compiled function body (which makes it
+// available to substitute for the body's AST).  The compiler generates
+// code that loops over a vector of these to perform the registrations.
+struct CPP_RegisterBody
+	{
+	CPP_RegisterBody(std::string _func_name, void* _func, int _type_signature, int _priority,
+	                 p_hash_type _h, std::vector<std::string> _events)
+		: func_name(std::move(_func_name)), func(_func), type_signature(_type_signature),
+		  priority(_priority), h(_h), events(std::move(_events))
+		{
+		}
+
+	std::string func_name; // name of the function
+	void* func; // pointer to C++
+	int type_signature;
+	int priority;
+	p_hash_type h;
+	std::vector<std::string> events;
+	};
+
+// Helper function that takes a (large) array of int's and from them
+// constructs the corresponding vector-of-vector-of-indices.  Each
+// vector-of-indices is represented first by an int specifying its
+// size, and then that many int's for its values.  We recognize the
+// end of the array upon encountering a "size" entry of -1.
+extern void generate_indices_set(int* inits, std::vector<std::vector<int>>& indices_set);
+
+	} // zeek::detail
diff --git a/src/script_opt/CPP/Stmts.cc b/src/script_opt/CPP/Stmts.cc
index 47d8f713a9..f62e72b4cb 100644
--- a/src/script_opt/CPP/Stmts.cc
+++ b/src/script_opt/CPP/Stmts.cc
@@ -245,7 +245,7 @@ void CPPCompile::GenSwitchStmt(const SwitchStmt* sw)
 	else
 		sw_val = string("p_hash(") + GenExpr(e, GEN_VAL_PTR) + ")";
 
-	Emit("switch ( %s ) {", sw_val.c_str());
+	Emit("switch ( %s ) {", sw_val);
 
 	++break_level;
 
diff --git a/src/script_opt/CPP/Tracker.cc b/src/script_opt/CPP/Tracker.cc
index e82e5878b2..8eeb616e5e 100644
--- a/src/script_opt/CPP/Tracker.cc
+++ b/src/script_opt/CPP/Tracker.cc
@@ -51,13 +51,25 @@ template <class T> string CPPTracker<T>::KeyName(const T* key)
 	auto hash = map[key];
 	ASSERT(hash != 0);
 
+	auto rep = reps[hash];
+	if ( gi_s.count(rep) > 0 )
+		return gi_s[rep]->Name();
+
 	auto index = map2[hash];
 
 	string scope;
 	if ( IsInherited(hash) )
 		scope = scope_prefix(scope2[hash]);
 
-	return scope + string(base_name) + "_" + Fmt(index) + "__CPP";
+	string ind = Fmt(index);
+	string full_name;
+
+	if ( single_global )
+		full_name = base_name + "__CPP[" + ind + "]";
+	else
+		full_name = base_name + "_" + ind + "__CPP";
+
+	return scope + full_name;
 	}
 
 template <class T> void CPPTracker<T>::LogIfNew(IntrusivePtr<T> key, int scope, FILE* log_file)
diff --git a/src/script_opt/CPP/Tracker.h b/src/script_opt/CPP/Tracker.h
index 175d48192e..6005247058 100644
--- a/src/script_opt/CPP/Tracker.h
+++ b/src/script_opt/CPP/Tracker.h
@@ -15,6 +15,7 @@
 #pragma once
 
 #include "zeek/script_opt/CPP/HashMgr.h"
+#include "zeek/script_opt/CPP/InitsInfo.h"
 
 namespace zeek::detail
 	{
@@ -24,11 +25,13 @@ namespace zeek::detail
 template <class T> class CPPTracker
 	{
 public:
-	// The base name is used to construct key names.  The mapper,
-	// if present, maps hash values to information about the previously
-	// generated scope in which the value appears.
-	CPPTracker(const char* _base_name, VarMapper* _mapper = nullptr)
-		: base_name(_base_name), mapper(_mapper)
+	// The base name is used to construct key names.  "single_global",
+	// if true, specifies that the names should be constructed as
+	// indexes into a single global, rather than as distinct globals.
+	// The mapper, if present, maps hash values to information about
+	// the previously generated scope in which the value appears.
+	CPPTracker(const char* _base_name, bool _single_global, VarMapper* _mapper = nullptr)
+		: base_name(_base_name), single_global(_single_global), mapper(_mapper)
 		{
 		}
 
@@ -40,6 +43,8 @@ public:
 	// is provided, then refrains from computing it.
 	void AddKey(IntrusivePtr<T> key, p_hash_type h = 0);
 
+	void AddInitInfo(const T* rep, std::shared_ptr<CPP_InitInfo> gi) { gi_s[rep] = std::move(gi); }
+
 	// Returns the (C++ variable) name associated with the given key.
 	std::string KeyName(const T* key);
 	std::string KeyName(IntrusivePtr<T> key) { return KeyName(key.get()); }
@@ -81,6 +86,8 @@ private:
 	// Maps keys to internal representations (i.e., hashes).
 	std::unordered_map<const T*, p_hash_type> map;
 
+	std::unordered_map<const T*, std::shared_ptr<CPP_InitInfo>> gi_s;
+
 	// Maps internal representations to distinct values.  These
 	// may-or-may-not be indices into an "inherited" namespace scope.
 	std::unordered_map<p_hash_type, int> map2;
@@ -98,6 +105,10 @@ private:
 	// Used to construct key names.
 	std::string base_name;
 
+	// Whether to base the names out of a single global, or distinct
+	// globals.
+	bool single_global;
+
 	// If non-nil, the mapper to consult for previous names.
 	VarMapper* mapper;
 	};
diff --git a/src/script_opt/CPP/Types.cc b/src/script_opt/CPP/Types.cc
index 1e04a33206..c55a2287f8 100644
--- a/src/script_opt/CPP/Types.cc
+++ b/src/script_opt/CPP/Types.cc
@@ -91,170 +91,13 @@ string CPPCompile::GenericValPtrToGT(const string& expr, const TypePtr& t, GenTy
 		return string("cast_intrusive<") + IntrusiveVal(t) + ">(" + expr + ")";
 	}
 
-void CPPCompile::ExpandTypeVar(const TypePtr& t)
-	{
-	auto tn = GenTypeName(t);
-
-	switch ( t->Tag() )
-		{
-		case TYPE_LIST:
-			ExpandListTypeVar(t, tn);
-			break;
-
-		case TYPE_RECORD:
-			ExpandRecordTypeVar(t, tn);
-			break;
-
-		case TYPE_ENUM:
-			ExpandEnumTypeVar(t, tn);
-			break;
-
-		case TYPE_TABLE:
-			ExpandTableTypeVar(t, tn);
-			break;
-
-		case TYPE_FUNC:
-			ExpandFuncTypeVar(t, tn);
-			break;
-
-		case TYPE_TYPE:
-			AddInit(t, tn,
-			        string("make_intrusive<TypeType>(") + GenTypeName(t->AsTypeType()->GetType()) +
-			            ")");
-			break;
-
-		case TYPE_VECTOR:
-			AddInit(t, tn,
-			        string("make_intrusive<VectorType>(") +
-			            GenTypeName(t->AsVectorType()->Yield()) + ")");
-			break;
-
-		default:
-			break;
-		}
-
-	auto& script_type_name = t->GetName();
-	if ( ! script_type_name.empty() )
-		AddInit(t, "register_type__CPP(" + tn + ", \"" + script_type_name + "\");");
-
-	AddInit(t);
-	}
-
-void CPPCompile::ExpandListTypeVar(const TypePtr& t, string& tn)
-	{
-	const auto& tl = t->AsTypeList()->GetTypes();
-	auto t_name = tn + "->AsTypeList()";
-
-	for ( const auto& tl_i : tl )
-		AddInit(t, t_name + "->Append(" + GenTypeName(tl_i) + ");");
-	}
-
-void CPPCompile::ExpandRecordTypeVar(const TypePtr& t, string& tn)
-	{
-	auto r = t->AsRecordType()->Types();
-
-	if ( ! r )
-		return;
-
-	auto t_name = tn + "->AsRecordType()";
-
-	AddInit(t, string("if ( ") + t_name + "->NumFields() == 0 )");
-
-	AddInit(t, "{");
-	AddInit(t, "type_decl_list tl;");
-
-	for ( auto i = 0; i < r->length(); ++i )
-		{
-		const auto& td = (*r)[i];
-		AddInit(t, GenTypeDecl(td));
-		}
-
-	AddInit(t, t_name + "->AddFieldsDirectly(tl);");
-	AddInit(t, "}");
-	}
-
-void CPPCompile::ExpandEnumTypeVar(const TypePtr& t, string& tn)
-	{
-	auto e_name = tn + "->AsEnumType()";
-	auto et = t->AsEnumType();
-	auto names = et->Names();
-
-	AddInit(t, "{ auto et = " + e_name + ";");
-	AddInit(t, "if ( et->Names().empty() ) {");
-
-	for ( const auto& name_pair : et->Names() )
-		AddInit(t, string("\tet->AddNameInternal(\"") + name_pair.first + "\", " +
-		               Fmt(int(name_pair.second)) + ");");
-
-	AddInit(t, "}}");
-	}
-
-void CPPCompile::ExpandTableTypeVar(const TypePtr& t, string& tn)
-	{
-	auto tbl = t->AsTableType();
-
-	const auto& indices = tbl->GetIndices();
-	const auto& yield = tbl->Yield();
-
-	if ( tbl->IsSet() )
-		AddInit(t, tn,
-		        string("make_intrusive<SetType>(cast_intrusive<TypeList>(") + GenTypeName(indices) +
-		            " ), nullptr)");
-	else
-		AddInit(t, tn,
-		        string("make_intrusive<TableType>(cast_intrusive<TypeList>(") +
-		            GenTypeName(indices) + "), " + GenTypeName(yield) + ")");
-	}
-
-void CPPCompile::ExpandFuncTypeVar(const TypePtr& t, string& tn)
-	{
-	auto f = t->AsFuncType();
-
-	auto args_type_accessor = GenTypeName(f->Params());
-	const auto& yt = f->Yield();
-
-	string yield_type_accessor;
-
-	if ( yt )
-		yield_type_accessor += GenTypeName(yt);
-	else
-		yield_type_accessor += "nullptr";
-
-	auto fl = f->Flavor();
-
-	string fl_name;
-	if ( fl == FUNC_FLAVOR_FUNCTION )
-		fl_name = "FUNC_FLAVOR_FUNCTION";
-	else if ( fl == FUNC_FLAVOR_EVENT )
-		fl_name = "FUNC_FLAVOR_EVENT";
-	else if ( fl == FUNC_FLAVOR_HOOK )
-		fl_name = "FUNC_FLAVOR_HOOK";
-
-	auto type_init = string("make_intrusive<FuncType>(cast_intrusive<RecordType>(") +
-	                 args_type_accessor + "), " + yield_type_accessor + ", " + fl_name + ")";
-
-	AddInit(t, tn, type_init);
-	}
-
-string CPPCompile::GenTypeDecl(const TypeDecl* td)
-	{
-	auto type_accessor = GenTypeName(td->type);
-
-	auto td_name = string("util::copy_string(\"") + td->id + "\")";
-
-	if ( td->attrs )
-		return string("tl.append(new TypeDecl(") + td_name + ", " + type_accessor + ", " +
-		       AttrsName(td->attrs) + "));";
-
-	return string("tl.append(new TypeDecl(") + td_name + ", " + type_accessor + "));";
-	}
-
 string CPPCompile::GenTypeName(const Type* t)
 	{
+	ASSERT(processed_types.count(TypeRep(t)) > 0);
 	return types.KeyName(TypeRep(t));
 	}
 
-const char* CPPCompile::TypeTagName(TypeTag tag) const
+const char* CPPCompile::TypeTagName(TypeTag tag)
 	{
 	switch ( tag )
 		{
@@ -280,6 +123,8 @@ const char* CPPCompile::TypeTagName(TypeTag tag) const
 			return "TYPE_INT";
 		case TYPE_INTERVAL:
 			return "TYPE_INTERVAL";
+		case TYPE_LIST:
+			return "TYPE_LIST";
 		case TYPE_OPAQUE:
 			return "TYPE_OPAQUE";
 		case TYPE_PATTERN:
@@ -431,16 +276,16 @@ const char* CPPCompile::TypeType(const TypePtr& t)
 		}
 	}
 
-void CPPCompile::RegisterType(const TypePtr& tp)
+shared_ptr<CPP_InitInfo> CPPCompile::RegisterType(const TypePtr& tp)
 	{
 	auto t = TypeRep(tp);
 
 	if ( processed_types.count(t) > 0 )
-		return;
+		return processed_types[t];
 
-	// Add the type before going further, to avoid loops due to types
-	// that reference each other.
-	processed_types.insert(t);
+	processed_types[t] = nullptr;
+
+	shared_ptr<CPP_InitInfo> gi;
 
 	switch ( t->Tag() )
 		{
@@ -449,7 +294,6 @@ void CPPCompile::RegisterType(const TypePtr& tp)
 		case TYPE_BOOL:
 		case TYPE_COUNT:
 		case TYPE_DOUBLE:
-		case TYPE_ENUM:
 		case TYPE_ERROR:
 		case TYPE_INT:
 		case TYPE_INTERVAL:
@@ -459,119 +303,53 @@ void CPPCompile::RegisterType(const TypePtr& tp)
 		case TYPE_TIME:
 		case TYPE_TIMER:
 		case TYPE_VOID:
-		case TYPE_OPAQUE:
 		case TYPE_SUBNET:
 		case TYPE_FILE:
-			// Nothing to do.
+			gi = make_shared<BaseTypeInfo>(this, tp);
+			break;
+
+		case TYPE_ENUM:
+			gi = make_shared<EnumTypeInfo>(this, tp);
+			break;
+
+		case TYPE_OPAQUE:
+			gi = make_shared<OpaqueTypeInfo>(this, tp);
 			break;
 
 		case TYPE_TYPE:
-			{
-			const auto& tt = t->AsTypeType()->GetType();
-			NoteNonRecordInitDependency(t, tt);
-			RegisterType(tt);
-			}
+			gi = make_shared<TypeTypeInfo>(this, tp);
 			break;
 
 		case TYPE_VECTOR:
-			{
-			const auto& yield = t->AsVectorType()->Yield();
-			NoteNonRecordInitDependency(t, yield);
-			RegisterType(yield);
-			}
+			gi = make_shared<VectorTypeInfo>(this, tp);
 			break;
 
 		case TYPE_LIST:
-			RegisterListType(tp);
+			gi = make_shared<ListTypeInfo>(this, tp);
 			break;
 
 		case TYPE_TABLE:
-			RegisterTableType(tp);
+			gi = make_shared<TableTypeInfo>(this, tp);
 			break;
 
 		case TYPE_RECORD:
-			RegisterRecordType(tp);
+			gi = make_shared<RecordTypeInfo>(this, tp);
 			break;
 
 		case TYPE_FUNC:
-			RegisterFuncType(tp);
+			gi = make_shared<FuncTypeInfo>(this, tp);
 			break;
 
 		default:
 			reporter->InternalError("bad type in CPPCompile::RegisterType");
 		}
 
-	AddInit(t);
+	type_info->AddInstance(gi);
+	processed_types[t] = gi;
 
-	if ( ! types.IsInherited(t) )
-		{
-		auto t_rep = types.GetRep(t);
-		if ( t_rep == t )
-			GenPreInit(t);
-		else
-			NoteInitDependency(t, t_rep);
-		}
-	}
+	types.AddInitInfo(t, gi);
 
-void CPPCompile::RegisterListType(const TypePtr& t)
-	{
-	const auto& tl = t->AsTypeList()->GetTypes();
-
-	for ( auto& tl_i : tl )
-		{
-		NoteNonRecordInitDependency(t, tl_i);
-		RegisterType(tl_i);
-		}
-	}
-
-void CPPCompile::RegisterTableType(const TypePtr& t)
-	{
-	auto tbl = t->AsTableType();
-	const auto& indices = tbl->GetIndices();
-	const auto& yield = tbl->Yield();
-
-	NoteNonRecordInitDependency(t, indices);
-	RegisterType(indices);
-
-	if ( yield )
-		{
-		NoteNonRecordInitDependency(t, yield);
-		RegisterType(yield);
-		}
-	}
-
-void CPPCompile::RegisterRecordType(const TypePtr& t)
-	{
-	auto r = t->AsRecordType()->Types();
-
-	if ( ! r )
-		return;
-
-	for ( const auto& r_i : *r )
-		{
-		NoteNonRecordInitDependency(t, r_i->type);
-		RegisterType(r_i->type);
-
-		if ( r_i->attrs )
-			{
-			NoteInitDependency(t, r_i->attrs);
-			RegisterAttributes(r_i->attrs);
-			}
-		}
-	}
-
-void CPPCompile::RegisterFuncType(const TypePtr& t)
-	{
-	auto f = t->AsFuncType();
-
-	NoteInitDependency(t, TypeRep(f->Params()));
-	RegisterType(f->Params());
-
-	if ( f->Yield() )
-		{
-		NoteNonRecordInitDependency(t, f->Yield());
-		RegisterType(f->Yield());
-		}
+	return gi;
 	}
 
 const char* CPPCompile::NativeAccessor(const TypePtr& t)
diff --git a/src/script_opt/CPP/Vars.cc b/src/script_opt/CPP/Vars.cc
index 6d06ffd08d..432dce39a9 100644
--- a/src/script_opt/CPP/Vars.cc
+++ b/src/script_opt/CPP/Vars.cc
@@ -83,7 +83,7 @@ void CPPCompile::CreateGlobal(const ID* g)
 	if ( pfs.Globals().count(g) == 0 )
 		{
 		// Only used in the context of calls.  If it's compilable,
-		// the we'll call it directly.
+		// then we'll call it directly.
 		if ( compilable_funcs.count(gn) > 0 )
 			{
 			AddGlobal(gn, "zf", true);
@@ -102,18 +102,12 @@ void CPPCompile::CreateGlobal(const ID* g)
 		Emit("IDPtr %s;", globals[gn]);
 
 		if ( pfs.Events().count(gn) > 0 )
-			// This is an event that's also used as
-			// a variable.
+			// This is an event that's also used as a variable.
 			Emit("EventHandlerPtr %s_ev;", globals[gn]);
 
-		const auto& t = g->GetType();
-		NoteInitDependency(g, TypeRep(t));
-
-		auto exported = g->IsExport() ? "true" : "false";
-
-		AddInit(g, globals[gn],
-		        string("lookup_global__CPP(\"") + gn + "\", " + GenTypeName(t) + ", " + exported +
-		            ")");
+		auto gi = make_shared<GlobalInitInfo>(this, g, globals[gn]);
+		global_id_info->AddInstance(gi);
+		global_gis[g] = gi;
 		}
 
 	if ( is_bif )
@@ -124,40 +118,22 @@ void CPPCompile::CreateGlobal(const ID* g)
 	global_vars.emplace(g);
 	}
 
-void CPPCompile::UpdateGlobalHashes()
+std::shared_ptr<CPP_InitInfo> CPPCompile::RegisterGlobal(const ID* g)
 	{
-	for ( auto& g : pfs.AllGlobals() )
+	if ( global_gis.count(g) == 0 )
 		{
-		auto gn = g->Name();
+		auto gn = string(g->Name());
 
-		if ( hm.HasGlobal(gn) )
-			// Not new to this compilation run.
-			continue;
+		if ( globals.count(gn) == 0 )
+			// Create a name for it.
+			(void)IDNameStr(g);
 
-		auto ht = pfs.HashType(g->GetType());
-
-		p_hash_type hv = 0;
-		if ( g->GetVal() )
-			hv = p_hash(g->GetVal());
-
-		fprintf(hm.HashFile(), "global\n%s\n", gn);
-		fprintf(hm.HashFile(), "%llu %llu\n", ht, hv);
-
-		// Record location information in the hash file for
-		// diagnostic purposes.
-		auto loc = g->GetLocationInfo();
-		fprintf(hm.HashFile(), "%s %d\n", loc->filename, loc->first_line);
-
-		// Flag any named record/enum types.
-		if ( g->IsType() )
-			{
-			const auto& t = g->GetType();
-			if ( t->Tag() == TYPE_RECORD )
-				fprintf(hm.HashFile(), "record\n%s\n", gn);
-			else if ( t->Tag() == TYPE_ENUM )
-				fprintf(hm.HashFile(), "enum\n%s\n", gn);
-			}
+		auto gi = make_shared<GlobalInitInfo>(this, g, globals[gn]);
+		global_id_info->AddInstance(gi);
+		global_gis[g] = gi;
 		}
+
+	return global_gis[g];
 	}
 
 void CPPCompile::AddBiF(const ID* b, bool is_var)
@@ -170,12 +146,8 @@ void CPPCompile::AddBiF(const ID* b, bool is_var)
 	if ( AddGlobal(n, "bif", true) )
 		Emit("Func* %s;", globals[n]);
 
-	auto lookup = string("lookup_bif__CPP(\"") + bn + "\")";
-
-	if ( standalone )
-		AddActivation(globals[n] + " = " + lookup + ";");
-	else
-		AddInit(b, globals[n], lookup);
+	ASSERT(BiFs.count(globals[n]) == 0);
+	BiFs[globals[n]] = bn;
 	}
 
 bool CPPCompile::AddGlobal(const string& g, const char* suffix, bool track)
@@ -189,13 +161,8 @@ bool CPPCompile::AddGlobal(const string& g, const char* suffix, bool track)
 		if ( hm.HasGlobalVar(gn) )
 			gn = scope_prefix(hm.GlobalVarScope(gn)) + gn;
 		else
-			{
 			new_var = true;
 
-			if ( track && update )
-				fprintf(hm.HashFile(), "global-var\n%s\n%d\n", gn.c_str(), addl_tag);
-			}
-
 		globals.emplace(g, gn);
 		}
 
@@ -207,18 +174,19 @@ void CPPCompile::RegisterEvent(string ev_name)
 	body_events[body_name].emplace_back(move(ev_name));
 	}
 
-const string& CPPCompile::IDNameStr(const ID* id) const
+const string& CPPCompile::IDNameStr(const ID* id)
 	{
 	if ( id->IsGlobal() )
 		{
 		auto g = string(id->Name());
-		ASSERT(globals.count(g) > 0);
-		return ((CPPCompile*)(this))->globals[g];
+		if ( globals.count(g) == 0 )
+			CreateGlobal(id);
+		return globals[g];
 		}
 
 	ASSERT(locals.count(id) > 0);
 
-	return ((CPPCompile*)(this))->locals[id];
+	return locals[id];
 	}
 
 string CPPCompile::LocalName(const ID* l) const
diff --git a/src/script_opt/ScriptOpt.cc b/src/script_opt/ScriptOpt.cc
index 9f12373ce9..aa70a8ae9d 100644
--- a/src/script_opt/ScriptOpt.cc
+++ b/src/script_opt/ScriptOpt.cc
@@ -399,7 +399,7 @@ static void generate_CPP(std::unique_ptr<ProfileFuncs>& pfs)
 	{
 	const auto hash_name = hash_dir + "CPP-hashes";
 
-	auto hm = std::make_unique<CPPHashManager>(hash_name.c_str(), analysis_options.add_CPP);
+	auto hm = std::make_unique<CPPHashManager>(hash_name.c_str());
 
 	if ( analysis_options.gen_CPP )
 		{
@@ -413,26 +413,12 @@ static void generate_CPP(std::unique_ptr<ProfileFuncs>& pfs)
 				}
 			}
 		}
-	else
-		{ // doing add-C++ instead, so look for previous compilations
-		for ( auto& func : funcs )
-			{
-			auto hash = func.Profile()->HashVal();
-			if ( compiled_scripts.count(hash) > 0 || hm->HasHash(hash) )
-				func.SetSkip(true);
-			}
-
-		// Now that we've presumably marked a lot of functions
-		// as skippable, recompute the global profile.
-		pfs = std::make_unique<ProfileFuncs>(funcs, is_CPP_compilable, false);
-		}
 
 	const auto gen_name = hash_dir + "CPP-gen.cc";
 	const auto addl_name = hash_dir + "CPP-gen-addl.h";
 
-	CPPCompile cpp(funcs, *pfs, gen_name, addl_name, *hm,
-	               analysis_options.gen_CPP || analysis_options.update_CPP,
-	               analysis_options.gen_standalone_CPP, analysis_options.report_uncompilable);
+	CPPCompile cpp(funcs, *pfs, gen_name, addl_name, *hm, analysis_options.gen_standalone_CPP,
+	               analysis_options.report_uncompilable);
 	}
 
 static void find_when_funcs(std::unique_ptr<ProfileFuncs>& pfs,

From bb618bae30712387ea53e8c5446f23dc2ca0156d Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Sun, 7 Nov 2021 17:02:18 -0800
Subject: [PATCH 041/210] remove -O add-C++ and -O update-C++ options

---
 src/Options.cc              |  8 +-------
 src/script_opt/ScriptOpt.cc | 19 -------------------
 src/script_opt/ScriptOpt.h  | 12 ------------
 3 files changed, 1 insertion(+), 38 deletions(-)

diff --git a/src/Options.cc b/src/Options.cc
index 9bc235cbcc..5cba4fe246 100644
--- a/src/Options.cc
+++ b/src/Options.cc
@@ -202,8 +202,6 @@ static void print_analysis_help()
 	fprintf(stderr, "    report-uncompilable	print names of functions that can't be compiled\n");
 	fprintf(stderr, "    use-C++	use available C++ script bodies\n");
 	fprintf(stderr, "\n  experimental options for incremental compilation:\n");
-	fprintf(stderr, "    add-C++	generate private C++ for any missing script bodies\n");
-	fprintf(stderr, "    update-C++	generate reusable C++ for any missing script bodies\n");
 	}
 
 static void set_analysis_option(const char* opt, Options& opts)
@@ -223,9 +221,7 @@ static void set_analysis_option(const char* opt, Options& opts)
 		exit(0);
 		}
 
-	if ( util::streq(opt, "add-C++") )
-		a_o.add_CPP = true;
-	else if ( util::streq(opt, "dump-uds") )
+	if ( util::streq(opt, "dump-uds") )
 		a_o.activate = a_o.dump_uds = true;
 	else if ( util::streq(opt, "dump-xform") )
 		a_o.activate = a_o.dump_xform = true;
@@ -253,8 +249,6 @@ static void set_analysis_option(const char* opt, Options& opts)
 		a_o.inliner = a_o.report_recursive = true;
 	else if ( util::streq(opt, "report-uncompilable") )
 		a_o.report_uncompilable = true;
-	else if ( util::streq(opt, "update-C++") )
-		a_o.update_CPP = true;
 	else if ( util::streq(opt, "use-C++") )
 		a_o.use_CPP = true;
 	else if ( util::streq(opt, "xform") )
diff --git a/src/script_opt/ScriptOpt.cc b/src/script_opt/ScriptOpt.cc
index aa70a8ae9d..2940b1b5ec 100644
--- a/src/script_opt/ScriptOpt.cc
+++ b/src/script_opt/ScriptOpt.cc
@@ -221,8 +221,6 @@ static void init_options()
 	check_env_opt("ZEEK_PROFILE", analysis_options.profile_ZAM);
 
 	// Compile-to-C++-related options.
-	check_env_opt("ZEEK_ADD_CPP", analysis_options.add_CPP);
-	check_env_opt("ZEEK_UPDATE_CPP", analysis_options.update_CPP);
 	check_env_opt("ZEEK_GEN_CPP", analysis_options.gen_CPP);
 	check_env_opt("ZEEK_GEN_STANDALONE_CPP", analysis_options.gen_standalone_CPP);
 	check_env_opt("ZEEK_COMPILE_ALL", analysis_options.compile_all);
@@ -233,23 +231,6 @@ static void init_options()
 		analysis_options.gen_CPP = true;
 
 	if ( analysis_options.gen_CPP )
-		{
-		if ( analysis_options.add_CPP )
-			{
-			reporter->Warning("gen-C++ incompatible with add-C++");
-			analysis_options.add_CPP = false;
-			}
-
-		if ( analysis_options.update_CPP )
-			{
-			reporter->Warning("gen-C++ incompatible with update-C++");
-			analysis_options.update_CPP = false;
-			}
-
-		generating_CPP = true;
-		}
-
-	if ( analysis_options.update_CPP || analysis_options.add_CPP )
 		generating_CPP = true;
 
 	if ( analysis_options.use_CPP && generating_CPP )
diff --git a/src/script_opt/ScriptOpt.h b/src/script_opt/ScriptOpt.h
index 065a9bb2c9..8d15eadb23 100644
--- a/src/script_opt/ScriptOpt.h
+++ b/src/script_opt/ScriptOpt.h
@@ -96,18 +96,6 @@ struct AnalyOpt
 	// of the corresponding script, and not activated by default).
 	bool gen_standalone_CPP = false;
 
-	// If true, generate C++ for those script bodies that don't already
-	// have generated code, in a form that enables later compiles to
-	// take advantage of the newly-added elements.  Only use for generating
-	// a zeek that will always include the associated scripts.
-	bool update_CPP = false;
-
-	// If true, generate C++ for those script bodies that don't already
-	// have generated code.  The added C++ is not made available for
-	// later generated code, and will work for a generated zeek that
-	// runs without including the associated scripts.
-	bool add_CPP = false;
-
 	// If true, use C++ bodies if available.
 	bool use_CPP = false;
 

From ab1a29184c8d5f454c1312fc27d123870371d665 Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Sun, 7 Nov 2021 17:05:21 -0800
Subject: [PATCH 042/210] documentation updates

---
 src/script_opt/CPP/README.md | 43 ++++--------------------------------
 1 file changed, 4 insertions(+), 39 deletions(-)

diff --git a/src/script_opt/CPP/README.md b/src/script_opt/CPP/README.md
index e2790320fd..b9153cd9a5 100644
--- a/src/script_opt/CPP/README.md
+++ b/src/script_opt/CPP/README.md
@@ -114,40 +114,6 @@ There are additional workflows relating to running the test suite, which
 we document only briefly here as they're likely going to change or go away
 , as it's not clear they're actually needed.
 
-First, `-O update-C++` will run using a Zeek instance that already includes
-compiled scripts and, for any functions pulled in by the command-line scripts,
-if they're not already compiled, will generate additional C++ code for
-those that can be combined with the already-compiled code.  The
-additionally compiled code leverages the existing compiled-in functions
-(and globals), which it learns about via the `CPP-hashes.dat` file mentioned
-above.  Any code compiled in this fashion must be _consistent_ with the
-previously compiled code, meaning that globals and extensible types (enums,
-records) have definitions that align with those previously used, and any
-other code later compiled must also be consistent.
-
-In a similar vein, `-O add-C++` likewise uses a Zeek instance that already
-includes compiled scripts.  It generates additional C++ code that leverages
-that existing compilation.  However, this code is _not_ meant for use with
-subsequently compiled code; later code also build with `add-C++` can have
-inconsistencies with this code.  (The utility of this mode is to support
-compiling the entire test suite as one large incremental compilation,
-rather than as hundreds of pointwise compilations.)
-
-Both of these _append_ to any existing `CPP-gen-addl.h` file, providing
-a means for building it up to reflect a number of compilations.
-
-The `update-C++` and `add-C++` options help support different
-ways of building the `btest` test suite.  They were meant to enable doing so
-without requiring per-test-suite-element recompilations.  However, experiences
-to date have found that trying to avoid pointwise compilations incurs
-additional headaches, so it's better to just bite off the cost of a large
-number of recompilations.  Given that, it might make sense to remove these
-options.
-
-Finally, with respect to workflow there are number of simple scripts in
-`src/script_opt/CPP/` (which should ultimately be replaced) in support of
-compiler maintenance:
-
 * `non-embedded-build`  
 Builds `zeek` without any embedded compiled-to-C++ scripts.
 * `bare-embedded-build`  
@@ -183,12 +149,11 @@ Known Issues
 Here we list various known issues with using the compiler:
 <br>
 
-* Compilation of compiled code can be noticeably slow (if built using
-`./configure --enable-debug`) or hugely slow (if not), with the latter
-taking on the order of an hour on a beefy laptop.  This slowness complicates
+* Compilation of compiled code can be quite slow when the C++ compilation
+includes optimization,
+taking many minutes on a beefy laptop.  This slowness complicates
 CI/CD approaches for always running compiled code against the test suite
-when merging changes.  It's not presently clear how feasible it is to
-speed this up.
+when merging changes.
 
 * Run-time error messages generally lack location information and information
 about associated expressions/statements, making them hard to puzzle out.

From 0bdc268a00cf608c3db063fa6d7eb2aa584fa2be Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Sun, 7 Nov 2021 17:49:30 -0800
Subject: [PATCH 043/210] geez sometimes it's signed sometimes it's not

---
 src/script_opt/CPP/InitsInfo.cc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/script_opt/CPP/InitsInfo.cc b/src/script_opt/CPP/InitsInfo.cc
index 4c2685afaf..4eb670de37 100644
--- a/src/script_opt/CPP/InitsInfo.cc
+++ b/src/script_opt/CPP/InitsInfo.cc
@@ -185,7 +185,7 @@ ListConstInfo::ListConstInfo(CPPCompile* _c, ValPtr v) : CompoundItemInfo(_c)
 	auto lv = cast_intrusive<ListVal>(v);
 	auto n = lv->Length();
 
-	for ( auto i = 0U; i < n; ++i )
+	for ( auto i = 0; i < n; ++i )
 		vals.emplace_back(ValElem(c, lv->Idx(i)));
 	}
 
@@ -194,7 +194,7 @@ VectorConstInfo::VectorConstInfo(CPPCompile* c, ValPtr v) : CompoundItemInfo(c,
 	auto vv = cast_intrusive<VectorVal>(v);
 	auto n = vv->Size();
 
-	for ( auto i = 0; i < n; ++i )
+	for ( auto i = 0U; i < n; ++i )
 		vals.emplace_back(ValElem(c, vv->ValAt(i)));
 	}
 
@@ -205,7 +205,7 @@ RecordConstInfo::RecordConstInfo(CPPCompile* c, ValPtr v) : CompoundItemInfo(c,
 
 	type = c->TypeOffset(r->GetType());
 
-	for ( auto i = 0; i < n; ++i )
+	for ( auto i = 0U; i < n; ++i )
 		vals.emplace_back(ValElem(c, r->GetField(i)));
 	}
 

From 3ea362be91a5c8d5218ee9f1397e474b49bf9ef8 Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Sun, 7 Nov 2021 17:54:56 -0800
Subject: [PATCH 044/210] fix for case-sensitive file systems

---
 src/script_opt/CPP/RuntimeInits.cc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/script_opt/CPP/RuntimeInits.cc b/src/script_opt/CPP/RuntimeInits.cc
index ef795f4942..739ed9a4d9 100644
--- a/src/script_opt/CPP/RuntimeInits.cc
+++ b/src/script_opt/CPP/RuntimeInits.cc
@@ -1,12 +1,12 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "zeek/script_opt/CPP/RunTimeInits.h"
+#include "zeek/script_opt/CPP/RuntimeInits.h"
 
 #include "zeek/Desc.h"
 #include "zeek/File.h"
 #include "zeek/RE.h"
 #include "zeek/ZeekString.h"
-#include "zeek/script_opt/CPP/RunTimeInitSupport.h"
+#include "zeek/script_opt/CPP/RuntimeInitSupport.h"
 
 using namespace std;
 

From c190c85bf0131e5eeab7d0cada4210050bfe2bf5 Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Mon, 8 Nov 2021 09:08:20 -0800
Subject: [PATCH 045/210] Update doc submodule [nomail] [skip ci]

---
 doc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc b/doc
index 931cc50ce8..6bcc7c3e12 160000
--- a/doc
+++ b/doc
@@ -1 +1 @@
-Subproject commit 931cc50ce8fa21dbe8b2816136069b2d18716f06
+Subproject commit 6bcc7c3e125e0bef4352d44a57ded9e9e9fc3775

From e0b116154a19ad1d8b5d7b201eb35c1b5fbdb395 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Mon, 8 Nov 2021 15:19:57 -0700
Subject: [PATCH 046/210] GH-1819: Handle recursive types when describing type
 in binary mode

---
 src/Type.cc                             |  9 +++++++--
 testing/btest/core/recursive-types.zeek | 22 ++++++++++++++++++++++
 2 files changed, 29 insertions(+), 2 deletions(-)
 create mode 100644 testing/btest/core/recursive-types.zeek

diff --git a/src/Type.cc b/src/Type.cc
index 80a6e9c678..9c0f22d868 100644
--- a/src/Type.cc
+++ b/src/Type.cc
@@ -1326,10 +1326,15 @@ void RecordType::DescribeFields(ODesc* d) const
 			d->AddCount(types->length());
 			for ( const auto& type : *types )
 				{
-				type->type->Describe(d);
-				d->SP();
 				d->Add(type->id);
 				d->SP();
+
+				if ( d->FindType(type->type.get()) )
+					d->Add("<recursion>");
+				else
+					type->type->Describe(d);
+
+				d->SP();
 				}
 			}
 		}
diff --git a/testing/btest/core/recursive-types.zeek b/testing/btest/core/recursive-types.zeek
new file mode 100644
index 0000000000..c4f6f595e1
--- /dev/null
+++ b/testing/btest/core/recursive-types.zeek
@@ -0,0 +1,22 @@
+# @TEST-EXEC: zeek -b %INPUT
+
+# global_ids() here contains some types that are recursive, in that
+# arguments to functions contain chained references to the type that
+# defines the function. This tests that we don't crash when
+# attempting to call Describe() on those types in binary-mode.
+event zeek_init()
+	{
+	local sh: string = "";
+	local gi =  global_ids();
+        for (myfunc in gi)
+		{
+		if(gi[myfunc]?$value)
+			{
+			if(strstr(myfunc,"lambda") > 0)
+				{
+				sh = sha256_hash(gi[myfunc]$value);
+				print(sh);
+				}
+			}
+		}
+	}

From 72cbc7cd13b7c1bda98658104431c3b530ff68d6 Mon Sep 17 00:00:00 2001
From: Benjamin Bannier <benjamin.bannier@corelight.com>
Date: Fri, 5 Nov 2021 10:35:11 +0100
Subject: [PATCH 047/210] Move 3rdparty source files to `3rdparty/`

This patch moves in-tree 3rdparty source files to `3rdparty/`. With that
we can remove special treatment of these files for `run-clang-format`.
---
 .clang-format-ignore         |   14 +-
 COPYING.3rdparty             |   14 +-
 src/3rdparty                 |    2 +-
 src/CMakeLists.txt           |   20 +-
 src/ConvertUTF.c             |  755 ----------------------
 src/ConvertUTF.h             |  233 -------
 src/DNS_Mgr.cc               |    2 +-
 src/Debug.cc                 |    2 +-
 src/Desc.cc                  |    2 +-
 src/IPAddr.cc                |    2 +-
 src/Options.cc               |    2 +-
 src/PrefixTable.h            |    2 +-
 src/RunState.cc              |    2 +-
 src/binpac_zeek-lib.pac      |    2 +-
 src/bro_inet_ntop.c          |  189 ------
 src/bro_inet_ntop.h          |   16 -
 src/bsd-getopt-long.c        |  524 ---------------
 src/bsd-getopt-long.h        |  127 ----
 src/in_cksum.cc              |  141 ----
 src/input/readers/raw/Raw.cc |    2 +-
 src/modp_numtoa.c            |  494 --------------
 src/modp_numtoa.h            |  114 ----
 src/nb_dns.c                 |  794 -----------------------
 src/nb_dns.h                 |   41 --
 src/patricia.c               | 1174 ----------------------------------
 src/patricia.h               |  195 ------
 src/setsignal.c              |   52 --
 src/setsignal.h              |    7 -
 src/strsep.c                 |   93 ---
 src/supervisor/Supervisor.cc |    2 +-
 src/threading/Formatter.cc   |    2 +-
 src/util.cc                  |    2 +-
 src/util.h                   |    2 +-
 src/zeek-setup.cc            |    2 +-
 34 files changed, 33 insertions(+), 4994 deletions(-)
 delete mode 100644 src/ConvertUTF.c
 delete mode 100644 src/ConvertUTF.h
 delete mode 100644 src/bro_inet_ntop.c
 delete mode 100644 src/bro_inet_ntop.h
 delete mode 100644 src/bsd-getopt-long.c
 delete mode 100644 src/bsd-getopt-long.h
 delete mode 100644 src/in_cksum.cc
 delete mode 100644 src/modp_numtoa.c
 delete mode 100644 src/modp_numtoa.h
 delete mode 100644 src/nb_dns.c
 delete mode 100644 src/nb_dns.h
 delete mode 100644 src/patricia.c
 delete mode 100644 src/patricia.h
 delete mode 100644 src/setsignal.c
 delete mode 100644 src/setsignal.h
 delete mode 100644 src/strsep.c

diff --git a/.clang-format-ignore b/.clang-format-ignore
index 50f6bce6a5..1300d06344 100644
--- a/.clang-format-ignore
+++ b/.clang-format-ignore
@@ -1,17 +1,5 @@
 # Ignore everything 3rdparty
 src/3rdparty/*
 
-# These are files that are technically sourced from other places but aren't in 3rdparty
-# and shouldn't be reformatted.
-src/ConvertUTF.*
-src/bro_inet_ntop.*
-src/bsd-getopt-long.*
-src/in_cksum.*
-src/nb_dns.*
-src/modp_numtoa.*
-src/patricia.*
-src/strsep.c
-src/setsignal.c
-
 # These files are generated code
-src/DebugCmdInfoConstants.*
\ No newline at end of file
+src/DebugCmdInfoConstants.*
diff --git a/COPYING.3rdparty b/COPYING.3rdparty
index 4b21b90ab5..ffbb0dee0b 100644
--- a/COPYING.3rdparty
+++ b/COPYING.3rdparty
@@ -250,7 +250,7 @@ PROJECT (https://github.com/zeek) UNDER BSD LICENCE.
 
 ==============================================================================
 
-%%% in_cksum.cc
+%%% 3rdparty/in_cksum.cc
 
 ==============================================================================
 
@@ -283,7 +283,7 @@ SUCH DAMAGE.
 
 ==============================================================================
 
-%%% Patricia.c
+%%% 3rdparty/patricia.c
 
 ==============================================================================
 
@@ -328,7 +328,7 @@ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 ==============================================================================
 
-%%% strsep.c
+%%% 3rdparty/strsep.c
 
 ==============================================================================
 
@@ -365,7 +365,7 @@ SUCH DAMAGE.
 
 ==============================================================================
 
-%%% ConvertUTF.c
+%%% 3rdparty/ConvertUTF.c
 
 ==============================================================================
 
@@ -479,7 +479,7 @@ SUCH DAMAGE.
 
 ==============================================================================
 
-%%% bsd-getopt-long.c
+%%% 3rdparty/bsd-getopt-long.c
 
 ==============================================================================
 
@@ -555,7 +555,7 @@ limitations under the License.
 
 ==============================================================================
 
-%%% bro_inet_ntop.c
+%%% 3rdparty/bro_inet_ntop.c
 
 ==============================================================================
 
@@ -578,7 +578,7 @@ OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
 ==============================================================================
 
-%%% modp_numtoa.h
+%%% 3rdparty/modp_numtoa.h
 
 ==============================================================================
 
diff --git a/src/3rdparty b/src/3rdparty
index d31b51e6a0..4a8d0d86a8 160000
--- a/src/3rdparty
+++ b/src/3rdparty
@@ -1 +1 @@
-Subproject commit d31b51e6a06ad4c71db81981920eb753954abbf8
+Subproject commit 4a8d0d86a8b38b40e19a47586abf9fe9b5ec9323
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index c0f520fbeb..9f7eaffbab 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -280,7 +280,7 @@ add_custom_command(OUTPUT ${CMAKE_CURRENT_BINARY_DIR}/ZAM-AssignFlavorsDefs.h
                    WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
 )
 
-set_source_files_properties(nb_dns.c PROPERTIES COMPILE_FLAGS
+set_source_files_properties(3rdparty/nb_dns.c PROPERTIES COMPILE_FLAGS
                             -fno-strict-aliasing)
 
 set(MAIN_SRCS
@@ -297,7 +297,6 @@ set(MAIN_SRCS
     CCL.cc
     CompHash.cc
     Conn.cc
-    ConvertUTF.c
     DFA.cc
     DbgBreakpoint.cc
     DbgHelp.cc
@@ -367,13 +366,6 @@ set(MAIN_SRCS
     ZeekArgs.cc
     ZeekString.cc
     ZVal.cc
-    bsd-getopt-long.c
-    bro_inet_ntop.c
-    in_cksum.cc
-    patricia.c
-    setsignal.c
-    strsep.c
-    modp_numtoa.c
 
     supervisor/Supervisor.cc
 
@@ -437,12 +429,20 @@ set(MAIN_SRCS
     script_opt/ZAM/ZInst.cc
     script_opt/ZAM/ZOp.cc
 
-    nb_dns.c
     digest.h
 )
 
 set(THIRD_PARTY_SRCS
+    3rdparty/bro_inet_ntop.c
+    3rdparty/bsd-getopt-long.c
+    3rdparty/ConvertUTF.c
+    3rdparty/in_cksum.cc
+    3rdparty/modp_numtoa.c
+    3rdparty/nb_dns.c
+    3rdparty/patricia.c
+    3rdparty/setsignal.c
     3rdparty/sqlite3.c
+    3rdparty/strsep.c
 )
 
 set(GEN_ZAM_SRCS
diff --git a/src/ConvertUTF.c b/src/ConvertUTF.c
deleted file mode 100644
index b8acb69d27..0000000000
--- a/src/ConvertUTF.c
+++ /dev/null
@@ -1,755 +0,0 @@
-/*===--- ConvertUTF.c - Universal Character Names conversions ---------------===
- *
- *                     The LLVM Compiler Infrastructure
- *
- * This file is distributed under the University of Illinois Open Source
- * License:
- *
- *    University of Illinois/NCSA
- *    Open Source License
- *
- *    Copyright (c) 2003-2014 University of Illinois at Urbana-Champaign.
- *    All rights reserved.
- *
- *    Developed by:
- *
- *        LLVM Team
- *
- *        University of Illinois at Urbana-Champaign
- *
- *        http://llvm.org
- *
- *    Permission is hereby granted, free of charge, to any person
- *    obtaining a copy of this software and associated documentation
- *    files (the "Software"), to deal with the Software without
- *    restriction, including without limitation the rights to use,
- *    copy, modify, merge, publish, distribute, sublicense, and/or
- *    sell copies of the Software, and to permit persons to whom the
- *    Software is furnished to do so, subject to the following
- *    conditions:
- *
- *        * Redistributions of source code must retain the above
- *          copyright notice, this list of conditions and the
- *          following disclaimers.
- *
- *        * Redistributions in binary form must reproduce the
- *          above copyright notice, this list of conditions and
- *          the following disclaimers in the documentation and/or
- *          other materials provided with the distribution.
- *
- *        * Neither the names of the LLVM Team, University of
- *          Illinois at Urbana-Champaign, nor the names of its
- *          contributors may be used to endorse or promote
- *          products derived from this Software without specific
- *          prior written permission.
- *
- *    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
- *    EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
- *    OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
- *    NONINFRINGEMENT.  IN NO EVENT SHALL THE CONTRIBUTORS OR
- *    COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- *    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
- *    ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
- *    USE OR OTHER DEALINGS WITH THE SOFTWARE.
- *
- *===------------------------------------------------------------------------=*/
-/*
- * Copyright 2001-2004 Unicode, Inc.
- *
- * Disclaimer
- *
- * This source code is provided as is by Unicode, Inc. No claims are
- * made as to fitness for any particular purpose. No warranties of any
- * kind are expressed or implied. The recipient agrees to determine
- * applicability of information provided. If this file has been
- * purchased on magnetic or optical media from Unicode, Inc., the
- * sole remedy for any claim will be exchange of defective media
- * within 90 days of receipt.
- *
- * Limitations on Rights to Redistribute This Code
- *
- * Unicode, Inc. hereby grants the right to freely use the information
- * supplied in this file in the creation of products supporting the
- * Unicode Standard, and to make copies of this file in any form
- * for internal or external distribution as long as this notice
- * remains attached.
- */
-
-/* ---------------------------------------------------------------------
-
-    Conversions between UTF32, UTF-16, and UTF-8. Source code file.
-    Author: Mark E. Davis, 1994.
-    Rev History: Rick McGowan, fixes & updates May 2001.
-    Sept 2001: fixed const & error conditions per
-        mods suggested by S. Parent & A. Lillich.
-    June 2002: Tim Dodd added detection and handling of incomplete
-        source sequences, enhanced error detection, added casts
-        to eliminate compiler warnings.
-    July 2003: slight mods to back out aggressive FFFE detection.
-    Jan 2004: updated switches in from-UTF8 conversions.
-    Oct 2004: updated to use UNI_MAX_LEGAL_UTF32 in UTF-32 conversions.
-
-    See the header file "ConvertUTF.h" for complete documentation.
-
------------------------------------------------------------------------- */
-
-
-#include "zeek/ConvertUTF.h"
-#ifdef CVTUTF_DEBUG
-#include <stdio.h>
-#endif
-#include <assert.h>
-
-static const int halfShift  = 10; /* used for shifting by 10 bits */
-
-static const UTF32 halfBase = 0x0010000UL;
-static const UTF32 halfMask = 0x3FFUL;
-
-#define UNI_SUR_HIGH_START  (UTF32)0xD800
-#define UNI_SUR_HIGH_END    (UTF32)0xDBFF
-#define UNI_SUR_LOW_START   (UTF32)0xDC00
-#define UNI_SUR_LOW_END     (UTF32)0xDFFF
-#define false      0
-#define true        1
-
-/* --------------------------------------------------------------------- */
-
-/*
- * Index into the table below with the first byte of a UTF-8 sequence to
- * get the number of trailing bytes that are supposed to follow it.
- * Note that *legal* UTF-8 values can't have 4 or 5-bytes. The table is
- * left as-is for anyone who may want to do such conversion, which was
- * allowed in earlier algorithms.
- */
-static const char trailingBytesForUTF8[256] = {
-    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
-    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
-    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
-    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
-    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
-    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
-    1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1, 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,
-    2,2,2,2,2,2,2,2,2,2,2,2,2,2,2,2, 3,3,3,3,3,3,3,3,4,4,4,4,5,5,5,5
-};
-
-/*
- * Magic values subtracted from a buffer value during UTF8 conversion.
- * This table contains as many values as there might be trailing bytes
- * in a UTF-8 sequence.
- */
-static const UTF32 offsetsFromUTF8[6] = { 0x00000000UL, 0x00003080UL, 0x000E2080UL,
-                     0x03C82080UL, 0xFA082080UL, 0x82082080UL };
-
-/*
- * Once the bits are split out into bytes of UTF-8, this is a mask OR-ed
- * into the first byte, depending on how many bytes follow.  There are
- * as many entries in this table as there are UTF-8 sequence types.
- * (I.e., one byte sequence, two byte... etc.). Remember that sequencs
- * for *legal* UTF-8 will be 4 or fewer bytes total.
- */
-static const UTF8 firstByteMark[7] = { 0x00, 0x00, 0xC0, 0xE0, 0xF0, 0xF8, 0xFC };
-
-/* --------------------------------------------------------------------- */
-
-/* The interface converts a whole buffer to avoid function-call overhead.
- * Constants have been gathered. Loops & conditionals have been removed as
- * much as possible for efficiency, in favor of drop-through switches.
- * (See "Note A" at the bottom of the file for equivalent code.)
- * If your compiler supports it, the "isLegalUTF8" call can be turned
- * into an inline function.
- */
-
-
-/* --------------------------------------------------------------------- */
-
-ConversionResult ConvertUTF32toUTF16 (
-        const UTF32** sourceStart, const UTF32* sourceEnd,
-        UTF16** targetStart, UTF16* targetEnd, ConversionFlags flags) {
-    ConversionResult result = conversionOK;
-    const UTF32* source = *sourceStart;
-    UTF16* target = *targetStart;
-    while (source < sourceEnd) {
-        UTF32 ch;
-        if (target >= targetEnd) {
-            result = targetExhausted; break;
-        }
-        ch = *source++;
-        if (ch <= UNI_MAX_BMP) { /* Target is a character <= 0xFFFF */
-            /* UTF-16 surrogate values are illegal in UTF-32; 0xffff or 0xfffe are both reserved values */
-            if (ch >= UNI_SUR_HIGH_START && ch <= UNI_SUR_LOW_END) {
-                if (flags == strictConversion) {
-                    --source; /* return to the illegal value itself */
-                    result = sourceIllegal;
-                    break;
-                } else {
-                    *target++ = UNI_REPLACEMENT_CHAR;
-                }
-            } else {
-                *target++ = (UTF16)ch; /* normal case */
-            }
-        } else if (ch > UNI_MAX_LEGAL_UTF32) {
-            if (flags == strictConversion) {
-                result = sourceIllegal;
-            } else {
-                *target++ = UNI_REPLACEMENT_CHAR;
-            }
-        } else {
-            /* target is a character in range 0xFFFF - 0x10FFFF. */
-            if (target + 1 >= targetEnd) {
-                --source; /* Back up source pointer! */
-                result = targetExhausted; break;
-            }
-            ch -= halfBase;
-            *target++ = (UTF16)((ch >> halfShift) + UNI_SUR_HIGH_START);
-            *target++ = (UTF16)((ch & halfMask) + UNI_SUR_LOW_START);
-        }
-    }
-    *sourceStart = source;
-    *targetStart = target;
-    return result;
-}
-
-/* --------------------------------------------------------------------- */
-
-ConversionResult ConvertUTF16toUTF32 (
-        const UTF16** sourceStart, const UTF16* sourceEnd,
-        UTF32** targetStart, UTF32* targetEnd, ConversionFlags flags) {
-    ConversionResult result = conversionOK;
-    const UTF16* source = *sourceStart;
-    UTF32* target = *targetStart;
-    UTF32 ch, ch2;
-    while (source < sourceEnd) {
-        const UTF16* oldSource = source; /*  In case we have to back up because of target overflow. */
-        ch = *source++;
-        /* If we have a surrogate pair, convert to UTF32 first. */
-        if (ch >= UNI_SUR_HIGH_START && ch <= UNI_SUR_HIGH_END) {
-            /* If the 16 bits following the high surrogate are in the source buffer... */
-            if (source < sourceEnd) {
-                ch2 = *source;
-                /* If it's a low surrogate, convert to UTF32. */
-                if (ch2 >= UNI_SUR_LOW_START && ch2 <= UNI_SUR_LOW_END) {
-                    ch = ((ch - UNI_SUR_HIGH_START) << halfShift)
-                        + (ch2 - UNI_SUR_LOW_START) + halfBase;
-                    ++source;
-                } else if (flags == strictConversion) { /* it's an unpaired high surrogate */
-                    --source; /* return to the illegal value itself */
-                    result = sourceIllegal;
-                    break;
-                }
-            } else { /* We don't have the 16 bits following the high surrogate. */
-                --source; /* return to the high surrogate */
-                result = sourceExhausted;
-                break;
-            }
-        } else if (flags == strictConversion) {
-            /* UTF-16 surrogate values are illegal in UTF-32 */
-            if (ch >= UNI_SUR_LOW_START && ch <= UNI_SUR_LOW_END) {
-                --source; /* return to the illegal value itself */
-                result = sourceIllegal;
-                break;
-            }
-        }
-        if (target >= targetEnd) {
-            source = oldSource; /* Back up source pointer! */
-            result = targetExhausted; break;
-        }
-        *target++ = ch;
-    }
-    *sourceStart = source;
-    *targetStart = target;
-#ifdef CVTUTF_DEBUG
-if (result == sourceIllegal) {
-    fprintf(stderr, "ConvertUTF16toUTF32 illegal seq 0x%04x,%04x\n", ch, ch2);
-    fflush(stderr);
-}
-#endif
-    return result;
-}
-ConversionResult ConvertUTF16toUTF8 (
-        const UTF16** sourceStart, const UTF16* sourceEnd,
-        UTF8** targetStart, UTF8* targetEnd, ConversionFlags flags) {
-    ConversionResult result = conversionOK;
-    const UTF16* source = *sourceStart;
-    UTF8* target = *targetStart;
-    while (source < sourceEnd) {
-        UTF32 ch;
-        unsigned short bytesToWrite = 0;
-        const UTF32 byteMask = 0xBF;
-        const UTF32 byteMark = 0x80;
-        const UTF16* oldSource = source; /* In case we have to back up because of target overflow. */
-        ch = *source++;
-        /* If we have a surrogate pair, convert to UTF32 first. */
-        if (ch >= UNI_SUR_HIGH_START && ch <= UNI_SUR_HIGH_END) {
-            /* If the 16 bits following the high surrogate are in the source buffer... */
-            if (source < sourceEnd) {
-                UTF32 ch2 = *source;
-                /* If it's a low surrogate, convert to UTF32. */
-                if (ch2 >= UNI_SUR_LOW_START && ch2 <= UNI_SUR_LOW_END) {
-                    ch = ((ch - UNI_SUR_HIGH_START) << halfShift)
-                        + (ch2 - UNI_SUR_LOW_START) + halfBase;
-                    ++source;
-                } else if (flags == strictConversion) { /* it's an unpaired high surrogate */
-                    --source; /* return to the illegal value itself */
-                    result = sourceIllegal;
-                    break;
-                }
-            } else { /* We don't have the 16 bits following the high surrogate. */
-                --source; /* return to the high surrogate */
-                result = sourceExhausted;
-                break;
-            }
-        } else if (flags == strictConversion) {
-            /* UTF-16 surrogate values are illegal in UTF-32 */
-            if (ch >= UNI_SUR_LOW_START && ch <= UNI_SUR_LOW_END) {
-                --source; /* return to the illegal value itself */
-                result = sourceIllegal;
-                break;
-            }
-        }
-        /* Figure out how many bytes the result will require */
-        if (ch < (UTF32)0x80) {      bytesToWrite = 1;
-        } else if (ch < (UTF32)0x800) {     bytesToWrite = 2;
-        } else if (ch < (UTF32)0x10000) {   bytesToWrite = 3;
-        } else if (ch < (UTF32)0x110000) {  bytesToWrite = 4;
-        } else {                            bytesToWrite = 3;
-                                            ch = UNI_REPLACEMENT_CHAR;
-        }
-
-        target += bytesToWrite;
-        if (target > targetEnd) {
-            source = oldSource; /* Back up source pointer! */
-            target -= bytesToWrite; result = targetExhausted; break;
-        }
-        switch (bytesToWrite) { /* note: everything falls through. */
-            case 4: *--target = (UTF8)((ch | byteMark) & byteMask); ch >>= 6;
-            case 3: *--target = (UTF8)((ch | byteMark) & byteMask); ch >>= 6;
-            case 2: *--target = (UTF8)((ch | byteMark) & byteMask); ch >>= 6;
-            case 1: *--target =  (UTF8)(ch | firstByteMark[bytesToWrite]);
-        }
-        target += bytesToWrite;
-    }
-    *sourceStart = source;
-    *targetStart = target;
-    return result;
-}
-
-/* --------------------------------------------------------------------- */
-
-ConversionResult ConvertUTF32toUTF8 (
-        const UTF32** sourceStart, const UTF32* sourceEnd,
-        UTF8** targetStart, UTF8* targetEnd, ConversionFlags flags) {
-    ConversionResult result = conversionOK;
-    const UTF32* source = *sourceStart;
-    UTF8* target = *targetStart;
-    while (source < sourceEnd) {
-        UTF32 ch;
-        unsigned short bytesToWrite = 0;
-        const UTF32 byteMask = 0xBF;
-        const UTF32 byteMark = 0x80;
-        ch = *source++;
-        if (flags == strictConversion ) {
-            /* UTF-16 surrogate values are illegal in UTF-32 */
-            if (ch >= UNI_SUR_HIGH_START && ch <= UNI_SUR_LOW_END) {
-                --source; /* return to the illegal value itself */
-                result = sourceIllegal;
-                break;
-            }
-        }
-        /*
-         * Figure out how many bytes the result will require. Turn any
-         * illegally large UTF32 things (> Plane 17) into replacement chars.
-         */
-        if (ch < (UTF32)0x80) {      bytesToWrite = 1;
-        } else if (ch < (UTF32)0x800) {     bytesToWrite = 2;
-        } else if (ch < (UTF32)0x10000) {   bytesToWrite = 3;
-        } else if (ch <= UNI_MAX_LEGAL_UTF32) {  bytesToWrite = 4;
-        } else {                            bytesToWrite = 3;
-                                            ch = UNI_REPLACEMENT_CHAR;
-                                            result = sourceIllegal;
-        }
-
-        target += bytesToWrite;
-        if (target > targetEnd) {
-            --source; /* Back up source pointer! */
-            target -= bytesToWrite; result = targetExhausted; break;
-        }
-        switch (bytesToWrite) { /* note: everything falls through. */
-            case 4: *--target = (UTF8)((ch | byteMark) & byteMask); ch >>= 6;
-            case 3: *--target = (UTF8)((ch | byteMark) & byteMask); ch >>= 6;
-            case 2: *--target = (UTF8)((ch | byteMark) & byteMask); ch >>= 6;
-            case 1: *--target = (UTF8) (ch | firstByteMark[bytesToWrite]);
-        }
-        target += bytesToWrite;
-    }
-    *sourceStart = source;
-    *targetStart = target;
-    return result;
-}
-
-/* --------------------------------------------------------------------- */
-
-/*
- * Utility routine to tell whether a sequence of bytes is legal UTF-8.
- * This must be called with the length pre-determined by the first byte.
- * If not calling this from ConvertUTF8to*, then the length can be set by:
- *  length = trailingBytesForUTF8[*source]+1;
- * and the sequence is illegal right away if there aren't that many bytes
- * available.
- * If presented with a length > 4, this returns false.  The Unicode
- * definition of UTF-8 goes up to 4-byte sequences.
- */
-
-static Boolean isLegalUTF8(const UTF8 *source, int length) {
-    UTF8 a;
-    const UTF8 *srcptr = source+length;
-    switch (length) {
-    default: return false;
-        /* Everything else falls through when "true"... */
-    case 4: if ((a = (*--srcptr)) < 0x80 || a > 0xBF) return false;
-    case 3: if ((a = (*--srcptr)) < 0x80 || a > 0xBF) return false;
-    case 2: if ((a = (*--srcptr)) < 0x80 || a > 0xBF) return false;
-
-        switch (*source) {
-            /* no fall-through in this inner switch */
-            case 0xE0: if (a < 0xA0) return false; break;
-            case 0xED: if (a > 0x9F) return false; break;
-            case 0xF0: if (a < 0x90) return false; break;
-            case 0xF4: if (a > 0x8F) return false; break;
-            default:   if (a < 0x80) return false;
-        }
-
-    case 1: if (*source >= 0x80 && *source < 0xC2) return false;
-    }
-    if (*source > 0xF4) return false;
-    return true;
-}
-
-/* --------------------------------------------------------------------- */
-
-/*
- * Exported function to return whether a UTF-8 sequence is legal or not.
- * This is not used here; it's just exported.
- */
-Boolean isLegalUTF8Sequence(const UTF8 *source, const UTF8 *sourceEnd) {
-    int length = trailingBytesForUTF8[*source]+1;
-    if (length > sourceEnd - source) {
-        return false;
-    }
-    return isLegalUTF8(source, length);
-}
-
-/* --------------------------------------------------------------------- */
-
-static unsigned
-findMaximalSubpartOfIllFormedUTF8Sequence(const UTF8 *source,
-                                          const UTF8 *sourceEnd) {
-  UTF8 b1, b2, b3;
-
-  assert(!isLegalUTF8Sequence(source, sourceEnd));
-
-  /*
-   * Unicode 6.3.0, D93b:
-   *
-   *   Maximal subpart of an ill-formed subsequence: The longest code unit
-   *   subsequence starting at an unconvertible offset that is either:
-   *   a. the initial subsequence of a well-formed code unit sequence, or
-   *   b. a subsequence of length one.
-   */
-
-  if (source == sourceEnd)
-    return 0;
-
-  /*
-   * Perform case analysis.  See Unicode 6.3.0, Table 3-7. Well-Formed UTF-8
-   * Byte Sequences.
-   */
-
-  b1 = *source;
-  ++source;
-  if (b1 >= 0xC2 && b1 <= 0xDF) {
-    /*
-     * First byte is valid, but we know that this code unit sequence is
-     * invalid, so the maximal subpart has to end after the first byte.
-     */
-    return 1;
-  }
-
-  if (source == sourceEnd)
-    return 1;
-
-  b2 = *source;
-  ++source;
-
-  if (b1 == 0xE0) {
-    return (b2 >= 0xA0 && b2 <= 0xBF) ? 2 : 1;
-  }
-  if (b1 >= 0xE1 && b1 <= 0xEC) {
-    return (b2 >= 0x80 && b2 <= 0xBF) ? 2 : 1;
-  }
-  if (b1 == 0xED) {
-    return (b2 >= 0x80 && b2 <= 0x9F) ? 2 : 1;
-  }
-  if (b1 >= 0xEE && b1 <= 0xEF) {
-    return (b2 >= 0x80 && b2 <= 0xBF) ? 2 : 1;
-  }
-  if (b1 == 0xF0) {
-    if (b2 >= 0x90 && b2 <= 0xBF) {
-      if (source == sourceEnd)
-        return 2;
-
-      b3 = *source;
-      return (b3 >= 0x80 && b3 <= 0xBF) ? 3 : 2;
-    }
-    return 1;
-  }
-  if (b1 >= 0xF1 && b1 <= 0xF3) {
-    if (b2 >= 0x80 && b2 <= 0xBF) {
-      if (source == sourceEnd)
-        return 2;
-
-      b3 = *source;
-      return (b3 >= 0x80 && b3 <= 0xBF) ? 3 : 2;
-    }
-    return 1;
-  }
-  if (b1 == 0xF4) {
-    if (b2 >= 0x80 && b2 <= 0x8F) {
-      if (source == sourceEnd)
-        return 2;
-
-      b3 = *source;
-      return (b3 >= 0x80 && b3 <= 0xBF) ? 3 : 2;
-    }
-    return 1;
-  }
-
-  assert((b1 >= 0x80 && b1 <= 0xC1) || b1 >= 0xF5);
-  /*
-   * There are no valid sequences that start with these bytes.  Maximal subpart
-   * is defined to have length 1 in these cases.
-   */
-  return 1;
-}
-
-/* --------------------------------------------------------------------- */
-
-/*
- * Exported function to return the total number of bytes in a codepoint
- * represented in UTF-8, given the value of the first byte.
- */
-unsigned getNumBytesForUTF8(UTF8 first) {
-  return trailingBytesForUTF8[first] + 1;
-}
-
-/* --------------------------------------------------------------------- */
-
-/*
- * Exported function to return whether a UTF-8 string is legal or not.
- * This is not used here; it's just exported.
- */
-Boolean isLegalUTF8String(const UTF8 **source, const UTF8 *sourceEnd) {
-    while (*source != sourceEnd) {
-        int length = trailingBytesForUTF8[**source] + 1;
-        if (length > sourceEnd - *source || !isLegalUTF8(*source, length))
-            return false;
-        *source += length;
-    }
-    return true;
-}
-
-/* --------------------------------------------------------------------- */
-
-ConversionResult ConvertUTF8toUTF16 (
-        const UTF8** sourceStart, const UTF8* sourceEnd,
-        UTF16** targetStart, UTF16* targetEnd, ConversionFlags flags) {
-    ConversionResult result = conversionOK;
-    const UTF8* source = *sourceStart;
-    UTF16* target = *targetStart;
-    while (source < sourceEnd) {
-        UTF32 ch = 0;
-        unsigned short extraBytesToRead = trailingBytesForUTF8[*source];
-        if (extraBytesToRead >= sourceEnd - source) {
-            result = sourceExhausted; break;
-        }
-        /* Do this check whether lenient or strict */
-        if (!isLegalUTF8(source, extraBytesToRead+1)) {
-            result = sourceIllegal;
-            break;
-        }
-        /*
-         * The cases all fall through. See "Note A" below.
-         */
-        switch (extraBytesToRead) {
-            case 5: ch += *source++; ch <<= 6; /* remember, illegal UTF-8 */
-            case 4: ch += *source++; ch <<= 6; /* remember, illegal UTF-8 */
-            case 3: ch += *source++; ch <<= 6;
-            case 2: ch += *source++; ch <<= 6;
-            case 1: ch += *source++; ch <<= 6;
-            case 0: ch += *source++;
-        }
-        ch -= offsetsFromUTF8[extraBytesToRead];
-
-        if (target >= targetEnd) {
-            source -= (extraBytesToRead+1); /* Back up source pointer! */
-            result = targetExhausted; break;
-        }
-        if (ch <= UNI_MAX_BMP) { /* Target is a character <= 0xFFFF */
-            /* UTF-16 surrogate values are illegal in UTF-32 */
-            if (ch >= UNI_SUR_HIGH_START && ch <= UNI_SUR_LOW_END) {
-                if (flags == strictConversion) {
-                    source -= (extraBytesToRead+1); /* return to the illegal value itself */
-                    result = sourceIllegal;
-                    break;
-                } else {
-                    *target++ = UNI_REPLACEMENT_CHAR;
-                }
-            } else {
-                *target++ = (UTF16)ch; /* normal case */
-            }
-        } else if (ch > UNI_MAX_UTF16) {
-            if (flags == strictConversion) {
-                result = sourceIllegal;
-                source -= (extraBytesToRead+1); /* return to the start */
-                break; /* Bail out; shouldn't continue */
-            } else {
-                *target++ = UNI_REPLACEMENT_CHAR;
-            }
-        } else {
-            /* target is a character in range 0xFFFF - 0x10FFFF. */
-            if (target + 1 >= targetEnd) {
-                source -= (extraBytesToRead+1); /* Back up source pointer! */
-                result = targetExhausted; break;
-            }
-            ch -= halfBase;
-            *target++ = (UTF16)((ch >> halfShift) + UNI_SUR_HIGH_START);
-            *target++ = (UTF16)((ch & halfMask) + UNI_SUR_LOW_START);
-        }
-    }
-    *sourceStart = source;
-    *targetStart = target;
-    return result;
-}
-
-/* --------------------------------------------------------------------- */
-
-static ConversionResult ConvertUTF8toUTF32Impl(
-        const UTF8** sourceStart, const UTF8* sourceEnd,
-        UTF32** targetStart, UTF32* targetEnd, ConversionFlags flags,
-        Boolean InputIsPartial) {
-    ConversionResult result = conversionOK;
-    const UTF8* source = *sourceStart;
-    UTF32* target = *targetStart;
-    while (source < sourceEnd) {
-        UTF32 ch = 0;
-        unsigned short extraBytesToRead = trailingBytesForUTF8[*source];
-        if (extraBytesToRead >= sourceEnd - source) {
-            if (flags == strictConversion || InputIsPartial) {
-                result = sourceExhausted;
-                break;
-            } else {
-                result = sourceIllegal;
-
-                /*
-                 * Replace the maximal subpart of ill-formed sequence with
-                 * replacement character.
-                 */
-                source += findMaximalSubpartOfIllFormedUTF8Sequence(source,
-                                                                    sourceEnd);
-                *target++ = UNI_REPLACEMENT_CHAR;
-                continue;
-            }
-        }
-        if (target >= targetEnd) {
-            result = targetExhausted; break;
-        }
-
-        /* Do this check whether lenient or strict */
-        if (!isLegalUTF8(source, extraBytesToRead+1)) {
-            result = sourceIllegal;
-            if (flags == strictConversion) {
-                /* Abort conversion. */
-                break;
-            } else {
-                /*
-                 * Replace the maximal subpart of ill-formed sequence with
-                 * replacement character.
-                 */
-                source += findMaximalSubpartOfIllFormedUTF8Sequence(source,
-                                                                    sourceEnd);
-                *target++ = UNI_REPLACEMENT_CHAR;
-                continue;
-            }
-        }
-        /*
-         * The cases all fall through. See "Note A" below.
-         */
-        switch (extraBytesToRead) {
-            case 5: ch += *source++; ch <<= 6;
-            case 4: ch += *source++; ch <<= 6;
-            case 3: ch += *source++; ch <<= 6;
-            case 2: ch += *source++; ch <<= 6;
-            case 1: ch += *source++; ch <<= 6;
-            case 0: ch += *source++;
-        }
-        ch -= offsetsFromUTF8[extraBytesToRead];
-
-        if (ch <= UNI_MAX_LEGAL_UTF32) {
-            /*
-             * UTF-16 surrogate values are illegal in UTF-32, and anything
-             * over Plane 17 (> 0x10FFFF) is illegal.
-             */
-            if (ch >= UNI_SUR_HIGH_START && ch <= UNI_SUR_LOW_END) {
-                if (flags == strictConversion) {
-                    source -= (extraBytesToRead+1); /* return to the illegal value itself */
-                    result = sourceIllegal;
-                    break;
-                } else {
-                    *target++ = UNI_REPLACEMENT_CHAR;
-                }
-            } else {
-                *target++ = ch;
-            }
-        } else { /* i.e., ch > UNI_MAX_LEGAL_UTF32 */
-            result = sourceIllegal;
-            *target++ = UNI_REPLACEMENT_CHAR;
-        }
-    }
-    *sourceStart = source;
-    *targetStart = target;
-    return result;
-}
-
-ConversionResult ConvertUTF8toUTF32Partial(const UTF8 **sourceStart,
-                                           const UTF8 *sourceEnd,
-                                           UTF32 **targetStart,
-                                           UTF32 *targetEnd,
-                                           ConversionFlags flags) {
-  return ConvertUTF8toUTF32Impl(sourceStart, sourceEnd, targetStart, targetEnd,
-                                flags, /*InputIsPartial=*/true);
-}
-
-ConversionResult ConvertUTF8toUTF32(const UTF8 **sourceStart,
-                                    const UTF8 *sourceEnd, UTF32 **targetStart,
-                                    UTF32 *targetEnd, ConversionFlags flags) {
-  return ConvertUTF8toUTF32Impl(sourceStart, sourceEnd, targetStart, targetEnd,
-                                flags, /*InputIsPartial=*/false);
-}
-
-/* ---------------------------------------------------------------------
-
-    Note A.
-    The fall-through switches in UTF-8 reading code save a
-    temp variable, some decrements & conditionals.  The switches
-    are equivalent to the following loop:
-        {
-            int tmpBytesToRead = extraBytesToRead+1;
-            do {
-                ch += *source++;
-                --tmpBytesToRead;
-                if (tmpBytesToRead) ch <<= 6;
-            } while (tmpBytesToRead > 0);
-        }
-    In UTF-8 writing code, the switches on "bytesToWrite" are
-    similarly unrolled loops.
-
-   --------------------------------------------------------------------- */
diff --git a/src/ConvertUTF.h b/src/ConvertUTF.h
deleted file mode 100644
index fe7939914e..0000000000
--- a/src/ConvertUTF.h
+++ /dev/null
@@ -1,233 +0,0 @@
-/*===--- ConvertUTF.h - Universal Character Names conversions ---------------===
- *
- *                     The LLVM Compiler Infrastructure
- *
- * This file is distributed under the University of Illinois Open Source
- * License:
- *
- *    University of Illinois/NCSA
- *    Open Source License
- *
- *    Copyright (c) 2003-2014 University of Illinois at Urbana-Champaign.
- *    All rights reserved.
- *
- *    Developed by:
- *
- *        LLVM Team
- *
- *        University of Illinois at Urbana-Champaign
- *
- *        http://llvm.org
- *
- *    Permission is hereby granted, free of charge, to any person
- *    obtaining a copy of this software and associated documentation
- *    files (the "Software"), to deal with the Software without
- *    restriction, including without limitation the rights to use,
- *    copy, modify, merge, publish, distribute, sublicense, and/or
- *    sell copies of the Software, and to permit persons to whom the
- *    Software is furnished to do so, subject to the following
- *    conditions:
- *
- *        * Redistributions of source code must retain the above
- *          copyright notice, this list of conditions and the
- *          following disclaimers.
- *
- *        * Redistributions in binary form must reproduce the
- *          above copyright notice, this list of conditions and
- *          the following disclaimers in the documentation and/or
- *          other materials provided with the distribution.
- *
- *        * Neither the names of the LLVM Team, University of
- *          Illinois at Urbana-Champaign, nor the names of its
- *          contributors may be used to endorse or promote
- *          products derived from this Software without specific
- *          prior written permission.
- *
- *    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
- *    EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
- *    OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
- *    NONINFRINGEMENT.  IN NO EVENT SHALL THE CONTRIBUTORS OR
- *    COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- *    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
- *    ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
- *    USE OR OTHER DEALINGS WITH THE SOFTWARE.
- *
- *==------------------------------------------------------------------------==*/
-/*
- * Copyright 2001-2004 Unicode, Inc.
- *
- * Disclaimer
- *
- * This source code is provided as is by Unicode, Inc. No claims are
- * made as to fitness for any particular purpose. No warranties of any
- * kind are expressed or implied. The recipient agrees to determine
- * applicability of information provided. If this file has been
- * purchased on magnetic or optical media from Unicode, Inc., the
- * sole remedy for any claim will be exchange of defective media
- * within 90 days of receipt.
- *
- * Limitations on Rights to Redistribute This Code
- *
- * Unicode, Inc. hereby grants the right to freely use the information
- * supplied in this file in the creation of products supporting the
- * Unicode Standard, and to make copies of this file in any form
- * for internal or external distribution as long as this notice
- * remains attached.
- */
-
-/* ---------------------------------------------------------------------
-
-    Conversions between UTF32, UTF-16, and UTF-8.  Header file.
-
-    Several funtions are included here, forming a complete set of
-    conversions between the three formats.  UTF-7 is not included
-    here, but is handled in a separate source file.
-
-    Each of these routines takes pointers to input buffers and output
-    buffers.  The input buffers are const.
-
-    Each routine converts the text between *sourceStart and sourceEnd,
-    putting the result into the buffer between *targetStart and
-    targetEnd. Note: the end pointers are *after* the last item: e.g.
-    *(sourceEnd - 1) is the last item.
-
-    !!! NOTE: The source and end pointers must be aligned properly !!!
-
-    The return result indicates whether the conversion was successful,
-    and if not, whether the problem was in the source or target buffers.
-    (Only the first encountered problem is indicated.)
-
-    After the conversion, *sourceStart and *targetStart are both
-    updated to point to the end of last text successfully converted in
-    the respective buffers.
-
-    Input parameters:
-        sourceStart - pointer to a pointer to the source buffer.
-                The contents of this are modified on return so that
-                it points at the next thing to be converted.
-        targetStart - similarly, pointer to pointer to the target buffer.
-        sourceEnd, targetEnd - respectively pointers to the ends of the
-                two buffers, for overflow checking only.
-
-    These conversion functions take a ConversionFlags argument. When this
-    flag is set to strict, both irregular sequences and isolated surrogates
-    will cause an error.  When the flag is set to lenient, both irregular
-    sequences and isolated surrogates are converted.
-
-    Whether the flag is strict or lenient, all illegal sequences will cause
-    an error return. This includes sequences such as: <F4 90 80 80>, <C0 80>,
-    or <A0> in UTF-8, and values above 0x10FFFF in UTF-32. Conformant code
-    must check for illegal sequences.
-
-    When the flag is set to lenient, characters over 0x10FFFF are converted
-    to the replacement character; otherwise (when the flag is set to strict)
-    they constitute an error.
-
-    Output parameters:
-        The value "sourceIllegal" is returned from some routines if the input
-        sequence is malformed.  When "sourceIllegal" is returned, the source
-        value will point to the illegal value that caused the problem. E.g.,
-        in UTF-8 when a sequence is malformed, it points to the start of the
-        malformed sequence.
-
-    Author: Mark E. Davis, 1994.
-    Rev History: Rick McGowan, fixes & updates May 2001.
-         Fixes & updates, Sept 2001.
-
------------------------------------------------------------------------- */
-
-#pragma once
-
-/* ---------------------------------------------------------------------
-    The following 4 definitions are compiler-specific.
-    The C standard does not guarantee that wchar_t has at least
-    16 bits, so wchar_t is no less portable than unsigned short!
-    All should be unsigned values to avoid sign extension during
-    bit mask & shift operations.
------------------------------------------------------------------------- */
-
-typedef unsigned int    UTF32;  /* at least 32 bits */
-typedef unsigned short  UTF16;  /* at least 16 bits */
-typedef unsigned char   UTF8;   /* typically 8 bits */
-typedef unsigned char   Boolean; /* 0 or 1 */
-
-/* Some fundamental constants */
-#define UNI_REPLACEMENT_CHAR (UTF32)0x0000FFFD
-#define UNI_MAX_BMP (UTF32)0x0000FFFF
-#define UNI_MAX_UTF16 (UTF32)0x0010FFFF
-#define UNI_MAX_UTF32 (UTF32)0x7FFFFFFF
-#define UNI_MAX_LEGAL_UTF32 (UTF32)0x0010FFFF
-
-#define UNI_MAX_UTF8_BYTES_PER_CODE_POINT 4
-
-#define UNI_UTF16_BYTE_ORDER_MARK_NATIVE  0xFEFF
-#define UNI_UTF16_BYTE_ORDER_MARK_SWAPPED 0xFFFE
-
-typedef enum {
-  conversionOK,           /* conversion successful */
-  sourceExhausted,        /* partial character in source, but hit end */
-  targetExhausted,        /* insuff. room in target for conversion */
-  sourceIllegal           /* source sequence is illegal/malformed */
-} ConversionResult;
-
-typedef enum {
-  strictConversion = 0,
-  lenientConversion
-} ConversionFlags;
-
-/* This is for C++ and does no harm in C */
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-ConversionResult ConvertUTF8toUTF16 (
-  const UTF8** sourceStart, const UTF8* sourceEnd,
-  UTF16** targetStart, UTF16* targetEnd, ConversionFlags flags);
-
-/**
- * Convert a partial UTF8 sequence to UTF32.  If the sequence ends in an
- * incomplete code unit sequence, returns \c sourceExhausted.
- */
-ConversionResult ConvertUTF8toUTF32Partial(
-  const UTF8** sourceStart, const UTF8* sourceEnd,
-  UTF32** targetStart, UTF32* targetEnd, ConversionFlags flags);
-
-/**
- * Convert a partial UTF8 sequence to UTF32.  If the sequence ends in an
- * incomplete code unit sequence, returns \c sourceIllegal.
- */
-ConversionResult ConvertUTF8toUTF32(
-  const UTF8** sourceStart, const UTF8* sourceEnd,
-  UTF32** targetStart, UTF32* targetEnd, ConversionFlags flags);
-
-/* NOTE: The source and end pointers must be aligned properly. */
-ConversionResult ConvertUTF16toUTF8 (
-  const UTF16** sourceStart, const UTF16* sourceEnd,
-  UTF8** targetStart, UTF8* targetEnd, ConversionFlags flags);
-
-/* NOTE: The source and end pointers must be aligned properly. */
-ConversionResult ConvertUTF32toUTF8 (
-  const UTF32** sourceStart, const UTF32* sourceEnd,
-  UTF8** targetStart, UTF8* targetEnd, ConversionFlags flags);
-
-/* NOTE: The source and end pointers must be aligned properly. */
-ConversionResult ConvertUTF16toUTF32 (
-  const UTF16** sourceStart, const UTF16* sourceEnd,
-  UTF32** targetStart, UTF32* targetEnd, ConversionFlags flags);
-
-/* NOTE: The source and end pointers must be aligned properly. */
-ConversionResult ConvertUTF32toUTF16 (
-  const UTF32** sourceStart, const UTF32* sourceEnd,
-  UTF16** targetStart, UTF16* targetEnd, ConversionFlags flags);
-
-Boolean isLegalUTF8Sequence(const UTF8 *source, const UTF8 *sourceEnd);
-
-Boolean isLegalUTF8String(const UTF8 **source, const UTF8 *sourceEnd);
-
-unsigned getNumBytesForUTF8(UTF8 firstByte);
-
-#ifdef __cplusplus
-}
-#endif
-
-/* --------------------------------------------------------------------- */
diff --git a/src/DNS_Mgr.cc b/src/DNS_Mgr.cc
index 827f17ecfe..8d776b7351 100644
--- a/src/DNS_Mgr.cc
+++ b/src/DNS_Mgr.cc
@@ -46,7 +46,7 @@ extern "C"
 
 #include <netdb.h>
 
-#include "zeek/nb_dns.h"
+#include "zeek/3rdparty/nb_dns.h"
 	}
 
 using namespace std;
diff --git a/src/Debug.cc b/src/Debug.cc
index eb08b54207..469d016f2d 100644
--- a/src/Debug.cc
+++ b/src/Debug.cc
@@ -34,7 +34,7 @@
 
 extern "C"
 	{
-#include "zeek/setsignal.h"
+#include "zeek/3rdparty/setsignal.h"
 	}
 
 using namespace std;
diff --git a/src/Desc.cc b/src/Desc.cc
index 7eac71491d..1712cea05c 100644
--- a/src/Desc.cc
+++ b/src/Desc.cc
@@ -9,7 +9,7 @@
 #include <stdlib.h>
 #include <string.h>
 
-#include "zeek/ConvertUTF.h"
+#include "zeek/3rdparty/ConvertUTF.h"
 #include "zeek/File.h"
 #include "zeek/IPAddr.h"
 #include "zeek/Reporter.h"
diff --git a/src/IPAddr.cc b/src/IPAddr.cc
index 7c88b82ed9..a957ce4d10 100644
--- a/src/IPAddr.cc
+++ b/src/IPAddr.cc
@@ -6,12 +6,12 @@
 #include <string>
 #include <vector>
 
+#include "zeek/3rdparty/bro_inet_ntop.h"
 #include "zeek/Conn.h"
 #include "zeek/Hash.h"
 #include "zeek/Reporter.h"
 #include "zeek/ZeekString.h"
 #include "zeek/analyzer/Manager.h"
-#include "zeek/bro_inet_ntop.h"
 
 namespace zeek
 	{
diff --git a/src/Options.cc b/src/Options.cc
index 9bc235cbcc..374ae84efe 100644
--- a/src/Options.cc
+++ b/src/Options.cc
@@ -17,7 +17,7 @@
 #include <cstdlib>
 #include <sstream>
 
-#include "zeek/bsd-getopt-long.h"
+#include "zeek/3rdparty/bsd-getopt-long.h"
 #include "zeek/logging/writers/ascii/Ascii.h"
 
 namespace zeek
diff --git a/src/PrefixTable.h b/src/PrefixTable.h
index 3322e9a67d..3404041930 100644
--- a/src/PrefixTable.h
+++ b/src/PrefixTable.h
@@ -2,7 +2,7 @@
 
 extern "C"
 	{
-#include "zeek/patricia.h"
+#include "zeek/3rdparty/patricia.h"
 	}
 
 #include <list>
diff --git a/src/RunState.cc b/src/RunState.cc
index 9852fc0744..2161e7ba30 100644
--- a/src/RunState.cc
+++ b/src/RunState.cc
@@ -22,7 +22,7 @@
 
 extern "C"
 	{
-#include "zeek/setsignal.h"
+#include "zeek/3rdparty/setsignal.h"
 	};
 
 #include "zeek/Anon.h"
diff --git a/src/binpac_zeek-lib.pac b/src/binpac_zeek-lib.pac
index d4ed3ba96d..a4748d45ea 100644
--- a/src/binpac_zeek-lib.pac
+++ b/src/binpac_zeek-lib.pac
@@ -1,9 +1,9 @@
 %extern{
+#include "zeek/3rdparty/ConvertUTF.h"
 #include "zeek/binpac_zeek.h"
 #include "zeek/util.h"
 #include "zeek/Reporter.h"
 #include "zeek/Val.h"
-#include "zeek/ConvertUTF.h"
 #include "zeek/RunState.h"
 %}
 
diff --git a/src/bro_inet_ntop.c b/src/bro_inet_ntop.c
deleted file mode 100644
index 40ec26ca25..0000000000
--- a/src/bro_inet_ntop.c
+++ /dev/null
@@ -1,189 +0,0 @@
-/* Taken/adapted from FreeBSD 9.0.0 inet_ntop.c (CVS revision 1.3.16.1.2.1) */
-/*
- * Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
- * Copyright (c) 1996-1999 by Internet Software Consortium.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
- * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include "zeek/bro_inet_ntop.h"
-
-#include <sys/param.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <arpa/nameser.h>
-
-#include <errno.h>
-#include <stdio.h>
-#include <string.h>
-
-/*%
- * WARNING: Don't even consider trying to compile this on a system where
- * sizeof(int) < 4.  sizeof(int) > 4 is fine; all the world's not a VAX.
- */
-
-static const char *bro_inet_ntop4(const u_char *src, char *dst, socklen_t size);
-static const char *bro_inet_ntop6(const u_char *src, char *dst, socklen_t size);
-
-/* char *
- * bro_inet_ntop(af, src, dst, size)
- *	convert a network format address to presentation format.
- * return:
- *	pointer to presentation format address (`dst'), or NULL (see errno).
- * author:
- *	Paul Vixie, 1996.
- */
-const char *
-bro_inet_ntop(int af, const void * __restrict src, char * __restrict dst,
-    socklen_t size)
-{
-	switch (af) {
-	case AF_INET:
-		return (bro_inet_ntop4(src, dst, size));
-	case AF_INET6:
-		return (bro_inet_ntop6(src, dst, size));
-	default:
-		errno = EAFNOSUPPORT;
-		return (NULL);
-	}
-	/* NOTREACHED */
-}
-
-/* const char *
- * bro_inet_ntop4(src, dst, size)
- *	format an IPv4 address
- * return:
- *	`dst' (as a const)
- * notes:
- *	(1) uses no statics
- *	(2) takes a u_char* not an in_addr as input
- * author:
- *	Paul Vixie, 1996.  Modified by Jon Siwek, 2012, to replace strlcpy
- */
-static const char *
-bro_inet_ntop4(const u_char *src, char *dst, socklen_t size)
-{
-	static const char fmt[] = "%u.%u.%u.%u";
-	char tmp[sizeof "255.255.255.255"];
-	int l;
-
-	l = snprintf(tmp, sizeof(tmp), fmt, src[0], src[1], src[2], src[3]);
-	if (l <= 0 || (socklen_t) l >= size) {
-		errno = ENOSPC;
-		return (NULL);
-	}
-	strncpy(dst, tmp, size - 1);
-	dst[size - 1] = 0;
-	return (dst);
-}
-
-/* const char *
- * bro_inet_ntop6(src, dst, size)
- *	convert IPv6 binary address into presentation (printable) format
- * author:
- *	Paul Vixie, 1996.  Modified by Jon Siwek, 2012, for IPv4-translated format
- */
-static const char *
-bro_inet_ntop6(const u_char *src, char *dst, socklen_t size)
-{
-	/*
-	 * Note that int32_t and int16_t need only be "at least" large enough
-	 * to contain a value of the specified size.  On some systems, like
-	 * Crays, there is no such thing as an integer variable with 16 bits.
-	 * Keep this in mind if you think this function should have been coded
-	 * to use pointer overlays.  All the world's not a VAX.
-	 */
-	char tmp[sizeof "ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255"], *tp;
-	struct { int base, len; } best, cur;
-	u_int words[NS_IN6ADDRSZ / NS_INT16SZ];
-	int i;
-
-	/*
-	 * Preprocess:
-	 *	Copy the input (bytewise) array into a wordwise array.
-	 *	Find the longest run of 0x00's in src[] for :: shorthanding.
-	 */
-	memset(words, '\0', sizeof words);
-	for (i = 0; i < NS_IN6ADDRSZ; i++)
-		words[i / 2] |= (src[i] << ((1 - (i % 2)) << 3));
-	best.base = -1;
-	best.len = 0;
-	cur.base = -1;
-	cur.len = 0;
-	for (i = 0; i < (NS_IN6ADDRSZ / NS_INT16SZ); i++) {
-		if (words[i] == 0) {
-			if (cur.base == -1)
-				cur.base = i, cur.len = 1;
-			else
-				cur.len++;
-		} else {
-			if (cur.base != -1) {
-				if (best.base == -1 || cur.len > best.len)
-					best = cur;
-				cur.base = -1;
-			}
-		}
-	}
-	if (cur.base != -1) {
-		if (best.base == -1 || cur.len > best.len)
-			best = cur;
-	}
-	if (best.base != -1 && best.len < 2)
-		best.base = -1;
-
-	/*
-	 * Format the result.
-	 */
-	tp = tmp;
-	for (i = 0; i < (NS_IN6ADDRSZ / NS_INT16SZ); i++) {
-		/* Are we inside the best run of 0x00's? */
-		if (best.base != -1 && i >= best.base &&
-		    i < (best.base + best.len)) {
-			if (i == best.base)
-				*tp++ = ':';
-			continue;
-		}
-		/* Are we following an initial run of 0x00s or any real hex? */
-		if (i != 0)
-			*tp++ = ':';
-		/* Is this address an encapsulated IPv4? */
-		if (i == 6 && best.base == 0 && (best.len == 6 ||
-		    (best.len == 7 && words[7] != 0x0001) ||
-		    (best.len == 5 && words[5] == 0xffff) ||
-		    (best.len == 4 && words[4] == 0xffff && words[5] == 0))) {
-			if (!bro_inet_ntop4(src+12, tp, sizeof tmp - (tp - tmp)))
-				return (NULL);
-			tp += strlen(tp);
-			break;
-		}
-		tp += sprintf(tp, "%x", words[i]);
-	}
-	/* Was it a trailing run of 0x00's? */
-	if (best.base != -1 && (best.base + best.len) ==
-	    (NS_IN6ADDRSZ / NS_INT16SZ))
-		*tp++ = ':';
-	*tp++ = '\0';
-
-	/*
-	 * Check for overflow, copy, and we're done.
-	 */
-	if ((socklen_t)(tp - tmp) > size) {
-		errno = ENOSPC;
-		return (NULL);
-	}
-	strcpy(dst, tmp);
-	return (dst);
-}
diff --git a/src/bro_inet_ntop.h b/src/bro_inet_ntop.h
deleted file mode 100644
index 61d1df7635..0000000000
--- a/src/bro_inet_ntop.h
+++ /dev/null
@@ -1,16 +0,0 @@
-#pragma once
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#include <sys/types.h>
-#include <sys/socket.h>
-
-const char * 
-bro_inet_ntop(int af, const void * __restrict src, char * __restrict dst,
-    socklen_t size);
-
-#ifdef __cplusplus
-}
-#endif
diff --git a/src/bsd-getopt-long.c b/src/bsd-getopt-long.c
deleted file mode 100644
index 6097010857..0000000000
--- a/src/bsd-getopt-long.c
+++ /dev/null
@@ -1,524 +0,0 @@
-/*    $OpenBSD: getopt_long.c,v 1.17 2004/06/03 18:46:52 millert Exp $    */
-/*    $NetBSD: getopt_long.c,v 1.15 2002/01/31 22:43:40 tv Exp $    */
-
-/*
- * Copyright (c) 2002 Todd C. Miller <Todd.Miller@courtesan.com>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND TODD C. MILLER DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL TODD C. MILLER BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-/*-
- * Copyright (c) 2000 The NetBSD Foundation, Inc.
- * All rights reserved.
- *
- * This code is derived from software contributed to The NetBSD Foundation
- * by Dieter Baron and Thomas Klausner.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *        This product includes software developed by the NetBSD
- *        Foundation, Inc. and its contributors.
- * 4. Neither the name of The NetBSD Foundation nor the names of its
- *    contributors may be used to endorse or promote products derived
- *    from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
- * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-#define IN_GETOPT_LONG_C 1
-
-#include <zeek/zeek-config.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <stdio.h>
-#include <string.h>
-
-#ifndef HAVE_GETOPT_LONG
-
-# include "bsd-getopt-long.h"
-
-# ifdef WITH_DMALLOC
-#  include <dmalloc.h>
-# endif
-
-int    pure_opterr = 1;        /* if error message should be printed */
-int    pure_optind = 1;        /* index into parent argv vector */
-int    pure_optopt = '?';        /* character checked for validity */
-int    pure_optreset;        /* reset getopt */
-const char    *pure_optarg;        /* argument associated with option */
-
-# define PRINT_ERROR    ((pure_opterr) && (*options != ':'))
-
-# define FLAG_PERMUTE    0x01    /* permute non-options to the end of argv */
-# define FLAG_ALLARGS    0x02    /* treat non-options as args to option "-1" */
-# define FLAG_LONGONLY   0x04    /* operate as pure_getopt_long_only */
-
-/* return values */
-# define    BADCH       (int)'?'
-# define    BADARG      ((*options == ':') ? (int)':' : (int)'?')
-# define    INORDER     (int)1
-
-# define    EMSG        ""
-
-static int pure_getopt_internal(int, char * const *, const char *,
-                                const struct pure_option *, int *, int);
-static int pure_parse_long_options(char * const *, const char *,
-                                   const struct pure_option *, int *, int);
-static int pure_gcd(int, int);
-static void pure_permute_args(int, int, int, char * const *);
-
-static const char *pure_place = EMSG; /* option letter processing */
-
-/* XXX: set pure_optreset to 1 rather than these two */
-static int nonopt_start = -1; /* first non option argument (for permute) */
-static int nonopt_end = -1;   /* first option after non options (for permute) */
-
-/* Error messages */
-static const char *recargchar = "option requires an argument -- %c\n";
-static const char *recargstring = "option requires an argument -- %s\n";
-static const char *ambig = "ambiguous option -- %.*s\n";
-static const char *noarg = "option doesn't take an argument -- %.*s\n";
-static const char *illoptchar = "unknown option -- %c\n";
-static const char *illoptstring = "unknown option -- %s\n";
-
-/*
- * Compute the greatest common divisor of a and b.
- */
-static int pure_gcd(int a, int b)
-{
-    int c;
-    
-    c = a % b;
-    while (c != 0) {
-        a = b;
-        b = c;
-        c = a % b;
-    }    
-    return b;
-}
-
-/*
- * Exchange the block from nonopt_start to nonopt_end with the block
- * from nonopt_end to opt_end (keeping the same order of arguments
- * in each block).
- */
-static void pure_permute_args(int panonopt_start, int panonopt_end, 
-                              int opt_end, char * const *nargv)
-{
-    int cstart, cyclelen, i, j, ncycle, nnonopts, nopts, pos;
-    char *swap;
-    
-    /*
-     * compute lengths of blocks and number and size of cycles
-     */
-    nnonopts = panonopt_end - panonopt_start;
-    nopts = opt_end - panonopt_end;
-    ncycle = pure_gcd(nnonopts, nopts);
-    cyclelen = (opt_end - panonopt_start) / ncycle;
-    
-    for (i = 0; i < ncycle; i++) {
-        cstart = panonopt_end+i;
-        pos = cstart;
-        for (j = 0; j < cyclelen; j++) {
-            if (pos >= panonopt_end)
-                pos -= nnonopts;
-            else
-                pos += nopts;
-            swap = nargv[pos];
-            /* LINTED const cast */
-            ((char **) nargv)[pos] = nargv[cstart];
-            /* LINTED const cast */
-            ((char **)nargv)[cstart] = swap;
-        }
-    }
-}
-
-/*
- * pure_parse_long_options --
- *    Parse long options in argc/argv argument vector.
- * Returns -1 if short_too is set and the option does not match long_options.
- */
-static int pure_parse_long_options(char * const *nargv, const char *options,
-                                   const struct pure_option *long_options,
-                                   int *idx, int short_too)
-{
-    const char *current_argv, *has_equal;
-    size_t current_argv_len;
-    int i, match;
-    
-    current_argv = pure_place;
-    match = -1;
-    
-    pure_optind++;
-    
-    if ((has_equal = strchr(current_argv, '=')) != NULL) {
-        /* argument found (--option=arg) */
-        current_argv_len = has_equal - current_argv;
-        has_equal++;
-    } else
-        current_argv_len = strlen(current_argv);
-    
-    for (i = 0; long_options[i].name; i++) {
-        /* find matching long option */
-        if (strncmp(current_argv, long_options[i].name,
-            current_argv_len))
-            continue;
-        
-        if (strlen(long_options[i].name) == current_argv_len) {
-            /* exact match */
-            match = i;
-            break;
-        }
-        /*
-         * If this is a known short option, don't allow
-         * a partial match of a single character.
-         */
-        if (short_too && current_argv_len == 1)
-            continue;
-        
-        if (match == -1)    /* partial match */
-            match = i;
-        else {
-            /* ambiguous abbreviation */
-            if (PRINT_ERROR)
-                fprintf(stderr, ambig, (int)current_argv_len,
-                        current_argv);
-            pure_optopt = 0;
-            return BADCH;
-        }
-    }
-    if (match != -1) {        /* option found */
-        if (long_options[match].has_arg == no_argument
-            && has_equal) {
-            if (PRINT_ERROR)
-                fprintf(stderr, noarg, (int)current_argv_len,
-                        current_argv);
-            /*
-             * XXX: GNU sets pure_optopt to val regardless of flag
-             */
-            if (long_options[match].flag == NULL)
-                pure_optopt = long_options[match].val;
-            else
-                pure_optopt = 0;
-            return BADARG;
-        }
-        if (long_options[match].has_arg == required_argument ||
-            long_options[match].has_arg == optional_argument) {
-            if (has_equal)
-                pure_optarg = has_equal;
-            else if (long_options[match].has_arg ==
-                     required_argument) {
-                /*
-                 * optional argument doesn't use next nargv
-                 */
-                pure_optarg = nargv[pure_optind++];
-            }
-        }
-        if ((long_options[match].has_arg == required_argument)
-            && (pure_optarg == NULL)) {
-            /*
-             * Missing argument; leading ':' indicates no error
-             * should be generated.
-             */
-            if (PRINT_ERROR)
-                fprintf(stderr, recargstring,
-                        current_argv);
-            /*
-             * XXX: GNU sets pure_optopt to val regardless of flag
-             */
-            if (long_options[match].flag == NULL)
-                pure_optopt = long_options[match].val;
-            else
-                pure_optopt = 0;
-            --pure_optind;
-            return BADARG;
-        }
-    } else {            /* unknown option */
-        if (short_too) {
-            --pure_optind;
-            return -1;
-        }
-        if (PRINT_ERROR)
-            fprintf(stderr, illoptstring, current_argv);
-        pure_optopt = 0;
-        return BADCH;
-    }
-    if (idx)
-        *idx = match;
-    if (long_options[match].flag) {
-        *long_options[match].flag = long_options[match].val;
-        return 0;
-    } else
-        return long_options[match].val;
-}
-
-/*
- * getopt_internal --
- *    Parse argc/argv argument vector.  Called by user level routines.
- */
-static int pure_getopt_internal(int nargc, char * const *nargv,
-                                const char *options,
-                                const struct pure_option *long_options,
-                                int *idx, int flags)
-{
-    char *oli;                /* option letter list index */
-    int optchar, short_too;
-    static int posixly_correct = -1;
-    
-    if (options == NULL)
-        return -1;
-    
-    /*
-     * Disable GNU extensions if POSIXLY_CORRECT is set or options
-     * string begins with a '+'.
-     */
-    if (posixly_correct == -1)
-        posixly_correct = (getenv("POSIXLY_CORRECT") != NULL);
-    if (posixly_correct || *options == '+')
-        flags &= ~FLAG_PERMUTE;
-    else if (*options == '-')
-        flags |= FLAG_ALLARGS;
-    if (*options == '+' || *options == '-')
-        options++;
-    
-    /*
-     * XXX Some GNU programs (like cvs) set pure_optind to 0 instead of
-     * XXX using pure_optreset.  Work around this braindamage.
-     */
-    if (pure_optind == 0)
-        pure_optind = pure_optreset = 1;
-    
-    pure_optarg = NULL;
-    if (pure_optreset)
-        nonopt_start = nonopt_end = -1;
-    start:
-    if (pure_optreset || !*pure_place) {        /* update scanning pointer */
-        pure_optreset = 0;
-        if (pure_optind >= nargc) {          /* end of argument vector */
-            pure_place = EMSG;
-            if (nonopt_end != -1) {
-                /* do permutation, if we have to */
-                pure_permute_args(nonopt_start, nonopt_end,
-                                  pure_optind, nargv);
-                pure_optind -= nonopt_end - nonopt_start;
-            }
-            else if (nonopt_start != -1) {
-                /*
-                 * If we skipped non-options, set pure_optind
-                 * to the first of them.
-                 */
-                pure_optind = nonopt_start;
-            }
-            nonopt_start = nonopt_end = -1;
-            return -1;
-        }
-        if (*(pure_place = nargv[pure_optind]) != '-' ||
-            (pure_place[1] == '\0' && strchr(options, '-') == NULL)) {
-            pure_place = EMSG;        /* found non-option */
-            if (flags & FLAG_ALLARGS) {
-                /*
-                 * GNU extension:
-                 * return non-option as argument to option 1
-                 */
-                pure_optarg = nargv[pure_optind++];
-                return INORDER;
-            }
-            if (!(flags & FLAG_PERMUTE)) {
-                /*
-                 * If no permutation wanted, stop parsing
-                 * at first non-option.
-                 */
-                return -1;
-            }
-            /* do permutation */
-            if (nonopt_start == -1)
-                nonopt_start = pure_optind;
-            else if (nonopt_end != -1) {
-                pure_permute_args(nonopt_start, nonopt_end,
-                                  pure_optind, nargv);
-                nonopt_start = pure_optind -
-                    (nonopt_end - nonopt_start);
-                nonopt_end = -1;
-            }
-            pure_optind++;
-            /* process next argument */
-            goto start;
-        }
-        if (nonopt_start != -1 && nonopt_end == -1)
-            nonopt_end = pure_optind;
-
-        /*
-         * Check for "--" or "--foo" with no long options
-         * but if pure_place is simply "-" leave it unmolested.
-         */
-
-        if (pure_place[1] != '\0' && *++pure_place == '-' &&
-            (pure_place[1] == '\0' || long_options == NULL)) {
-            pure_optind++;
-            pure_place = EMSG;
-            /*
-             * We found an option (--), so if we skipped
-             * non-options, we have to permute.
-             */
-            if (nonopt_end != -1) {
-                pure_permute_args(nonopt_start, nonopt_end,
-                                  pure_optind, nargv);
-                pure_optind -= nonopt_end - nonopt_start;
-            }
-            nonopt_start = nonopt_end = -1;
-            return -1;
-        }
-    }
-    
-    /*
-     * Check long options if:
-     *  1) we were passed some
-     *  2) the arg is not just "-"
-     *  3) either the arg starts with -- we are pure_getopt_long_only()
-     */
-    if (long_options != NULL && pure_place != nargv[pure_optind] &&
-        (*pure_place == '-' || (flags & FLAG_LONGONLY))) {
-        short_too = 0;
-        if (*pure_place == '-')
-            pure_place++;        /* --foo long option */
-        else if (*pure_place != ':' && strchr(options, *pure_place) != NULL)
-            short_too = 1;        /* could be short option too */
-        
-        optchar = pure_parse_long_options(nargv, options, long_options,
-                                          idx, short_too);
-        if (optchar != -1) {
-            pure_place = EMSG;
-            return optchar;
-        }
-    }
-    
-    if ((optchar = (int) *pure_place++) == ':' ||
-        (optchar == '-' && *pure_place != '\0') ||        
-        (oli = strchr(options, optchar)) == NULL) { 
-         /*
-          * If the user specified "-" and '-' isn't listed in
-          * options, return -1 (non-option) as per POSIX.
-          * Otherwise, it is an unknown option character (or :').
-          */
-        if (optchar == '-' && *pure_place == '\0')
-            return -1;
-        if (!*pure_place)
-            ++pure_optind;
-        if (PRINT_ERROR)
-            fprintf(stderr, illoptchar, optchar);
-        pure_optopt = optchar;
-        return BADCH;
-    }
-    if (long_options != NULL && optchar == 'W' && oli[1] == ';') {
-        /* -W long-option */
-        if (*pure_place)            /* no space */
-            /* NOTHING */;
-        else if (++pure_optind >= nargc) {    /* no arg */
-            pure_place = EMSG;
-            if (PRINT_ERROR)
-                fprintf(stderr, recargchar, optchar);
-            pure_optopt = optchar;
-            return BADARG;
-        } else                /* white space */
-            pure_place = nargv[pure_optind];
-        optchar = pure_parse_long_options(nargv, options, long_options,
-                                          idx, 0);
-        pure_place = EMSG;
-        return optchar;
-    }
-    if (*++oli != ':') {            /* doesn't take argument */
-        if (!*pure_place)
-            ++pure_optind;
-    } else {                /* takes (optional) argument */
-        pure_optarg = NULL;
-        if (*pure_place)            /* no white space */
-            pure_optarg = pure_place;
-        /* XXX: disable test for :: if PC? (GNU doesn't) */
-        else if (oli[1] != ':') {    /* arg not optional */
-            if (++pure_optind >= nargc) {    /* no arg */
-                pure_place = EMSG;
-                if (PRINT_ERROR)
-                    fprintf(stderr, recargchar, optchar);
-                pure_optopt = optchar;
-                return BADARG;
-            } else {
-                pure_optarg = nargv[pure_optind];
-            }
-        }
-        pure_place = EMSG;
-        ++pure_optind;
-    }
-    /* dump back option letter */
-    return optchar;
-}
-
-/*
- * getopt --
- *    Parse argc/argv argument vector.
- */
-int pure_getopt(int nargc, char * const *nargv, const char *options)
-{
-    
-    /*
-     * We dont' pass FLAG_PERMUTE to pure_getopt_internal() since
-     * the BSD getopt(3) (unlike GNU) has never done this.
-     *
-     * Furthermore, since many privileged programs call getopt()
-     * before dropping privileges it makes sense to keep things
-     * as simple (and bug-free) as possible.
-     */
-    return pure_getopt_internal(nargc, nargv, options, NULL, NULL, 0);
-}
-
-/*
- * pure_getopt_long --
- *    Parse argc/argv argument vector.
- */
-int pure_getopt_long(int nargc, char * const *nargv, const char *options,
-                     const struct pure_option *long_options, int *idx)
-{
-    return pure_getopt_internal(nargc, nargv, options, long_options, idx,
-                                FLAG_PERMUTE);
-}
-
-/*
- * pure_getopt_long_only --
- *    Parse argc/argv argument vector.
- */
-int pure_getopt_long_only(int nargc, char * const *nargv,
-                               const char *options,
-                               const struct pure_option *long_options,
-                               int *idx)
-{
-    return pure_getopt_internal(nargc, nargv, options, long_options, idx,
-                                FLAG_PERMUTE|FLAG_LONGONLY);
-}
-
-#endif
diff --git a/src/bsd-getopt-long.h b/src/bsd-getopt-long.h
deleted file mode 100644
index 9a1a9cd85a..0000000000
--- a/src/bsd-getopt-long.h
+++ /dev/null
@@ -1,127 +0,0 @@
-/*    $OpenBSD: getopt_long.c,v 1.13 2003/06/03 01:52:40 millert Exp $    */
-/*    $NetBSD: getopt_long.c,v 1.15 2002/01/31 22:43:40 tv Exp $    */
-
-/*
- * Copyright (c) 2002 Todd C. Miller <Todd.Miller@courtesan.com>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND TODD C. MILLER DISCLAIMS ALL
- * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL TODD C. MILLER BE LIABLE
- * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
- * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-/*-
- * Copyright (c) 2000 The NetBSD Foundation, Inc.
- * All rights reserved.
- *
- * This code is derived from software contributed to The NetBSD Foundation
- * by Dieter Baron and Thomas Klausner.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *        This product includes software developed by the NetBSD
- *        Foundation, Inc. and its contributors.
- * 4. Neither the name of The NetBSD Foundation nor the names of its
- *    contributors may be used to endorse or promote products derived
- *    from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
- * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-#pragma once
-
-#ifndef HAVE_GETOPT_LONG
-
-/*
- * GNU-like getopt_long() and 4.4BSD getsubopt()/optreset extensions
- */
-# ifndef no_argument
-#  define no_argument        0
-# endif
-# ifndef required_argument
-#  define required_argument  1
-# endif
-# ifndef optional_argument
-#  define optional_argument  2
-# endif
-
-struct pure_option {
-    /* name of long option */
-    const char *name;
-    /*
-     * one of no_argument, required_argument, and optional_argument:
-     * whether option takes an argument
-     */
-    int has_arg;
-    /* if not NULL, set *flag to val when option found */
-    int *flag;
-    /* if flag not NULL, value to set *flag to; else return value */
-    int val;
-};
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-int pure_getopt_long(int nargc, char * const *nargv, const char *options,
-                     const struct pure_option *long_options, int *idx);
-
-int pure_getopt_long_only(int nargc, char * const *nargv,
-                          const char *options,
-                          const struct pure_option *long_options,
-                          int *idx);
-
-int pure_getopt(int nargc, char * const *nargv, const char *options);
-
-#ifdef __cplusplus
-}
-#endif
-
-/* prefix+macros just to avoid clashes with existing getopt() implementations */
-
-# ifndef IN_GETOPT_LONG_C
-#  undef option
-#  define option pure_option
-#  undef getopt_long
-#  define getopt_long(A, B, C, D, E) pure_getopt_long(A, B, C, D, E)
-#  undef getopt_long_only
-#  define getopt_long_only(A, B, C, D, E) pure_getopt_long_only(A, B, C, D, E)
-#  undef getopt
-#  define getopt(A, B, C) pure_getopt(A, B, C)
-#  undef optarg
-#  define optarg pure_optarg
-#  undef opterr
-#  define opterr pure_opterr
-#  undef optind
-#  define optind pure_optind
-#  undef optopt
-#  define optopt pure_optopt
-#  undef optreset
-#  define optreset pure_optreset
-# endif
-
-#endif
diff --git a/src/in_cksum.cc b/src/in_cksum.cc
deleted file mode 100644
index 40f00d9134..0000000000
--- a/src/in_cksum.cc
+++ /dev/null
@@ -1,141 +0,0 @@
-// Modified from tcpdump v4.9.3's in_cksum.c (which itself was a modified
-// version of FreeBSD's in_cksum.c).
-
-/* in_cksum.c
- * 4.4-Lite-2 Internet checksum routine, modified to take a vector of
- * pointers/lengths giving the pieces to be checksummed.  Also using
- * Tahoe/CGI version of ADDCARRY(x) macro instead of from portable version.
- */
-
-/*
- * Copyright (c) 1988, 1992, 1993
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- *	@(#)in_cksum.c	8.1 (Berkeley) 6/10/93
- */
-
-#include "zeek/net_util.h"
-
-namespace zeek::detail {
-
-#define ADDCARRY(x)  {if ((x) > 65535) (x) -= 65535;}
-#define REDUCE {l_util.l = sum; sum = l_util.s[0] + l_util.s[1]; ADDCARRY(sum);}
-
-uint16_t in_cksum(const struct checksum_block *vec, int veclen)
-{
-	const uint16_t *w;
-	int sum = 0;
-	int mlen = 0;
-	int byte_swapped = 0;
-
-	union {
-		uint8_t		c[2];
-		uint16_t	s;
-	} s_util;
-	union {
-		uint16_t	s[2];
-		uint32_t	l;
-	} l_util;
-
-	for (; veclen != 0; vec++, veclen--) {
-		if (vec->len == 0)
-			continue;
-		w = (const uint16_t *)(const void *)vec->block;
-		if (mlen == -1) {
-			/*
-			 * The first byte of this chunk is the continuation
-			 * of a word spanning between this chunk and the
-			 * last chunk.
-			 *
-			 * s_util.c[0] is already saved when scanning previous
-			 * chunk.
-			 */
-			s_util.c[1] = *(const uint8_t *)w;
-			sum += s_util.s;
-			w = (const uint16_t *)(const void *)((const uint8_t *)w + 1);
-			mlen = vec->len - 1;
-		} else
-			mlen = vec->len;
-		/*
-		 * Force to even boundary.
-		 */
-		if ((1 & (uintptr_t) w) && (mlen > 0)) {
-			REDUCE;
-			sum <<= 8;
-			s_util.c[0] = *(const uint8_t *)w;
-			w = (const uint16_t *)(const void *)((const uint8_t *)w + 1);
-			mlen--;
-			byte_swapped = 1;
-		}
-		/*
-		 * Unroll the loop to make overhead from
-		 * branches &c small.
-		 */
-		while ((mlen -= 32) >= 0) {
-			sum += w[0]; sum += w[1]; sum += w[2]; sum += w[3];
-			sum += w[4]; sum += w[5]; sum += w[6]; sum += w[7];
-			sum += w[8]; sum += w[9]; sum += w[10]; sum += w[11];
-			sum += w[12]; sum += w[13]; sum += w[14]; sum += w[15];
-			w += 16;
-		}
-		mlen += 32;
-		while ((mlen -= 8) >= 0) {
-			sum += w[0]; sum += w[1]; sum += w[2]; sum += w[3];
-			w += 4;
-		}
-		mlen += 8;
-		if (mlen == 0 && byte_swapped == 0)
-			continue;
-		REDUCE;
-		while ((mlen -= 2) >= 0) {
-			sum += *w++;
-		}
-		if (byte_swapped) {
-			REDUCE;
-			sum <<= 8;
-			byte_swapped = 0;
-			if (mlen == -1) {
-				s_util.c[1] = *(const uint8_t *)w;
-				sum += s_util.s;
-				mlen = 0;
-			} else
-				mlen = -1;
-		} else if (mlen == -1)
-			s_util.c[0] = *(const uint8_t *)w;
-	}
-	if (mlen == -1) {
-		/* The last mbuf has odd # of bytes. Follow the
-		   standard (the odd byte may be shifted left by 8 bits
-		   or not as determined by endian-ness of the machine) */
-		s_util.c[1] = 0;
-		sum += s_util.s;
-	}
-	REDUCE;
-	return sum;
-}
-
-} // namespace zeek
diff --git a/src/input/readers/raw/Raw.cc b/src/input/readers/raw/Raw.cc
index 463f4d6a2d..a8ba5df1c8 100644
--- a/src/input/readers/raw/Raw.cc
+++ b/src/input/readers/raw/Raw.cc
@@ -18,7 +18,7 @@
 
 extern "C"
 	{
-#include "zeek/setsignal.h"
+#include "zeek/3rdparty/setsignal.h"
 	}
 
 using zeek::threading::Field;
diff --git a/src/modp_numtoa.c b/src/modp_numtoa.c
deleted file mode 100644
index f6b7059d8a..0000000000
--- a/src/modp_numtoa.c
+++ /dev/null
@@ -1,494 +0,0 @@
-/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 4 -*- */
-/* vi: set expandtab shiftwidth=4 tabstop=4: */
-
-#include "zeek/modp_numtoa.h"
-
-#include <stdint.h>
-#include <stdio.h>
-#include <math.h>
-#include <limits.h>
-#include <float.h>
-
-// other interesting references on num to string convesion
-// http://www.jb.man.ac.uk/~slowe/cpp/itoa.html
-// and http://www.ddj.com/dept/cpp/184401596?pgno=6
-
-// Version 19-Nov-2007
-// Fixed round-to-even rules to match printf
-//   thanks to Johannes Otepka
-
-/**
- * Powers of 10
- * 10^0 to 10^9
- */
-static const double _pow10[] = {1, 10, 100, 1000, 10000, 100000, 1000000,
-                               10000000, 100000000, 1000000000};
-static const double _pow10r[] = {1, .1, .01, .001, .0001, .00001, .000001,
-                                .0000001, .00000001, .000000001};
-
-static void strreverse(char* begin, char* end)
-{
-    char aux;
-    while (end > begin)
-        aux = *end, *end-- = *begin, *begin++ = aux;
-}
-
-// Expects 'str' to have been made using "%e" scientific notation format string
-static void sn_strip_trailing_zeros(char* str)
-	{
-	char* frac = 0;
-
-	for ( ; ; )
-		{
-		if ( *str == '.' )
-			{
-			frac = str + 1;
-			break;
-			}
-
-		if ( *str == 0 )
-			break;
-
-		++str;
-		}
-
-	if ( ! frac )
-		return;
-
-	char* start_dec = frac;
-	char* exp = 0;
-	char* trailing_zeros = 0;
-
-	for ( ; ; )
-		{
-		if ( *frac == 0 )
-			break;
-
-		if ( *frac == 'e' )
-			{
-			exp = frac;
-			break;
-			}
-
-		if ( *frac == '0' )
-			{
-			if ( ! trailing_zeros )
-				trailing_zeros = frac;
-			}
-		else
-			trailing_zeros = 0;
-
-		++frac;
-		}
-
-	if ( trailing_zeros == start_dec )
-		--trailing_zeros;
-
-	if ( trailing_zeros && exp )
-		{
-		for ( ; ; )
-			{
-			*trailing_zeros = *exp;
-
-			if ( *exp == 0 )
-				break;
-
-			++trailing_zeros;
-			++exp;
-			}
-		}
-	}
-
-void modp_itoa10(int32_t value, char* str)
-{
-    char* wstr=str;
-    // Take care of sign
-    unsigned int uvalue = (value < 0) ? -value : value;
-    // Conversion. Number is reversed.
-    do *wstr++ = (char)(48 + (uvalue % 10)); while(uvalue /= 10);
-    if (value < 0) *wstr++ = '-';
-    *wstr='\0';
-
-    // Reverse string
-    strreverse(str,wstr-1);
-}
-
-void modp_uitoa10(uint32_t value, char* str)
-{
-    char* wstr=str;
-    // Conversion. Number is reversed.
-    do *wstr++ = (char)(48 + (value % 10)); while (value /= 10);
-    *wstr='\0';
-    // Reverse string
-    strreverse(str, wstr-1);
-}
-
-void modp_litoa10(int64_t value, char* str)
-{
-    char* wstr=str;
-    uint64_t uvalue = (value < 0) ? (value == INT64_MIN ? (uint64_t)(INT64_MAX) + 1 : -value) : value;
-
-    // Conversion. Number is reversed.
-    do *wstr++ = (char)(48 + (uvalue % 10)); while(uvalue /= 10);
-    if (value < 0) *wstr++ = '-';
-    *wstr='\0';
-
-    // Reverse string
-    strreverse(str,wstr-1);
-}
-
-void modp_ulitoa10(uint64_t value, char* str)
-{
-    char* wstr=str;
-    // Conversion. Number is reversed.
-    do *wstr++ = (char)(48 + (value % 10)); while (value /= 10);
-    *wstr='\0';
-    // Reverse string
-    strreverse(str, wstr-1);
-}
-
-void modp_dtoa(double value, char* str, int prec)
-{
-    /* Hacky test for NaN
-     * under -fast-math this won't work, but then you also won't
-     * have correct nan values anyways.  The alternative is
-     * to link with libmath (bad) or hack IEEE double bits (bad)
-     */
-    if (! (value == value)) {
-        str[0] = 'n'; str[1] = 'a'; str[2] = 'n'; str[3] = '\0';
-        return;
-    }
-
-    /* we'll work in positive values and deal with the
-       negative sign issue later */
-    int neg = 0;
-    if (value < 0) {
-        neg = 1;
-        value = -value;
-    }
-
-    /* if input is larger than thres_max, revert to exponential */
-    const double thres_max = (double)(INT_MAX);
-
-    /* for very large numbers switch back to native sprintf for exponentials.
-       anyone want to write code to replace this? */
-    /*
-      normal printf behavior is to print EVERY whole number digit
-      which can be 100s of characters overflowing your buffers == bad
-    */
-    if (value >= thres_max) {
-        sprintf(str, "%.*e", DBL_DECIMAL_DIG - 1, neg ? -value : value);
-        sn_strip_trailing_zeros(str);
-        return;
-    }
-
-    double diff = 0.0;
-    char* wstr = str;
-
-    if (prec < 0) {
-        prec = 0;
-    } else if (prec > 9) {
-        /* precision of >= 10 can lead to overflow errors */
-        prec = 9;
-    }
-
-    int whole = (int) value;
-    double tmp = (value - whole) * _pow10[prec];
-    uint32_t frac = (uint32_t)(tmp);
-    diff = tmp - frac;
-
-    if (diff > 0.5) {
-        ++frac;
-        /* handle rollover, e.g.  case 0.99 with prec 1 is 1.0  */
-        if (frac >= _pow10[prec]) {
-            frac = 0;
-            ++whole;
-        }
-    } else if (diff == 0.5 && ((frac == 0) || (frac & 1))) {
-        /* if halfway, round up if odd, OR
-           if last digit is 0.  That last part is strange */
-        ++frac;
-    }
-
-    if (prec == 0) {
-        diff = value - whole;
-        if (diff > 0.5) {
-            /* greater than 0.5, round up, e.g. 1.6 -> 2 */
-            ++whole;
-        } else if (diff == 0.5 && (whole & 1)) {
-            /* exactly 0.5 and ODD, then round up */
-            /* 1.5 -> 2, but 2.5 -> 2 */
-            ++whole;
-        }
-    } else {
-        int count = prec;
-        // now do fractional part, as an unsigned number
-        do {
-            --count;
-            *wstr++ = (char)(48 + (frac % 10));
-        } while (frac /= 10);
-        // add extra 0s
-        while (count-- > 0) *wstr++ = '0';
-        // add decimal
-        *wstr++ = '.';
-    }
-
-    // do whole part
-    // Take care of sign
-    // Conversion. Number is reversed.
-    do *wstr++ = (char)(48 + (whole % 10)); while (whole /= 10);
-    if (neg) {
-        *wstr++ = '-';
-    }
-    *wstr='\0';
-    strreverse(str, wstr-1);
-}
-
-
-// This is near identical to modp_dtoa above
-//   The differnce is noted below
-void modp_dtoa2(double value, char* str, int prec)
-{
-    /* Hacky test for NaN
-     * under -fast-math this won't work, but then you also won't
-     * have correct nan values anyways.  The alternative is
-     * to link with libmath (bad) or hack IEEE double bits (bad)
-     */
-    if (! (value == value)) {
-        str[0] = 'n'; str[1] = 'a'; str[2] = 'n'; str[3] = '\0';
-        return;
-    }
-
-    /* we'll work in positive values and deal with the
-       negative sign issue later */
-    int neg = 0;
-    if (value < 0) {
-        neg = 1;
-        value = -value;
-    }
-
-    /* if input is larger than thres_max, revert to exponential */
-    const double thres_max = (double)(INT_MAX);
-
-    /* for very large numbers switch back to native sprintf for exponentials.
-       anyone want to write code to replace this? */
-    /*
-      normal printf behavior is to print EVERY whole number digit
-      which can be 100s of characters overflowing your buffers == bad
-    */
-    if (value >= thres_max) {
-        sprintf(str, "%.*e", DBL_DECIMAL_DIG - 1, neg ? -value : value);
-        sn_strip_trailing_zeros(str);
-        return;
-    }
-
-    int count;
-    double diff = 0.0;
-    char* wstr = str;
-
-    if (prec < 0) {
-        prec = 0;
-    } else if (prec > 9) {
-        /* precision of >= 10 can lead to overflow errors */
-        prec = 9;
-    }
-
-    double smallest = _pow10r[prec];
-
-    if (value != 0.0 && value < smallest) {
-        sprintf(str, "%.*e", DBL_DECIMAL_DIG - 1, neg ? -value : value);
-        sn_strip_trailing_zeros(str);
-        return;
-    }
-
-    int whole = (int) value;
-    double tmp = (value - whole) * _pow10[prec];
-    uint32_t frac = (uint32_t)(tmp);
-    diff = tmp - frac;
-
-    if (diff > 0.5) {
-        ++frac;
-        /* handle rollover, e.g.  case 0.99 with prec 1 is 1.0  */
-        if (frac >= _pow10[prec]) {
-            frac = 0;
-            ++whole;
-        }
-    } else if (diff == 0.5 && ((frac == 0) || (frac & 1))) {
-        /* if halfway, round up if odd, OR
-           if last digit is 0.  That last part is strange */
-        ++frac;
-    }
-
-    if (prec == 0) {
-        diff = value - whole;
-        if (diff > 0.5) {
-            /* greater than 0.5, round up, e.g. 1.6 -> 2 */
-            ++whole;
-        } else if (diff == 0.5 && (whole & 1)) {
-            /* exactly 0.5 and ODD, then round up */
-            /* 1.5 -> 2, but 2.5 -> 2 */
-            ++whole;
-        }
-
-        //vvvvvvvvvvvvvvvvvvv  Diff from modp_dto2
-    } else if (frac) {
-        count = prec;
-        // now do fractional part, as an unsigned number
-        // we know it is not 0 but we can have leading zeros, these
-        // should be removed
-        while (!(frac % 10)) {
-            --count;
-            frac /= 10;
-        }
-        //^^^^^^^^^^^^^^^^^^^  Diff from modp_dto2
-
-        // now do fractional part, as an unsigned number
-        do {
-            --count;
-            *wstr++ = (char)(48 + (frac % 10));
-        } while (frac /= 10);
-        // add extra 0s
-        while (count-- > 0) *wstr++ = '0';
-        // add decimal
-        *wstr++ = '.';
-    }
-
-    // do whole part
-    // Take care of sign
-    // Conversion. Number is reversed.
-    do *wstr++ = (char)(48 + (whole % 10)); while (whole /= 10);
-    if (neg) {
-        *wstr++ = '-';
-    }
-    *wstr='\0';
-    strreverse(str, wstr-1);
-}
-
-// This is near identical to modp_dtoa2 above, excep that it never uses
-// exponential notation and requires a buffer length.
-void modp_dtoa3(double value, char* str, int n, int prec)
-{
-    /* Hacky test for NaN
-     * under -fast-math this won't work, but then you also won't
-     * have correct nan values anyways.  The alternative is
-     * to link with libmath (bad) or hack IEEE double bits (bad)
-     */
-    if (! (value == value)) {
-        str[0] = 'n'; str[1] = 'a'; str[2] = 'n'; str[3] = '\0';
-        return;
-    }
-
-    /* we'll work in positive values and deal with the
-       negative sign issue later */
-    int neg = 0;
-    if (value < 0) {
-        neg = 1;
-        value = -value;
-    }
-
-    if (prec < 0) {
-        prec = 0;
-    } else if (prec > 9) {
-        /* precision of >= 10 can lead to overflow errors */
-        prec = 9;
-    }
-
-    /* if input is larger than thres_max, revert to exponential */
-    const double thres_max = (double)(INT_MAX);
-
-    /* for very large numbers switch back to native sprintf for exponentials.
-       anyone want to write code to replace this? */
-    /*
-      normal printf behavior is to print EVERY whole number digit
-      which can be 100s of characters overflowing your buffers == bad
-    */
-    if (value >= thres_max) {
-        /* ---- Modified part, compared to modp_dtoa3. */
-        int i = snprintf(str, n, "%.*f", prec, neg ? -value : value);
-
-        if ( i < 0 || i >= n ) {
-        // Error or truncated output.
-            snprintf(str, n, "NAN");
-            return;
-            }
-
-        /* Remove trailing zeros. */
-
-        char* p;
-        for ( p = str + i - 1; p >= str && *p == '0'; --p );
-
-        if ( p >= str && *p == '.' )
-            --p;
-
-        *++p = '\0';
-        return;
-
-        /* ---- End of modified part.. */
-    }
-
-    int count;
-    double diff = 0.0;
-    char* wstr = str;
-
-    int whole = (int) value;
-    double tmp = (value - whole) * _pow10[prec];
-    uint32_t frac = (uint32_t)(tmp);
-    diff = tmp - frac;
-
-    if (diff > 0.5) {
-        ++frac;
-        /* handle rollover, e.g.  case 0.99 with prec 1 is 1.0  */
-        if (frac >= _pow10[prec]) {
-            frac = 0;
-            ++whole;
-        }
-    } else if (diff == 0.5 && ((frac == 0) || (frac & 1))) {
-        /* if halfway, round up if odd, OR
-           if last digit is 0.  That last part is strange */
-        ++frac;
-    }
-
-    if (prec == 0) {
-        diff = value - whole;
-        if (diff > 0.5) {
-            /* greater than 0.5, round up, e.g. 1.6 -> 2 */
-            ++whole;
-        } else if (diff == 0.5 && (whole & 1)) {
-            /* exactly 0.5 and ODD, then round up */
-            /* 1.5 -> 2, but 2.5 -> 2 */
-            ++whole;
-        }
-
-        //vvvvvvvvvvvvvvvvvvv  Diff from modp_dto2
-    } else if (frac) {
-        count = prec;
-        // now do fractional part, as an unsigned number
-        // we know it is not 0 but we can have leading zeros, these
-        // should be removed
-        while (!(frac % 10)) {
-            --count;
-            frac /= 10;
-        }
-        //^^^^^^^^^^^^^^^^^^^  Diff from modp_dto2
-
-        // now do fractional part, as an unsigned number
-        do {
-            --count;
-            *wstr++ = (char)(48 + (frac % 10));
-        } while (frac /= 10);
-        // add extra 0s
-        while (count-- > 0) *wstr++ = '0';
-        // add decimal
-        *wstr++ = '.';
-    }
-
-    // do whole part
-    // Take care of sign
-    // Conversion. Number is reversed.
-    do *wstr++ = (char)(48 + (whole % 10)); while (whole /= 10);
-    if (neg) {
-        *wstr++ = '-';
-    }
-    *wstr='\0';
-    strreverse(str, wstr-1);
-}
diff --git a/src/modp_numtoa.h b/src/modp_numtoa.h
deleted file mode 100644
index c8c46827c8..0000000000
--- a/src/modp_numtoa.h
+++ /dev/null
@@ -1,114 +0,0 @@
-/* -*- mode: c++; c-basic-offset: 4; indent-tabs-mode: nil; tab-width: 4 -*- */
-/* vi: set expandtab shiftwidth=4 tabstop=4: */
-
-/**
- * \file
- *
- * <pre>
- * Copyright &copy; 2007, Nick Galbreath -- nickg [at] modp [dot] com
- * All rights reserved.
- * http://code.google.com/p/stringencoders/
- * Released under the bsd license.
- * </pre>
- *
- * This defines signed/unsigned integer, and 'double' to char buffer
- * converters.  The standard way of doing this is with "sprintf", however
- * these functions are
- *   * guarenteed maximum size output
- *   * 5-20x faster!
- *   * core-dump safe
- *
- *
- */
-
-#pragma once
-
-#ifdef __cplusplus
-#define BEGIN_C extern "C" {
-#define END_C }
-#else
-#define BEGIN_C
-#define END_C
-#endif
-
-BEGIN_C
-
-#include <stdint.h>
-
-/** \brief convert an signed integer to char buffer
- *
- * \param[in] value
- * \param[out] buf the output buffer.  Should be 16 chars or more.
- */
-void modp_itoa10(int32_t value, char* buf);
-
-/** \brief convert an unsigned integer to char buffer
- *
- * \param[in] value
- * \param[out] buf The output buffer, should be 16 chars or more.
- */
-void modp_uitoa10(uint32_t value, char* buf);
-
-/** \brief convert an signed long integer to char buffer
- *
- * \param[in] value
- * \param[out] buf the output buffer.  Should be 24 chars or more.
- */
-void modp_litoa10(int64_t value, char* buf);
-
-/** \brief convert an unsigned long integer to char buffer
- *
- * \param[in] value
- * \param[out] buf The output buffer, should be 24 chars or more.
- */
-void modp_ulitoa10(uint64_t value, char* buf);
-
-/** \brief convert a floating point number to char buffer with
- *         fixed-precision format
- *
- * This is similar to "%.[0-9]f" in the printf style.  It will include
- * trailing zeros
- *
- * If the input value is greater than 1<<31, then the output format
- * will be switched exponential format and include as many precision digits
- * as needed to preserve information.
- *
- * \param[in] value
- * \param[out] buf  The allocated output buffer.  Should be 32 chars or more.
- * \param[in] precision  Number of digits to the right of the decimal point.
- *    Can only be 0-9.
- */
-void modp_dtoa(double value, char* buf, int precision);
-
-/** \brief convert a floating point number to char buffer with a
- *         variable-precision format, and no trailing zeros
- *
- * This is similar to "%.[0-9]f" in the printf style, except it will
- * NOT include trailing zeros after the decimal point.  This type
- * of format oddly does not exists with printf.
- *
- * If the input value is greater than 1<<31, then the output format
- * will be switched exponential format and include as many precision digits
- * as needed to preserve information.
- *
- * If a non-zero input value is less than 10^(-precision), the output format
- * will be switched exponential format and include as many precision digits
- * as needed to preserve information.
- *
- * \param[in] value
- * \param[out] buf  The allocated output buffer.  Should be 32 chars or more.
- * \param[in] precision  Number of digits to the right of the decimal point.
- *    Can only be 0-9.
- */
-void modp_dtoa2(double value, char* buf, int precision);
-
-/** \brief convert a floating point number to char buffer with a
- *         variable-precision format, no trailing zeros, and no
- *   	scientific notation.
- *
- *  Other than avoiding scientific notation, this is the same as mop_dtoa2. It does however
- *  require the max buffer length. The buffer will always be null-terminated.
- */
-void modp_dtoa3(double value, char* buf, int n, int precision);
-
-END_C
diff --git a/src/nb_dns.c b/src/nb_dns.c
deleted file mode 100644
index d02ed35be2..0000000000
--- a/src/nb_dns.c
+++ /dev/null
@@ -1,794 +0,0 @@
-/*
- * See the file "COPYING" in the main distribution directory for copyright.
- */
-/*
- * nb_dns - non-blocking dns routines
- *
- * This version works with BIND 9
- *
- * Note: The code here is way more complicated than it should be but
- * although the interface to send requests is public, the routine to
- * crack reply buffers is private.
- */
-
-#include "zeek/zeek-config.h"			/* must appear before first ifdef */
-#include "zeek/nb_dns.h"
-
-#include <sys/types.h>
-#include <sys/socket.h>
-
-#include <netinet/in.h>
-
-#include <arpa/inet.h>
-#include <arpa/nameser.h>
-#ifdef NEED_NAMESER_COMPAT_H
-#include <arpa/nameser_compat.h>
-#endif
-
-#include <errno.h>
-#ifdef HAVE_MEMORY_H
-#include <memory.h>
-#endif
-#include <netdb.h>
-#include <resolv.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#ifdef notdef
-#include "gnuc.h"
-#ifdef HAVE_OS_PROTO_H
-#include "os-proto.h"
-#endif
-#endif
-
-#if PACKETSZ > 1024
-#define MAXPACKET	PACKETSZ
-#else
-#define MAXPACKET	1024
-#endif
-
-#ifdef DO_SOCK_DECL
-extern int socket(int, int, int);
-extern int connect(int, const struct sockaddr *, int);
-extern int send(int, const void *, int, int);
-extern int recvfrom(int, void *, int, int, struct sockaddr *, int *);
-#endif
-
-/* Private data */
-struct nb_dns_entry {
-	struct nb_dns_entry *next;
-	char name[NS_MAXDNAME + 1];
-	u_short id;
-	int qtype;			/* query type */
-	int atype;			/* address family */
-	int asize;			/* address size */
-	void *cookie;
-};
-
-#ifndef MAXALIASES
-#define MAXALIASES	35
-#endif
-#ifndef MAXADDRS
-#define MAXADDRS	35
-#endif
-
-struct nb_dns_hostent {
-	struct hostent hostent;
-	int numaliases;
-	int numaddrs;
-	char *host_aliases[MAXALIASES + 1];
-	char *h_addr_ptrs[MAXADDRS + 1];
-	char hostbuf[8 * 1024];
-};
-
-struct nb_dns_info {
-	int s;				/* Resolver file descriptor */
-	struct sockaddr_storage server;	/* server address to bind to */
-	struct nb_dns_entry *list;	/* outstanding requests */
-	struct nb_dns_hostent dns_hostent;
-};
-
-/* Forwards */
-static int _nb_dns_mkquery(struct nb_dns_info *, const char *, int, int,
-    void *, char *);
-static int _nb_dns_cmpsockaddr(struct sockaddr *, struct sockaddr *, char *);
-
-static char *
-my_strerror(int errnum)
-{
-#ifdef HAVE_STRERROR
-	extern char *strerror(int);
-	return strerror(errnum);
-#else
-	static char errnum_buf[32];
-	snprintf(errnum_buf, sizeof(errnum_buf), "errno %d", errnum);
-	return errnum_buf;
-#endif
-}
-
-static const char* sa_ntop(struct sockaddr* sa, char* buf, int len)
-	{
-	if ( sa->sa_family == AF_INET )
-		return inet_ntop(sa->sa_family,
-		                 &(((struct sockaddr_in*)sa)->sin_addr),
-		                 buf, len);
-	else
-		return inet_ntop(sa->sa_family,
-		                 &(((struct sockaddr_in6*)sa)->sin6_addr),
-		                 buf, len);
-	}
-
-struct nb_dns_info *
-nb_dns_init(char *errstr)
-{
-	register struct nb_dns_info *nd;
-
-	nd = (struct nb_dns_info *)malloc(sizeof(*nd));
-	if (nd == NULL) {
-		snprintf(errstr, NB_DNS_ERRSIZE, "nb_dns_init: malloc(): %s",
-		    my_strerror(errno));
-		return (NULL);
-	}
-	memset(nd, 0, sizeof(*nd));
-	nd->s = -1;
-
-	/* XXX should be able to init static hostent struct some other way */
-	(void)gethostbyname("localhost");
-
-	if ((_res.options & RES_INIT) == 0 && res_init() == -1) {
-		snprintf(errstr, NB_DNS_ERRSIZE, "res_init() failed");
-		free(nd);
-		return (NULL);
-	}
-
-	if ( _res.nscount == 0 )
-		{
-		// Really?  Let's try parsing resolv.conf ourselves to see what's
-		// there.  (e.g. musl libc has res_init() that doesn't actually
-		// parse the config file).
-		const char* config_file_path = "/etc/resolv.conf";
-
-#ifdef _PATH_RESCONF
-		config_file_path = _PATH_RESCONF;
-#endif
-
-		FILE* config_file = fopen(config_file_path, "r");
-
-		if ( config_file )
-			{
-			char line[128];
-			char* ns;
-
-			while ( fgets(line, sizeof(line), config_file) )
-				{
-				ns = strtok(line, " \t\n");
-
-				if ( ! ns || strcmp(ns, "nameserver") )
-					continue;
-
-				ns = strtok(0, " \t\n");
-
-				if ( ! ns )
-					continue;
-
-				/* XXX support IPv6 */
-				struct sockaddr_in a;
-				memset(&a, 0, sizeof(a));
-				a.sin_family = AF_INET;
-				a.sin_port = htons(53);
-
-				if ( inet_pton(AF_INET, ns, &a.sin_addr) == 1 )
-					{
-					memcpy(&nd->server, &a, sizeof(a));
-					nd->s = socket(nd->server.ss_family, SOCK_DGRAM, 0);
-
-					if ( nd->s < 0 )
-						{
-						snprintf(errstr, NB_DNS_ERRSIZE, "socket(): %s",
-						         my_strerror(errno));
-						fclose(config_file);
-						free(nd);
-						return (NULL);
-						}
-
-					if ( connect(nd->s, (struct sockaddr *)&nd->server,
-					             nd->server.ss_family == AF_INET ?
-					             sizeof(struct sockaddr_in) :
-					             sizeof(struct sockaddr_in6)) < 0 )
-						{
-						char s[INET6_ADDRSTRLEN];
-						sa_ntop((struct sockaddr*)&nd->server, s, INET6_ADDRSTRLEN);
-						snprintf(errstr, NB_DNS_ERRSIZE, "connect(%s): %s", s,
-						         my_strerror(errno));
-						fclose(config_file);
-						close(nd->s);
-						free(nd);
-						return (NULL);
-						}
-
-					fclose(config_file);
-					return (nd);
-					}
-				}
-
-			fclose(config_file);
-			snprintf(errstr, NB_DNS_ERRSIZE, "no valid nameserver found in %s",
-			         config_file_path);
-			free(nd);
-			return (NULL);
-			}
-
-		snprintf(errstr, NB_DNS_ERRSIZE, "resolver config file not located");
-		free(nd);
-		return (NULL);
-		}
-
-	int i;
-
-	for ( i = 0; i < _res.nscount; ++i )
-		{
-		memcpy(&nd->server, &_res.nsaddr_list[i], sizeof(struct sockaddr_in));
-		/* XXX support IPv6 */
-		if ( nd->server.ss_family != AF_INET )
-			continue;
-
-		nd->s = socket(nd->server.ss_family, SOCK_DGRAM, 0);
-
-		if ( nd->s < 0 )
-			{
-			snprintf(errstr, NB_DNS_ERRSIZE, "socket(): %s",
-			         my_strerror(errno));
-			free(nd);
-			return (NULL);
-			}
-
-		if ( connect(nd->s, (struct sockaddr *)&nd->server,
-	                 nd->server.ss_family == AF_INET ?
-	                           sizeof(struct sockaddr_in) :
-	                           sizeof(struct sockaddr_in6)) < 0 )
-			{
-			char s[INET6_ADDRSTRLEN];
-			sa_ntop((struct sockaddr*)&nd->server, s, INET6_ADDRSTRLEN);
-			snprintf(errstr, NB_DNS_ERRSIZE, "connect(%s): %s", s,
-			         my_strerror(errno));
-			close(nd->s);
-			free(nd);
-			return (NULL);
-			}
-
-		return (nd);
-		}
-
-	snprintf(errstr, NB_DNS_ERRSIZE, "no valid nameservers in resolver config");
-	free(nd);
-	return (NULL);
-}
-
-struct nb_dns_info *
-nb_dns_init2(char *errstr, struct sockaddr* sa)
-{
-	register struct nb_dns_info *nd;
-
-	nd = (struct nb_dns_info *)malloc(sizeof(*nd));
-	if (nd == NULL) {
-		snprintf(errstr, NB_DNS_ERRSIZE, "nb_dns_init: malloc(): %s",
-		    my_strerror(errno));
-		return (NULL);
-	}
-	memset(nd, 0, sizeof(*nd));
-	nd->s = -1;
-
-	if ( sa->sa_family == AF_INET )
-		{
-		memcpy(&nd->server, sa, sizeof(struct sockaddr_in));
-		((struct sockaddr_in*)&nd->server)->sin_port = htons(53);
-		}
-	else
-		{
-		memcpy(&nd->server, sa, sizeof(struct sockaddr_in6));
-		((struct sockaddr_in6*)&nd->server)->sin6_port = htons(53);
-		}
-
-	nd->s = socket(nd->server.ss_family, SOCK_DGRAM, 0);
-
-	if ( nd->s < 0 )
-		{
-		snprintf(errstr, NB_DNS_ERRSIZE, "socket(): %s",
-		         my_strerror(errno));
-		free(nd);
-		return (NULL);
-		}
-
-	if ( connect(nd->s, (struct sockaddr *)&nd->server,
-	             nd->server.ss_family == AF_INET ?
-	                       sizeof(struct sockaddr_in) :
-	                       sizeof(struct sockaddr_in6)) < 0 )
-		{
-		char s[INET6_ADDRSTRLEN];
-		sa_ntop((struct sockaddr*)&nd->server, s, INET6_ADDRSTRLEN);
-		snprintf(errstr, NB_DNS_ERRSIZE, "connect(%s): %s", s,
-		         my_strerror(errno));
-		close(nd->s);
-		free(nd);
-		return (NULL);
-		}
-
-	return (nd);
-}
-
-void
-nb_dns_finish(struct nb_dns_info *nd)
-{
-	register struct nb_dns_entry *ne, *ne2;
-
-	ne = nd->list;
-	while (ne != NULL) {
-		ne2 = ne;
-		ne = ne->next;
-		free(ne2);
-	}
-	close(nd->s);
-	free(nd);
-}
-
-int
-nb_dns_fd(struct nb_dns_info *nd)
-{
-
-	return (nd->s);
-}
-
-static int
-_nb_dns_cmpsockaddr(register struct sockaddr *sa1,
-    register struct sockaddr *sa2, register char *errstr)
-{
-	register struct sockaddr_in *sin1, *sin2;
-#ifdef AF_INET6
-	register struct sockaddr_in6 *sin6a, *sin6b;
-#endif
-	static const char serr[] = "answer from wrong nameserver (%d)";
-
-	if (sa1->sa_family != sa2->sa_family) {
-		snprintf(errstr, NB_DNS_ERRSIZE, serr, 1);
-		return (-1);
-	}
-	switch (sa1->sa_family) {
-
-	case AF_INET:
-		sin1 = (struct sockaddr_in *)sa1;
-		sin2 = (struct sockaddr_in *)sa2;
-		if (sin1->sin_port != sin2->sin_port) {
-			snprintf(errstr, NB_DNS_ERRSIZE, serr, 2);
-			return (-1);
-		}
-		if (sin1->sin_addr.s_addr != sin2->sin_addr.s_addr) {
-			snprintf(errstr, NB_DNS_ERRSIZE, serr, 3);
-			return (-1);
-		}
-		break;
-
-#ifdef AF_INET6
-	case AF_INET6:
-		sin6a = (struct sockaddr_in6 *)sa1;
-		sin6b = (struct sockaddr_in6 *)sa2;
-		if (sin6a->sin6_port != sin6b->sin6_port) {
-			snprintf(errstr, NB_DNS_ERRSIZE, serr, 62);
-			return (-1);
-		}
-		if (memcmp(&sin6a->sin6_addr, &sin6b->sin6_addr,
-		    sizeof(sin6a->sin6_addr)) != 0) {
-			snprintf(errstr, NB_DNS_ERRSIZE, serr, 63);
-			return (-1);
-		}
-		break;
-#endif
-
-	default:
-		snprintf(errstr, NB_DNS_ERRSIZE, serr, 4);
-		return (-1);
-	}
-	return (0);
-}
-
-static int
-_nb_dns_mkquery(register struct nb_dns_info *nd, register const char *name,
-    register int atype, register int qtype, register void * cookie,
-    register char *errstr)
-{
-	register struct nb_dns_entry *ne;
-	register HEADER *hp;
-	register int n;
-	u_long msg[MAXPACKET / sizeof(u_long)];
-
-	/* Allocate an entry */
-	ne = (struct nb_dns_entry *)malloc(sizeof(*ne));
-	if (ne == NULL) {
-		snprintf(errstr, NB_DNS_ERRSIZE, "malloc(): %s",
-		    my_strerror(errno));
-		return (-1);
-	}
-	memset(ne, 0, sizeof(*ne));
-	strncpy(ne->name, name, sizeof(ne->name) - 1);
-	ne->name[sizeof(ne->name) - 1] = '\0';
-	ne->qtype = qtype;
-	ne->atype = atype;
-	switch (atype) {
-
-	case AF_INET:
-		ne->asize = NS_INADDRSZ;
-		break;
-
-#ifdef AF_INET6
-	case AF_INET6:
-		ne->asize = NS_IN6ADDRSZ;
-		break;
-#endif
-
-	default:
-		snprintf(errstr, NB_DNS_ERRSIZE,
-		    "_nb_dns_mkquery: bad family %d", atype);
-		free(ne);
-		return (-1);
-	}
-
-	/* Build the request */
-	n = res_mkquery(
-	    ns_o_query,			/* op code (query) */
-	    name,			/* domain name */
-	    ns_c_in,			/* query class (internet) */
-	    qtype,			/* query type */
-	    NULL,			/* data */
-	    0,				/* length of data */
-	    NULL,			/* new rr */
-	    (u_char *)msg,		/* buffer */
-	    sizeof(msg));		/* size of buffer */
-	if (n < 0) {
-		snprintf(errstr, NB_DNS_ERRSIZE, "res_mkquery() failed");
-		free(ne);
-		return (-1);
-	}
-
-	hp = (HEADER *)msg;
-	ne->id = htons(hp->id);
-
-	if (send(nd->s, (char *)msg, n, 0) != n) {
-		snprintf(errstr, NB_DNS_ERRSIZE, "send(): %s",
-		    my_strerror(errno));
-		free(ne);
-		return (-1);
-	}
-
-	ne->next = nd->list;
-	ne->cookie = cookie;
-	nd->list = ne;
-
-	return(0);
-}
-
-int
-nb_dns_host_request(register struct nb_dns_info *nd, register const char *name,
-    register void *cookie, register char *errstr)
-{
-
-	return (nb_dns_host_request2(nd, name, AF_INET, 0, cookie, errstr));
-}
-
-int
-nb_dns_host_request2(register struct nb_dns_info *nd, register const char *name,
-    register int af, register int qtype, register void *cookie, register char *errstr)
-{
-	if (qtype != 16) {
-
-		switch (af) {
-
-		case AF_INET:
-			qtype = T_A;
-			break;
-
-#ifdef AF_INET6
-		case AF_INET6:
-			qtype = T_AAAA;
-			break;
-#endif
-
-		default:
-			snprintf(errstr, NB_DNS_ERRSIZE,
-			    "nb_dns_host_request2(): unknown address family %d", af);
-			return (-1);
-		}
-	}
-	return (_nb_dns_mkquery(nd, name, af, qtype, cookie, errstr));
-}
-
-int
-nb_dns_addr_request(register struct nb_dns_info *nd, nb_uint32_t addr,
-    register void *cookie, register char *errstr)
-{
-
-	return (nb_dns_addr_request2(nd, (char *)&addr, AF_INET,
-	    cookie, errstr));
-}
-
-int
-nb_dns_addr_request2(register struct nb_dns_info *nd, char *addrp,
-    register int af, register void *cookie, register char *errstr)
-{
-#ifdef AF_INET6
-	register char *cp;
-	register int n, i;
-	register size_t size;
-#endif
-	register u_char *uaddr;
-	char name[NS_MAXDNAME + 1];
-
-	switch (af) {
-
-	case AF_INET:
-		uaddr = (u_char *)addrp;
-		snprintf(name, sizeof(name), "%u.%u.%u.%u.in-addr.arpa",
-		    (uaddr[3] & 0xff),
-		    (uaddr[2] & 0xff),
-		    (uaddr[1] & 0xff),
-		    (uaddr[0] & 0xff));
-		break;
-
-#ifdef AF_INET6
-	case AF_INET6:
-		uaddr = (u_char *)addrp;
-		cp = name;
-		size = sizeof(name);
-		for (n = NS_IN6ADDRSZ - 1; n >= 0; --n) {
-			snprintf(cp, size, "%x.%x.",
-			    (uaddr[n] & 0xf),
-			    (uaddr[n] >> 4) & 0xf);
-			i = strlen(cp);
-			size -= i;
-			cp += i;
-		}
-		snprintf(cp, size, "ip6.arpa");
-		break;
-#endif
-
-	default:
-		snprintf(errstr, NB_DNS_ERRSIZE,
-		    "nb_dns_addr_request2(): unknown address family %d", af);
-		return (-1);
-	}
-
-	return (_nb_dns_mkquery(nd, name, af, T_PTR, cookie, errstr));
-}
-
-int
-nb_dns_abort_request(struct nb_dns_info *nd, void *cookie)
-{
-	register struct nb_dns_entry *ne, *lastne;
-
-	/* Try to find this request on the outstanding request list */
-	lastne = NULL;
-	for (ne = nd->list; ne != NULL; ne = ne->next) {
-		if (ne->cookie == cookie)
-			break;
-		lastne = ne;
-	}
-
-	/* Not a currently pending request */
-	if (ne == NULL)
-		return (-1);
-
-	/* Unlink this entry */
-	if (lastne == NULL)
-		nd->list = ne->next;
-	else
-		lastne->next = ne->next;
-	ne->next = NULL;
-
-	return (0);
-}
-
-/* Returns 1 with an answer, 0 when reply was old, -1 on fatal errors */
-int
-nb_dns_activity(struct nb_dns_info *nd, struct nb_dns_result *nr, char *errstr)
-{
-	register int msglen, qtype, atype, n, i;
-	register struct nb_dns_entry *ne, *lastne;
-	socklen_t fromlen;
-	struct sockaddr_storage from;
-	u_long msg[MAXPACKET / sizeof(u_long)];
-	register char *bp, *ep;
-	register char **ap, **hap;
-	register u_int16_t id;
-	register const u_char *rdata;
-	register u_int32_t rttl = 0;	// make compiler happy.
-	register struct hostent *he;
-	register size_t rdlen;
-	ns_msg handle;
-	ns_rr rr;
-
-	/* This comes from the second half of do_query() */
-	fromlen = sizeof(from);
-	msglen = recvfrom(nd->s, (char *)msg, sizeof(msg), 0,
-	                  (struct sockaddr*)&from, &fromlen);
-	if (msglen <= 0) {
-		snprintf(errstr, NB_DNS_ERRSIZE, "recvfrom(): %s",
-		    my_strerror(errno));
-		return (-1);
-	}
-	if (msglen < HFIXEDSZ) {
-		snprintf(errstr, NB_DNS_ERRSIZE, "recvfrom(): undersized: %d",
-		    msglen);
-		return (-1);
-	}
-	if (ns_initparse((u_char *)msg, msglen, &handle) < 0) {
-		snprintf(errstr, NB_DNS_ERRSIZE, "ns_initparse(): %s",
-		    my_strerror(errno));
-		nr->host_errno = NO_RECOVERY;
-		return (-1);
-	}
-
-	/* RES_INSECURE1 style check */
-	if (_nb_dns_cmpsockaddr((struct sockaddr*)&nd->server,
-	                        (struct sockaddr*)&from, errstr) < 0) {
-		nr->host_errno = NO_RECOVERY;
-		return (-1);
-	}
-
-	/* Search for this request */
-	lastne = NULL;
-	id = ns_msg_id(handle);
-	for (ne = nd->list; ne != NULL; ne = ne->next) {
-		if (ne->id == id)
-			break;
-		lastne = ne;
-	}
-
-	/* Not an answer to a question we care about anymore */
-	if (ne == NULL)
-		return (0);
-
-	/* Unlink this entry */
-	if (lastne == NULL)
-		nd->list = ne->next;
-	else
-		lastne->next = ne->next;
-	ne->next = NULL;
-
-	/* RES_INSECURE2 style check */
-	/* XXX not implemented */
-
-	/* Initialize result struct */
-	memset(nr, 0, sizeof(*nr));
-	nr->cookie = ne->cookie;
-	qtype = ne->qtype;
-
-	/* Deal with various errors */
-	switch (ns_msg_getflag(handle, ns_f_rcode)) {
-
-	case ns_r_nxdomain:
-		nr->host_errno = HOST_NOT_FOUND;
-		free(ne);
-		return (1);
-
-	case ns_r_servfail:
-		nr->host_errno = TRY_AGAIN;
-		free(ne);
-		return (1);
-
-	case ns_r_noerror:
-		break;
-
-	case ns_r_formerr:
-	case ns_r_notimpl:
-	case ns_r_refused:
-	default:
-		nr->host_errno = NO_RECOVERY;
-		free(ne);
-		return (1);
-	}
-
-	/* Loop through records in packet */
-	memset(&rr, 0, sizeof(rr));
-	memset(&nd->dns_hostent, 0, sizeof(nd->dns_hostent));
-	he = &nd->dns_hostent.hostent;
-	/* XXX no support for aliases */
-	he->h_aliases = nd->dns_hostent.host_aliases;
-	he->h_addr_list = nd->dns_hostent.h_addr_ptrs;
-	he->h_addrtype = ne->atype;
-	he->h_length = ne->asize;
-	free(ne);
-
-	bp = nd->dns_hostent.hostbuf;
-	ep = bp + sizeof(nd->dns_hostent.hostbuf);
-	hap = he->h_addr_list;
-	ap = he->h_aliases;
-
-	for (i = 0; i < ns_msg_count(handle, ns_s_an); i++) {
-		/* Parse next record */
-		if (ns_parserr(&handle, ns_s_an, i, &rr) < 0) {
-			if (errno != ENODEV) {
-				nr->host_errno = NO_RECOVERY;
-				return (1);
-			}
-			/* All done */
-			break;
-		}
-
-		/* Ignore records that don't answer our query (e.g. CNAMEs) */
-		atype = ns_rr_type(rr);
-		if (atype != qtype)
-			continue;
-
-		rdata = ns_rr_rdata(rr);
-		rdlen = ns_rr_rdlen(rr);
-		rttl = ns_rr_ttl(rr);
-		switch (atype) {
-
-		case T_A:
-		case T_AAAA:
-			if (rdlen != (unsigned int) he->h_length) {
-				snprintf(errstr, NB_DNS_ERRSIZE,
-				    "nb_dns_activity(): bad rdlen %d",
-				    (int) rdlen);
-				nr->host_errno = NO_RECOVERY;
-				return (-1);
-			}
-
-			if (bp + rdlen >= ep) {
-				snprintf(errstr, NB_DNS_ERRSIZE,
-				    "nb_dns_activity(): overflow 1");
-				nr->host_errno = NO_RECOVERY;
-				return (-1);
-			}
-			if (nd->dns_hostent.numaddrs + 1 >= MAXADDRS) {
-				snprintf(errstr, NB_DNS_ERRSIZE,
-				    "nb_dns_activity(): overflow 2");
-				nr->host_errno = NO_RECOVERY;
-				return (-1);
-			}
-
-			memcpy(bp, rdata, rdlen);
-			*hap++ = bp;
-			bp += rdlen;
-			++nd->dns_hostent.numaddrs;
-
-			/* Keep looking for more A records */
-			break;
-
-		case T_TXT:
-			if (bp + rdlen >= ep) {
-				snprintf(errstr, NB_DNS_ERRSIZE,
-				    "nb_dns_activity(): overflow 1 for txt");
-				nr->host_errno = NO_RECOVERY;
-				return (-1);
-			}
-
-			memcpy(bp, rdata, rdlen);
-			he->h_name = bp+1; /* First char is a control character. */
-			nr->hostent = he;
-			nr->ttl = rttl;
-			return (1);
-
-		case T_PTR:
-			n = dn_expand((const u_char *)msg,
-			    (const u_char *)msg + msglen, rdata, bp, ep - bp);
-			if (n < 0) {
-				/* XXX return -1 here ??? */
-				nr->host_errno = NO_RECOVERY;
-				return (1);
-			}
-			he->h_name = bp;
-			/* XXX check for overflow */
-			bp += n;		/* returned len includes EOS */
-
-			/* "Find first satisfactory answer" */
-			nr->hostent = he;
-			nr->ttl = rttl;
-			return (1);
-		}
-	}
-
-	nr->hostent = he;
-	nr->ttl = rttl;
-	return (1);
-}
diff --git a/src/nb_dns.h b/src/nb_dns.h
deleted file mode 100644
index 91ea1d8e94..0000000000
--- a/src/nb_dns.h
+++ /dev/null
@@ -1,41 +0,0 @@
-/*
- * See the file "COPYING" in the main distribution directory for copyright.
- */
-
-#pragma once
-
-#include <stdint.h>
-#include <sys/socket.h>
-
-/* Private data */
-struct nb_dns_info;
-
-/* Public data */
-struct nb_dns_result {
-	void *cookie;
-	int host_errno;
-	uint32_t ttl;
-	struct hostent *hostent;
-};
-
-typedef unsigned int nb_uint32_t;
-
-/* Public routines */
-struct nb_dns_info *nb_dns_init(char *);
-struct nb_dns_info *nb_dns_init2(char *, struct sockaddr*);
-void nb_dns_finish(struct nb_dns_info *);
-
-int nb_dns_fd(struct nb_dns_info *);
-
-int nb_dns_host_request(struct nb_dns_info *, const char *, void *, char *);
-int nb_dns_host_request2(struct nb_dns_info *, const char *, int, int,
-				void *, char *);
-
-int nb_dns_addr_request(struct nb_dns_info *, nb_uint32_t, void *, char *);
-int nb_dns_addr_request2(struct nb_dns_info *, char *, int, void *, char *);
-
-int nb_dns_abort_request(struct nb_dns_info *, void *);
-
-int nb_dns_activity(struct nb_dns_info *, struct nb_dns_result *, char *);
-
-#define NB_DNS_ERRSIZE 256
diff --git a/src/patricia.c b/src/patricia.c
deleted file mode 100644
index 7aa265c0fb..0000000000
--- a/src/patricia.c
+++ /dev/null
@@ -1,1174 +0,0 @@
-/*
- * This code originates from Dave Plonka's Net::Security perl module. An adaptation
- * of it in C is kept at https://github.com/CAIDA/cc-common/tree/master/libpatricia.
- * That repository is considered the upstream version for Zeek's fork. We make some
- * custom changes to this upstream:
- * - Replaces void_fn_t with data_fn_t and prefix_data_fn_t
- * - Adds patricia_search_all method
- * - One commented-out portion of an if statement that breaks one of our tests
- *
- * The current version is based on commit 4a2c61374f507a420d28bd9084c976142d279605
- * from that repo.
- */
-
-/*
- * Johanna Amann <johanna@icir.org>
- *
- * Added patricia_search_all function.
- */
-/*
- * Dave Plonka <plonka@doit.wisc.edu>
- *
- * This product includes software developed by the University of Michigan,
- * Merit Network, Inc., and their contributors.
- *
- * This file had been called "radix.c" in the MRT sources.
- *
- * I renamed it to "patricia.c" since it's not an implementation of a general
- * radix trie.  Also I pulled in various requirements from "prefix.c" and
- * "demo.c" so that it could be used as a standalone API.
- */
-
-/* From copyright.txt:
- *
- * Copyright (c) 1997, 1998, 1999
- *
- *
- * The Regents of the University of Michigan ("The Regents") and Merit Network,
- * Inc.  All rights reserved.
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- * 1.  Redistributions of source code must retain the above
- *     copyright notice, this list of conditions and the
- *     following disclaimer.
- * 2.  Redistributions in binary form must reproduce the above
- *     copyright notice, this list of conditions and the
- *     following disclaimer in the documentation and/or other
- *     materials provided with the distribution.
- * 3.  All advertising materials mentioning features or use of
- *     this software must display the following acknowledgement:
- * This product includes software developed by the University of Michigan, Merit
- * Network, Inc., and their contributors.
- * 4.  Neither the name of the University, Merit Network, nor the
- *     names of their contributors may be used to endorse or
- *     promote products derived from this software without
- *     specific prior written permission.
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY
- * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
- * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef UNUSED
-#  if __GNUC__ >= 3
-#    define UNUSED  __attribute__((unused))
-#  else
-#    define UNUSED
-#  endif
-#endif
-
-UNUSED static char copyright[] =
-"This product includes software developed by the University of Michigan, Merit"
-"Network, Inc., and their contributors.";
-
-#include <assert.h> /* assert */
-#include <ctype.h> /* isdigit */
-#include <errno.h> /* errno */
-#include <math.h> /* sin */
-#include <stddef.h> /* NULL */
-#include <stdio.h> /* sprintf, fprintf, stderr */
-#include <stdlib.h> /* free, atol, calloc */
-#include <string.h> /* memcpy, strchr, strlen */
-#include <sys/types.h> /* BSD: for inet_addr */
-#include <sys/socket.h> /* BSD, Linux: for inet_addr */
-#include <netinet/in.h> /* BSD, Linux: for inet_addr */
-#include <arpa/inet.h> /* BSD, Linux, Solaris: for inet_addr */
-#include <stdbool.h>
-
-#include "zeek/patricia.h"
-
-#define Delete free
-
-// From Zeek for reporting memory exhaustion.
-extern void out_of_memory(const char* where);
-
-/* { from prefix.c */
-
-/* prefix_tochar
- * convert prefix information to bytes
- */
-u_char *
-prefix_tochar (prefix_t * prefix)
-{
-    if (prefix == NULL)
-	return (NULL);
-
-    return ((u_char *) & prefix->add.sin);
-}
-
-int
-comp_with_mask (void *addr, void *dest, u_int mask)
-{
-
-    if ( /* mask/8 == 0 || */ memcmp (addr, dest, mask / 8) == 0) {
-	int n = mask / 8;
-	int m = -(1 << (8 - (mask % 8)));
-
-	if (mask % 8 == 0 || (((u_char *)addr)[n] & m) == (((u_char *)dest)[n] & m))
-	    return (1);
-    }
-    return (0);
-}
-
-/* this allows imcomplete prefix */
-int
-my_inet_pton (int af, const char *src, void *dst)
-{
-    if (af == AF_INET) {
-        int i, c, val;
-        u_char xp[sizeof(struct in_addr)] = {0, 0, 0, 0};
-
-        for (i = 0; ; i++) {
-	    c = *src++;
-	    if (!isdigit (c))
-		return (-1);
-	    val = 0;
-	    do {
-		val = val * 10 + c - '0';
-		if (val > 255)
-		    return (0);
-		c = *src++;
-	    } while (c && isdigit (c));
-            xp[i] = val;
-	    if (c == '\0')
-		break;
-            if (c != '.')
-                return (0);
-	    if (i >= 3)
-		return (0);
-        }
-        memcpy (dst, xp, sizeof(struct in_addr));
-        return (1);
-    } else if (af == AF_INET6) {
-        return (inet_pton (af, src, dst));
-    } else {
-#ifndef NT
-	errno = EAFNOSUPPORT;
-#endif /* NT */
-	return -1;
-    }
-}
-
-#define PATRICIA_MAX_THREADS		16
-
-/*
- * convert prefix information to ascii string with length
- * thread safe and (almost) re-entrant implementation
- */
-char *
-prefix_toa2x (prefix_t *prefix, char *buff, int with_len)
-{
-    if (prefix == NULL)
-	return ("(Null)");
-    assert (prefix->ref_count >= 0);
-    if (buff == NULL) {
-
-        struct buffer {
-            char buffs[PATRICIA_MAX_THREADS][48+5];
-            u_int i;
-        } *buffp;
-
-#    if 0
-	THREAD_SPECIFIC_DATA (struct buffer, buffp, 1);
-#    else
-        { /* for scope only */
-	   static struct buffer local_buff;
-           buffp = &local_buff;
-	}
-#    endif
-	if (buffp == NULL) {
-	    /* XXX should we report an error? */
-	    return (NULL);
-	}
-
-	buff = buffp->buffs[buffp->i++%PATRICIA_MAX_THREADS];
-    }
-    if (prefix->family == AF_INET) {
-	u_char *a;
-	assert (prefix->bitlen <= sizeof(struct in_addr) * 8);
-	a = prefix_touchar (prefix);
-	if (with_len) {
-	    sprintf (buff, "%d.%d.%d.%d/%d", a[0], a[1], a[2], a[3],
-		     prefix->bitlen);
-	}
-	else {
-	    sprintf (buff, "%d.%d.%d.%d", a[0], a[1], a[2], a[3]);
-	}
-	return (buff);
-    }
-    else if (prefix->family == AF_INET6) {
-	char *r;
-	r = (char *) inet_ntop (AF_INET6, &prefix->add.sin6, buff, 48 /* a guess value */ );
-	if (r && with_len) {
-	    assert (prefix->bitlen <= sizeof(struct in6_addr) * 8);
-	    sprintf (buff + strlen (buff), "/%d", prefix->bitlen);
-	}
-	return (buff);
-    }
-    else
-	return (NULL);
-}
-
-/* prefix_toa2
- * convert prefix information to ascii string
- */
-char *
-prefix_toa2 (prefix_t *prefix, char *buff)
-{
-    return (prefix_toa2x (prefix, buff, 0));
-}
-
-/* prefix_toa
- */
-char *
-prefix_toa (prefix_t * prefix)
-{
-    return (prefix_toa2 (prefix, (char *) NULL));
-}
-
-prefix_t *
-New_Prefix2 (int family, void *dest, int bitlen, prefix_t *prefix)
-{
-    int dynamic_allocated = 0;
-    int default_bitlen = sizeof(struct in_addr) * 8;
-
-    if (family == AF_INET6) {
-        default_bitlen = sizeof(struct in6_addr) * 8;
-	if (prefix == NULL) {
-            prefix = calloc(1, sizeof (prefix_t));
-            if (prefix == NULL)
-                out_of_memory("patricia/new_prefix2: unable to allocate memory");
-
-	    dynamic_allocated++;
-	}
-	memcpy (&prefix->add.sin6, dest, sizeof(struct in6_addr));
-    }
-    else
-    if (family == AF_INET) {
-		if (prefix == NULL) {
-#ifndef NT
-            prefix = calloc(1, sizeof (prefix_t));
-            if (prefix == NULL)
-                out_of_memory("patricia/new_prefix2: unable to allocate memory");
-#else
-			//for some reason, compiler is getting
-			//prefix4_t size incorrect on NT
-			prefix = calloc(1, sizeof (prefix_t));
-                        if (prefix == NULL)
-                            out_of_memory("patricia/new_prefix2: unable to allocate memory");
-#endif /* NT */
-
-			dynamic_allocated++;
-		}
-	memcpy (&prefix->add.sin, dest, sizeof(struct in_addr));
-    }
-    else {
-        return (NULL);
-    }
-
-    prefix->bitlen = (bitlen >= 0)? bitlen: default_bitlen;
-    prefix->family = family;
-    prefix->ref_count = 0;
-    if (dynamic_allocated) {
-        prefix->ref_count++;
-   }
-/* fprintf(stderr, "[C %s, %d]\n", prefix_toa (prefix), prefix->ref_count); */
-    return (prefix);
-}
-
-prefix_t *
-New_Prefix (int family, void *dest, int bitlen)
-{
-    return (New_Prefix2 (family, dest, bitlen, NULL));
-}
-
-/* ascii2prefix
- */
-prefix_t *
-ascii2prefix (int family, char *string)
-{
-    u_long bitlen, maxbitlen = 0;
-    char *cp;
-    struct in_addr sin;
-    struct in6_addr sin6;
-    int result;
-    char save[MAXLINE];
-
-    if (string == NULL)
-		return (NULL);
-
-    /* easy way to handle both families */
-    if (family == 0) {
-       family = AF_INET;
-       if (strchr (string, ':')) family = AF_INET6;
-    }
-
-    if (family == AF_INET) {
-	maxbitlen = sizeof(struct in_addr) * 8;
-    }
-    else if (family == AF_INET6) {
-	maxbitlen = sizeof(struct in6_addr) * 8;
-    }
-
-    if ((cp = strchr (string, '/')) != NULL) {
-		bitlen = atol (cp + 1);
-		/* *cp = '\0'; */
-		/* copy the string to save. Avoid destroying the string */
-		assert (cp - string < MAXLINE);
-		memcpy (save, string, cp - string);
-		save[cp - string] = '\0';
-		string = save;
-		if (bitlen > maxbitlen)
-			bitlen = maxbitlen;
-		}
-		else {
-			bitlen = maxbitlen;
-		}
-
-		if (family == AF_INET) {
-			if ((result = my_inet_pton (AF_INET, string, &sin)) <= 0)
-				return (NULL);
-			return (New_Prefix (AF_INET, &sin, bitlen));
-		}
-
-		else if (family == AF_INET6) {
-// Get rid of this with next IPv6 upgrade
-#if defined(NT) && !defined(HAVE_INET_NTOP)
-			inet6_addr(string, &sin6);
-			return (New_Prefix (AF_INET6, &sin6, bitlen));
-#else
-			if ((result = inet_pton (AF_INET6, string, &sin6)) <= 0)
-				return (NULL);
-#endif /* NT */
-			return (New_Prefix (AF_INET6, &sin6, bitlen));
-		}
-		else
-			return (NULL);
-}
-
-prefix_t *
-Ref_Prefix (prefix_t * prefix)
-{
-    if (prefix == NULL)
-	return (NULL);
-    if (prefix->ref_count == 0) {
-	/* make a copy in case of a static prefix */
-        return (New_Prefix2 (prefix->family, &prefix->add, prefix->bitlen, NULL));
-    }
-    prefix->ref_count++;
-/* fprintf(stderr, "[A %s, %d]\n", prefix_toa (prefix), prefix->ref_count); */
-    return (prefix);
-}
-
-void
-Deref_Prefix (prefix_t * prefix)
-{
-    if (prefix == NULL)
-	return;
-    /* for secure programming, raise an assert. no static prefix can call this */
-    assert (prefix->ref_count > 0);
-
-    prefix->ref_count--;
-    assert (prefix->ref_count >= 0);
-    if (prefix->ref_count <= 0) {
-	Delete (prefix);
-	return;
-    }
-}
-
-/* } */
-
-/* #define PATRICIA_DEBUG 1 */
-
-static int num_active_patricia = 0;
-
-/* these routines support continuous mask only */
-
-patricia_tree_t *
-New_Patricia (int maxbits)
-{
-    patricia_tree_t *patricia = calloc(1, sizeof *patricia);
-    if (patricia == NULL)
-        out_of_memory("patricia/new_patricia: unable to allocate memory");
-
-    patricia->maxbits = maxbits;
-    patricia->head = NULL;
-    patricia->num_active_node = 0;
-    assert (maxbits <= PATRICIA_MAXBITS); /* XXX */
-    num_active_patricia++;
-    return (patricia);
-}
-
-
-/*
- * if func is supplied, it will be called as func(node->data)
- * before deleting the node
- */
-
-void
-Clear_Patricia (patricia_tree_t *patricia, data_fn_t func)
-{
-    assert (patricia);
-    if (patricia->head) {
-
-        patricia_node_t *Xstack[PATRICIA_MAXBITS+1];
-        patricia_node_t **Xsp = Xstack;
-        patricia_node_t *Xrn = patricia->head;
-
-        while (Xrn) {
-            patricia_node_t *l = Xrn->l;
-            patricia_node_t *r = Xrn->r;
-
-    	    if (Xrn->prefix) {
-		Deref_Prefix (Xrn->prefix);
-		if (Xrn->data && func)
-	    	    func (Xrn->data);
-    	    }
-    	    else {
-		assert (Xrn->data == NULL);
-    	    }
-    	    Delete (Xrn);
-	    patricia->num_active_node--;
-
-            if (l) {
-                if (r) {
-                    *Xsp++ = r;
-                }
-                Xrn = l;
-            } else if (r) {
-                Xrn = r;
-            } else if (Xsp != Xstack) {
-                Xrn = *(--Xsp);
-            } else {
-                Xrn = NULL;
-            }
-        }
-    }
-    assert (patricia->num_active_node == 0);
-    /* Delete (patricia); */
-}
-
-
-void
-Destroy_Patricia (patricia_tree_t *patricia, data_fn_t func)
-{
-    Clear_Patricia (patricia, func);
-    Delete (patricia);
-    num_active_patricia--;
-}
-
-
-/*
- * if func is supplied, it will be called as func(node->prefix, node->data)
- */
-
-void
-patricia_process (patricia_tree_t *patricia, prefix_data_fn_t func)
-{
-    patricia_node_t *node;
-    assert (func);
-
-    PATRICIA_WALK (patricia->head, node) {
-	func (node->prefix, node->data);
-    } PATRICIA_WALK_END;
-}
-
-size_t
-patricia_walk_inorder(patricia_node_t *node, prefix_data_fn_t func)
-{
-    size_t n = 0;
-    assert(func);
-
-    if (node->l) {
-         n += patricia_walk_inorder(node->l, func);
-    }
-
-    if (node->prefix) {
-	func(node->prefix, node->data);
-	n++;
-    }
-
-    if (node->r) {
-         n += patricia_walk_inorder(node->r, func);
-    }
-
-    return n;
-}
-
-
-patricia_node_t *
-patricia_search_exact (patricia_tree_t *patricia, prefix_t *prefix)
-{
-    patricia_node_t *node;
-    u_char *addr;
-    u_int bitlen;
-
-    assert (patricia);
-    assert (prefix);
-    assert (prefix->bitlen <= patricia->maxbits);
-
-    if (patricia->head == NULL)
-	return (NULL);
-
-    node = patricia->head;
-    addr = prefix_touchar (prefix);
-    bitlen = prefix->bitlen;
-
-    while (node->bit < bitlen) {
-
-	if (BIT_TEST (addr[node->bit >> 3], 0x80 >> (node->bit & 0x07))) {
-#ifdef PATRICIA_DEBUG
-	    if (node->prefix)
-    	        fprintf (stderr, "patricia_search_exact: take right %s/%d\n",
-	                 prefix_toa (node->prefix), node->prefix->bitlen);
-	    else
-    	        fprintf (stderr, "patricia_search_exact: take right at %u\n",
-			 node->bit);
-#endif /* PATRICIA_DEBUG */
-	    node = node->r;
-	}
-	else {
-#ifdef PATRICIA_DEBUG
-	    if (node->prefix)
-    	        fprintf (stderr, "patricia_search_exact: take left %s/%d\n",
-	                 prefix_toa (node->prefix), node->prefix->bitlen);
-	    else
-    	        fprintf (stderr, "patricia_search_exact: take left at %u\n",
-			 node->bit);
-#endif /* PATRICIA_DEBUG */
-	    node = node->l;
-	}
-
-	if (node == NULL)
-	    return (NULL);
-    }
-
-#ifdef PATRICIA_DEBUG
-    if (node->prefix)
-        fprintf (stderr, "patricia_search_exact: stop at %s/%d\n",
-	         prefix_toa (node->prefix), node->prefix->bitlen);
-    else
-        fprintf (stderr, "patricia_search_exact: stop at %u\n", node->bit);
-#endif /* PATRICIA_DEBUG */
-    if (node->bit > bitlen || node->prefix == NULL)
-	return (NULL);
-    assert (node->bit == bitlen);
-    assert (node->bit == node->prefix->bitlen);
-    if (comp_with_mask (prefix_tochar (node->prefix), prefix_tochar (prefix),
-			bitlen)) {
-#ifdef PATRICIA_DEBUG
-        fprintf (stderr, "patricia_search_exact: found %s/%d\n",
-	         prefix_toa (node->prefix), node->prefix->bitlen);
-#endif /* PATRICIA_DEBUG */
-	return (node);
-    }
-    return (NULL);
-}
-
-bool
-patricia_search_all (patricia_tree_t *patricia, prefix_t *prefix, patricia_node_t ***list, int *n)
-{
-	patricia_node_t *node;
-	patricia_node_t *stack[PATRICIA_MAXBITS + 1];
-	u_char *addr;
-	u_int bitlen;
-	int cnt = 0;
-
-	assert (patricia);
-	assert (prefix);
-	assert (prefix->bitlen <= patricia->maxbits);
-	assert (n);
-	assert (list);
-	assert (*list == NULL);
-
-	*n = 0;
-
-	if (patricia->head == NULL)
-		return (NULL);
-
-	node = patricia->head;
-	addr = prefix_touchar (prefix);
-	bitlen = prefix->bitlen;
-
-	while (node->bit < bitlen) {
-
-	if (node->prefix) {
-#ifdef PATRICIA_DEBUG
-		fprintf (stderr, "patricia_search_all: push %s/%d\n",
-			prefix_toa (node->prefix), node->prefix->bitlen);
-#endif /* PATRICIA_DEBUG */
-		stack[cnt++] = node;
-	}
-
-	if (BIT_TEST (addr[node->bit >> 3], 0x80 >> (node->bit & 0x07))) {
-#ifdef PATRICIA_DEBUG
-		if (node->prefix)
-			fprintf (stderr, "patricia_search_all: take right %s/%d\n",
-				prefix_toa (node->prefix), node->prefix->bitlen);
-			else
-			fprintf (stderr, "patricia_search_all: take right at %d\n",
-				node->bit);
-#endif /* PATRICIA_DEBUG */
-		node = node->r;
-	} else {
-#ifdef PATRICIA_DEBUG
-		if (node->prefix)
-			fprintf (stderr, "patricia_search_all: take left %s/%d\n",
-				prefix_toa (node->prefix), node->prefix->bitlen);
-			else
-				fprintf (stderr, "patricia_search_all: take left at %d\n",
-					node->bit);
-#endif /* PATRICIA_DEBUG */
-			node = node->l;
-	}
-
-	if (node == NULL)
-			break;
-	}
-
-	if (node && node->prefix)
-		stack[cnt++] = node;
-
-#ifdef PATRICIA_DEBUG
-		if (node == NULL)
-			fprintf (stderr, "patricia_search_all: stop at null\n");
-		else if (node->prefix)
-			fprintf (stderr, "patricia_search_all: stop at %s/%d\n",
-				prefix_toa (node->prefix), node->prefix->bitlen);
-		else
-			fprintf (stderr, "patricia_search_all: stop at %d\n", node->bit);
-#endif /* PATRICIA_DEBUG */
-
-	if (cnt <= 0)
-		return false;
-
-	// ok, now we have an upper bound of how much we can return. Let's just alloc that...
-	patricia_node_t **outlist = calloc(cnt, sizeof(patricia_node_t*));
-	if (outlist == NULL)
-		out_of_memory("patricia/patricia_search_all: unable to allocate memory");
-
-	while (--cnt >= 0) {
-		node = stack[cnt];
-#ifdef PATRICIA_DEBUG
-		fprintf (stderr, "patricia_search_all: pop %s/%d\n",
-			prefix_toa (node->prefix), node->prefix->bitlen);
-#endif /* PATRICIA_DEBUG */
-		if (comp_with_mask (prefix_tochar (node->prefix), prefix_tochar (prefix), node->prefix->bitlen)) {
-#ifdef PATRICIA_DEBUG
-			fprintf (stderr, "patricia_search_all: found %s/%d\n",
-				prefix_toa (node->prefix), node->prefix->bitlen);
-#endif /* PATRICIA_DEBUG */
-			outlist[*n] = node;
-			(*n)++;
-		}
-	}
-	*list = outlist;
-	return (*n == 0);
-}
-
-
-/* if inclusive != 0, "best" may be the given prefix itself */
-patricia_node_t *
-patricia_search_best2 (patricia_tree_t *patricia, prefix_t *prefix, int inclusive)
-{
-    patricia_node_t *node;
-    patricia_node_t *stack[PATRICIA_MAXBITS + 1];
-    u_char *addr;
-    u_int bitlen;
-    int cnt = 0;
-
-    assert (patricia);
-    assert (prefix);
-    assert (prefix->bitlen <= patricia->maxbits);
-
-    if (patricia->head == NULL)
-	return (NULL);
-
-    node = patricia->head;
-    addr = prefix_touchar (prefix);
-    bitlen = prefix->bitlen;
-
-    while (node->bit < bitlen) {
-
-	if (node->prefix) {
-#ifdef PATRICIA_DEBUG
-            fprintf (stderr, "patricia_search_best: push %s/%d\n",
-	             prefix_toa (node->prefix), node->prefix->bitlen);
-#endif /* PATRICIA_DEBUG */
-	    stack[cnt++] = node;
-	}
-
-	if (BIT_TEST (addr[node->bit >> 3], 0x80 >> (node->bit & 0x07))) {
-#ifdef PATRICIA_DEBUG
-	    if (node->prefix)
-    	        fprintf (stderr, "patricia_search_best: take right %s/%d\n",
-	                 prefix_toa (node->prefix), node->prefix->bitlen);
-	    else
-    	        fprintf (stderr, "patricia_search_best: take right at %u\n",
-			 node->bit);
-#endif /* PATRICIA_DEBUG */
-	    node = node->r;
-	}
-	else {
-#ifdef PATRICIA_DEBUG
-	    if (node->prefix)
-    	        fprintf (stderr, "patricia_search_best: take left %s/%d\n",
-	                 prefix_toa (node->prefix), node->prefix->bitlen);
-	    else
-    	        fprintf (stderr, "patricia_search_best: take left at %u\n",
-			 node->bit);
-#endif /* PATRICIA_DEBUG */
-	    node = node->l;
-	}
-
-	if (node == NULL)
-	    break;
-    }
-
-    if (inclusive && node && node->prefix)
-	stack[cnt++] = node;
-
-#ifdef PATRICIA_DEBUG
-    if (node == NULL)
-        fprintf (stderr, "patricia_search_best: stop at null\n");
-    else if (node->prefix)
-        fprintf (stderr, "patricia_search_best: stop at %s/%d\n",
-	         prefix_toa (node->prefix), node->prefix->bitlen);
-    else
-        fprintf (stderr, "patricia_search_best: stop at %u\n", node->bit);
-#endif /* PATRICIA_DEBUG */
-
-    if (cnt <= 0)
-	return (NULL);
-
-    while (--cnt >= 0) {
-	node = stack[cnt];
-#ifdef PATRICIA_DEBUG
-        fprintf (stderr, "patricia_search_best: pop %s/%d\n",
-	         prefix_toa (node->prefix), node->prefix->bitlen);
-#endif /* PATRICIA_DEBUG */
-	if (comp_with_mask (prefix_tochar (node->prefix),
-	                    prefix_tochar (prefix),
-	                    node->prefix->bitlen) && node->prefix->bitlen <= bitlen) {
-#ifdef PATRICIA_DEBUG
-            fprintf (stderr, "patricia_search_best: found %s/%d\n",
-	             prefix_toa (node->prefix), node->prefix->bitlen);
-#endif /* PATRICIA_DEBUG */
-	    return (node);
-	}
-    }
-    return (NULL);
-}
-
-
-patricia_node_t *
-patricia_search_best (patricia_tree_t *patricia, prefix_t *prefix)
-{
-    return (patricia_search_best2 (patricia, prefix, 1));
-}
-
-
-patricia_node_t *
-patricia_lookup (patricia_tree_t *patricia, prefix_t *prefix)
-{
-    patricia_node_t *node, *new_node, *parent, *glue;
-    u_char *addr, *test_addr;
-    u_int bitlen, check_bit, differ_bit;
-    int i, j, r;
-
-    assert (patricia);
-    assert (prefix);
-    assert (prefix->bitlen <= patricia->maxbits);
-
-    if (patricia->head == NULL) {
-	node = calloc(1, sizeof *node);
-        if (node == NULL)
-            out_of_memory("patricia/patricia_lookup: unable to allocate memory");
-
-	node->bit = prefix->bitlen;
-	node->prefix = Ref_Prefix (prefix);
-	node->parent = NULL;
-	node->l = node->r = NULL;
-	node->data = NULL;
-	patricia->head = node;
-#ifdef PATRICIA_DEBUG
-	fprintf (stderr, "patricia_lookup: new_node #0 %s/%d (head)\n",
-		 prefix_toa (prefix), prefix->bitlen);
-#endif /* PATRICIA_DEBUG */
-	patricia->num_active_node++;
-	return (node);
-    }
-
-    addr = prefix_touchar (prefix);
-    bitlen = prefix->bitlen;
-    node = patricia->head;
-
-    while (node->bit < bitlen || node->prefix == NULL) {
-
-	if (node->bit < patricia->maxbits &&
-	    BIT_TEST (addr[node->bit >> 3], 0x80 >> (node->bit & 0x07))) {
-	    if (node->r == NULL)
-		break;
-#ifdef PATRICIA_DEBUG
-	    if (node->prefix)
-    	        fprintf (stderr, "patricia_lookup: take right %s/%d\n",
-	                 prefix_toa (node->prefix), node->prefix->bitlen);
-	    else
-    	        fprintf (stderr, "patricia_lookup: take right at %u\n", node->bit);
-#endif /* PATRICIA_DEBUG */
-	    node = node->r;
-	}
-	else {
-	    if (node->l == NULL)
-		break;
-#ifdef PATRICIA_DEBUG
-	    if (node->prefix)
-    	        fprintf (stderr, "patricia_lookup: take left %s/%d\n",
-	             prefix_toa (node->prefix), node->prefix->bitlen);
-	    else
-    	        fprintf (stderr, "patricia_lookup: take left at %u\n", node->bit);
-#endif /* PATRICIA_DEBUG */
-	    node = node->l;
-	}
-
-	assert (node);
-    }
-
-    assert (node->prefix);
-#ifdef PATRICIA_DEBUG
-    fprintf (stderr, "patricia_lookup: stop at %s/%d\n",
-	     prefix_toa (node->prefix), node->prefix->bitlen);
-#endif /* PATRICIA_DEBUG */
-
-    test_addr = prefix_touchar (node->prefix);
-    /* find the first bit different */
-    check_bit = (node->bit < bitlen)? node->bit: bitlen;
-    differ_bit = 0;
-    for (i = 0; i*8 < check_bit; i++) {
-	if ((r = (addr[i] ^ test_addr[i])) == 0) {
-	    differ_bit = (i + 1) * 8;
-	    continue;
-	}
-	/* I know the better way, but for now */
-	for (j = 0; j < 8; j++) {
-	    if (BIT_TEST (r, (0x80 >> j)))
-		break;
-	}
-	/* must be found */
-	assert (j < 8);
-	differ_bit = i * 8 + j;
-	break;
-    }
-    if (differ_bit > check_bit)
-	differ_bit = check_bit;
-#ifdef PATRICIA_DEBUG
-    fprintf (stderr, "patricia_lookup: differ_bit %d\n", differ_bit);
-#endif /* PATRICIA_DEBUG */
-
-    parent = node->parent;
-    while (parent && parent->bit >= differ_bit) {
-	node = parent;
-	parent = node->parent;
-#ifdef PATRICIA_DEBUG
-	if (node->prefix)
-            fprintf (stderr, "patricia_lookup: up to %s/%d\n",
-	             prefix_toa (node->prefix), node->prefix->bitlen);
-	else
-            fprintf (stderr, "patricia_lookup: up to %u\n", node->bit);
-#endif /* PATRICIA_DEBUG */
-    }
-
-    if (differ_bit == bitlen && node->bit == bitlen) {
-	if (node->prefix) {
-#ifdef PATRICIA_DEBUG
-    	    fprintf (stderr, "patricia_lookup: found %s/%d\n",
-		     prefix_toa (node->prefix), node->prefix->bitlen);
-#endif /* PATRICIA_DEBUG */
-	    return (node);
-	}
-	node->prefix = Ref_Prefix (prefix);
-#ifdef PATRICIA_DEBUG
-	fprintf (stderr, "patricia_lookup: new node #1 %s/%d (glue mod)\n",
-		 prefix_toa (prefix), prefix->bitlen);
-#endif /* PATRICIA_DEBUG */
-	assert (node->data == NULL);
-	return (node);
-    }
-
-    new_node = calloc(1, sizeof *new_node);
-    if (new_node == NULL)
-        out_of_memory("patricia/patricia_lookup: unable to allocate memory");
-
-    new_node->bit = prefix->bitlen;
-    new_node->prefix = Ref_Prefix (prefix);
-    new_node->parent = NULL;
-    new_node->l = new_node->r = NULL;
-    new_node->data = NULL;
-    patricia->num_active_node++;
-
-    if (node->bit == differ_bit) {
-	new_node->parent = node;
-	if (node->bit < patricia->maxbits &&
-	    BIT_TEST (addr[node->bit >> 3], 0x80 >> (node->bit & 0x07))) {
-	    assert (node->r == NULL);
-	    node->r = new_node;
-	}
-	else {
-	    assert (node->l == NULL);
-	    node->l = new_node;
-	}
-#ifdef PATRICIA_DEBUG
-	fprintf (stderr, "patricia_lookup: new_node #2 %s/%d (child)\n",
-		 prefix_toa (prefix), prefix->bitlen);
-#endif /* PATRICIA_DEBUG */
-	return (new_node);
-    }
-
-    if (bitlen == differ_bit) {
-	if (bitlen < patricia->maxbits &&
-	    BIT_TEST (test_addr[bitlen >> 3], 0x80 >> (bitlen & 0x07))) {
-	    new_node->r = node;
-	}
-	else {
-	    new_node->l = node;
-	}
-	new_node->parent = node->parent;
-	if (node->parent == NULL) {
-	    assert (patricia->head == node);
-	    patricia->head = new_node;
-	}
-	else if (node->parent->r == node) {
-	    node->parent->r = new_node;
-	}
-	else {
-	    node->parent->l = new_node;
-	}
-	node->parent = new_node;
-#ifdef PATRICIA_DEBUG
-	fprintf (stderr, "patricia_lookup: new_node #3 %s/%d (parent)\n",
-		 prefix_toa (prefix), prefix->bitlen);
-#endif /* PATRICIA_DEBUG */
-    }
-    else {
-        glue = calloc(1, sizeof *glue);
-        if (glue == NULL)
-            out_of_memory("patricia/patricia_lookup: unable to allocate memory");
-
-        glue->bit = differ_bit;
-        glue->prefix = NULL;
-        glue->parent = node->parent;
-        glue->data = NULL;
-        patricia->num_active_node++;
-	if (differ_bit < patricia->maxbits &&
-	    BIT_TEST (addr[differ_bit >> 3], 0x80 >> (differ_bit & 0x07))) {
-	    glue->r = new_node;
-	    glue->l = node;
-	}
-	else {
-	    glue->r = node;
-	    glue->l = new_node;
-	}
-	new_node->parent = glue;
-
-	if (node->parent == NULL) {
-	    assert (patricia->head == node);
-	    patricia->head = glue;
-	}
-	else if (node->parent->r == node) {
-	    node->parent->r = glue;
-	}
-	else {
-	    node->parent->l = glue;
-	}
-	node->parent = glue;
-#ifdef PATRICIA_DEBUG
-	fprintf (stderr, "patricia_lookup: new_node #4 %s/%d (glue+node)\n",
-		 prefix_toa (prefix), prefix->bitlen);
-#endif /* PATRICIA_DEBUG */
-    }
-    return (new_node);
-}
-
-
-void
-patricia_remove (patricia_tree_t *patricia, patricia_node_t *node)
-{
-    patricia_node_t *parent, *child;
-
-    assert (patricia);
-    assert (node);
-
-    if (node->r && node->l) {
-#ifdef PATRICIA_DEBUG
-	fprintf (stderr, "patricia_remove: #0 %s/%d (r & l)\n",
-		 prefix_toa (node->prefix), node->prefix->bitlen);
-#endif /* PATRICIA_DEBUG */
-
-	/* this might be a placeholder node -- have to check and make sure
-	 * there is a prefix aossciated with it ! */
-	if (node->prefix != NULL)
-	  Deref_Prefix (node->prefix);
-	node->prefix = NULL;
-	/* Also I needed to clear data pointer -- masaki */
-	node->data = NULL;
-	return;
-    }
-
-    if (node->r == NULL && node->l == NULL) {
-#ifdef PATRICIA_DEBUG
-	fprintf (stderr, "patricia_remove: #1 %s/%d (!r & !l)\n",
-		 prefix_toa (node->prefix), node->prefix->bitlen);
-#endif /* PATRICIA_DEBUG */
-	parent = node->parent;
-	Deref_Prefix (node->prefix);
-	Delete (node);
-        patricia->num_active_node--;
-
-	if (parent == NULL) {
-	    assert (patricia->head == node);
-	    patricia->head = NULL;
-	    return;
-	}
-
-	if (parent->r == node) {
-	    parent->r = NULL;
-	    child = parent->l;
-	}
-	else {
-	    assert (parent->l == node);
-	    parent->l = NULL;
-	    child = parent->r;
-	}
-
-	if (parent->prefix)
-	    return;
-
-	/* we need to remove parent too */
-
-	if (parent->parent == NULL) {
-	    assert (patricia->head == parent);
-	    patricia->head = child;
-	}
-	else if (parent->parent->r == parent) {
-	    parent->parent->r = child;
-	}
-	else {
-	    assert (parent->parent->l == parent);
-	    parent->parent->l = child;
-	}
-	child->parent = parent->parent;
-	Delete (parent);
-        patricia->num_active_node--;
-	return;
-    }
-
-#ifdef PATRICIA_DEBUG
-    fprintf (stderr, "patricia_remove: #2 %s/%d (r ^ l)\n",
-	     prefix_toa (node->prefix), node->prefix->bitlen);
-#endif /* PATRICIA_DEBUG */
-    if (node->r) {
-	child = node->r;
-    }
-    else {
-	assert (node->l);
-	child = node->l;
-    }
-    parent = node->parent;
-    child->parent = parent;
-
-    Deref_Prefix (node->prefix);
-    Delete (node);
-    patricia->num_active_node--;
-
-    if (parent == NULL) {
-	assert (patricia->head == node);
-	patricia->head = child;
-	return;
-    }
-
-    if (parent->r == node) {
-	parent->r = child;
-    }
-    else {
-        assert (parent->l == node);
-	parent->l = child;
-    }
-}
-
-/* { from demo.c */
-
-patricia_node_t *
-make_and_lookup (patricia_tree_t *tree, char *string)
-{
-    prefix_t *prefix;
-    patricia_node_t *node;
-
-    prefix = ascii2prefix (AF_INET, string);
-    printf ("make_and_lookup: %s/%d\n", prefix_toa (prefix), prefix->bitlen);
-    node = patricia_lookup (tree, prefix);
-    Deref_Prefix (prefix);
-    return (node);
-}
-
-patricia_node_t *
-try_search_exact (patricia_tree_t *tree, char *string)
-{
-    prefix_t *prefix;
-    patricia_node_t *node;
-
-    prefix = ascii2prefix (AF_INET, string);
-    printf ("try_search_exact: %s/%d\n", prefix_toa (prefix), prefix->bitlen);
-    if ((node = patricia_search_exact (tree, prefix)) == NULL) {
-        printf ("try_search_exact: not found\n");
-    }
-    else {
-        printf ("try_search_exact: %s/%d found\n",
-	        prefix_toa (node->prefix), node->prefix->bitlen);
-    }
-    Deref_Prefix (prefix);
-    return (node);
-}
-
-void
-lookup_then_remove (patricia_tree_t *tree, char *string)
-{
-    patricia_node_t *node;
-
-    if ( (node = try_search_exact(tree, string)) )
-        patricia_remove (tree, node);
-}
-
-patricia_node_t *
-try_search_best (patricia_tree_t *tree, char *string)
-{
-    prefix_t *prefix;
-    patricia_node_t *node;
-
-    prefix = ascii2prefix (AF_INET, string);
-    printf ("try_search_best: %s/%d\n", prefix_toa (prefix), prefix->bitlen);
-    if ((node = patricia_search_best (tree, prefix)) == NULL)
-        printf ("try_search_best: not found\n");
-    else
-        printf ("try_search_best: %s/%d found\n",
-	        prefix_toa (node->prefix), node->prefix->bitlen);
-    Deref_Prefix (prefix);
-    return (node);
-}
-
-/* } */
diff --git a/src/patricia.h b/src/patricia.h
deleted file mode 100644
index d4374f2b0b..0000000000
--- a/src/patricia.h
+++ /dev/null
@@ -1,195 +0,0 @@
-/*
- * This code originates from Dave Plonka's Net::Security perl module. An adaptation
- * of it in C is kept at https://github.com/CAIDA/cc-common/tree/master/libpatricia.
- * That repository is considered the upstream version for Zeek's fork. We make some
- * custom changes to this upstream:
- * - Replace void_fn_t with data_fn_t and prefix_data_fn_t
- * - Add patricia_search_all method
- *
- * The current version is based on commit 4a2c61374f507a420d28bd9084c976142d279605
- * from that repo.
- */
-
-/*
- * Dave Plonka <plonka@doit.wisc.edu>
- *
- * This product includes software developed by the University of Michigan,
- * Merit Network, Inc., and their contributors.
- *
- * This file had been called "radix.h" in the MRT sources.
- *
- * I renamed it to "patricia.h" since it's not an implementation of a general
- * radix trie.  Also, pulled in various requirements from "mrt.h" and added
- * some other things it could be used as a standalone API.
- */
-
-/* From copyright.txt:
- *
- * Copyright (c) 1997, 1998, 1999
- *
- *
- * The Regents of the University of Michigan ("The Regents") and Merit Network,
- * Inc.  All rights reserved.
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- * 1.  Redistributions of source code must retain the above
- *     copyright notice, this list of conditions and the
- *     following disclaimer.
- * 2.  Redistributions in binary form must reproduce the above
- *     copyright notice, this list of conditions and the
- *     following disclaimer in the documentation and/or other
- *     materials provided with the distribution.
- * 3.  All advertising materials mentioning features or use of
- *     this software must display the following acknowledgement:
- * This product includes software developed by the University of Michigan, Merit
- * Network, Inc., and their contributors.
- * 4.  Neither the name of the University, Merit Network, nor the
- *     names of their contributors may be used to endorse or
- *     promote products derived from this software without
- *     specific prior written permission.
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANY
- * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY
- * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
- * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#pragma once
-
-/* { from defs.h */
-#define prefix_touchar(prefix) ((u_char *)&(prefix)->add.sin)
-#define MAXLINE 1024
-#define BIT_TEST(f, b)  ((f) & (b))
-/* } */
-
-#define addroute make_and_lookup
-
-#include <sys/types.h> /* for u_* definitions (on FreeBSD 5) */
-
-#include <errno.h> /* for EAFNOSUPPORT */
-#ifndef EAFNOSUPPORT
-#  defined EAFNOSUPPORT WSAEAFNOSUPPORT
-#  include <winsock.h>
-#else
-#  include <netinet/in.h> /* for struct in_addr */
-#endif
-
-#include <sys/socket.h> /* for AF_INET */
-
-/* { from mrt.h */
-
-typedef struct _prefix4_t {
-    u_short family;		/* AF_INET | AF_INET6 */
-    u_short bitlen;		/* same as mask? */
-    int ref_count;		/* reference count */
-    struct in_addr sin;
-} prefix4_t;
-
-typedef struct _prefix_t {
-    u_short family;		/* AF_INET | AF_INET6 */
-    u_short bitlen;		/* same as mask? */
-    int ref_count;		/* reference count */
-    union {
-		struct in_addr sin;
-		struct in6_addr sin6;
-    } add;
-} prefix_t;
-
-typedef void (*data_fn_t)(void*);
-typedef void (*prefix_data_fn_t)(prefix_t*, void*);
-
-/* } */
-
-typedef struct _patricia_node_t {
-   u_int bit;			/* flag if this node used */
-   prefix_t *prefix;		/* who we are in patricia tree */
-   struct _patricia_node_t *l, *r;	/* left and right children */
-   struct _patricia_node_t *parent;/* may be used */
-   void *data;			/* pointer to data */
-   void	*user1;			/* pointer to usr data (ex. route flap info) */
-} patricia_node_t;
-
-typedef struct _patricia_tree_t {
-   patricia_node_t 	*head;
-   u_int		maxbits;	/* for IP, 32 bit addresses */
-   int num_active_node;		/* for debug purpose */
-} patricia_tree_t;
-
-
-patricia_node_t *patricia_search_exact (patricia_tree_t *patricia, prefix_t *prefix);
-bool patricia_search_all (patricia_tree_t *patricia, prefix_t *prefix, patricia_node_t ***list, int *n);
-patricia_node_t *patricia_search_best (patricia_tree_t *patricia, prefix_t *prefix);
-patricia_node_t * patricia_search_best2 (patricia_tree_t *patricia, prefix_t *prefix,
-				   int inclusive);
-patricia_node_t *patricia_lookup (patricia_tree_t *patricia, prefix_t *prefix);
-void patricia_remove (patricia_tree_t *patricia, patricia_node_t *node);
-patricia_tree_t *New_Patricia (int maxbits);
-void Clear_Patricia (patricia_tree_t *patricia, data_fn_t func);
-void Destroy_Patricia (patricia_tree_t *patricia, data_fn_t func);
-
-void patricia_process (patricia_tree_t *patricia, prefix_data_fn_t func);
-
-void Deref_Prefix (prefix_t * prefix);
-char *prefix_toa (prefix_t * prefix);
-
-/* { from demo.c */
-
-prefix_t *
-ascii2prefix (int family, char *string);
-
-patricia_node_t *
-make_and_lookup (patricia_tree_t *tree, char *string);
-
-/* } */
-
-#define PATRICIA_MAXBITS        (sizeof(struct in6_addr) * 8)
-#define PATRICIA_NBIT(x)        (0x80 >> ((x) & 0x7f))
-#define PATRICIA_NBYTE(x)       ((x) >> 3)
-
-#define PATRICIA_DATA_GET(node, type) (type *)((node)->data)
-#define PATRICIA_DATA_SET(node, value) ((node)->data = (void *)(value))
-
-#define PATRICIA_WALK(Xhead, Xnode) \
-    do { \
-        patricia_node_t *Xstack[PATRICIA_MAXBITS+1]; \
-        patricia_node_t **Xsp = Xstack; \
-        patricia_node_t *Xrn = (Xhead); \
-        while ((Xnode = Xrn)) { \
-            if (Xnode->prefix)
-
-#define PATRICIA_WALK_ALL(Xhead, Xnode) \
-do { \
-        patricia_node_t *Xstack[PATRICIA_MAXBITS+1]; \
-        patricia_node_t **Xsp = Xstack; \
-        patricia_node_t *Xrn = (Xhead); \
-        while ((Xnode = Xrn)) { \
-	    if (1)
-
-#define PATRICIA_WALK_BREAK { \
-	    if (Xsp != Xstack) { \
-		Xrn = *(--Xsp); \
-	     } else { \
-		Xrn = (patricia_node_t *) 0; \
-	    } \
-	    continue; }
-
-#define PATRICIA_WALK_END \
-            if (Xrn->l) { \
-                if (Xrn->r) { \
-                    *Xsp++ = Xrn->r; \
-                } \
-                Xrn = Xrn->l; \
-            } else if (Xrn->r) { \
-                Xrn = Xrn->r; \
-            } else if (Xsp != Xstack) { \
-                Xrn = *(--Xsp); \
-            } else { \
-                Xrn = (patricia_node_t *) 0; \
-            } \
-        } \
-    } while (0)
diff --git a/src/setsignal.c b/src/setsignal.c
deleted file mode 100644
index d91b91f9e0..0000000000
--- a/src/setsignal.c
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * See the file "COPYING" in the main distribution directory for copyright.
- */
-
-#include "zeek/zeek-config.h"			/* must appear before first ifdef */
-
-#include <sys/types.h>
-
-#ifdef HAVE_MEMORY_H
-#include <memory.h>
-#endif
-#include <signal.h>
-#ifdef HAVE_SIGACTION
-#include <string.h>
-#endif
-
-#include "zeek/setsignal.h"
-
-/*
- * An os independent signal() with BSD semantics, e.g. the signal
- * catcher is restored following service of the signal.
- *
- * When sigset() is available, signal() has SYSV semantics and sigset()
- * has BSD semantics and call interface. Unfortunately, Linux does not
- * have sigset() so we use the more complicated sigaction() interface
- * there.
- *
- * Did I mention that signals suck?
- */
-RETSIGTYPE
-(*setsignal (int sig, RETSIGTYPE (*func)(int)))(int)
-{
-#ifdef HAVE_SIGACTION
-	struct sigaction old, new;
-
-	memset(&new, 0, sizeof(new));
-	new.sa_handler = func;
-#ifdef SA_RESTART
-	new.sa_flags |= SA_RESTART;
-#endif
-	if (sigaction(sig, &new, &old) < 0)
-		return (SIG_ERR);
-	return (old.sa_handler);
-
-#else
-#ifdef HAVE_SIGSET
-	return (sigset(sig, func));
-#else
-	return (signal(sig, func));
-#endif
-#endif
-}
diff --git a/src/setsignal.h b/src/setsignal.h
deleted file mode 100644
index d290265373..0000000000
--- a/src/setsignal.h
+++ /dev/null
@@ -1,7 +0,0 @@
-/*
- * See the file "COPYING" in the main distribution directory for copyright.
- *
- */
-#pragma once
-
-RETSIGTYPE (*setsignal(int, RETSIGTYPE (*)(int)))(int);
diff --git a/src/strsep.c b/src/strsep.c
deleted file mode 100644
index ef0970bd40..0000000000
--- a/src/strsep.c
+++ /dev/null
@@ -1,93 +0,0 @@
-/*-
- * Copyright (c) 1990, 1993
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include "zeek/zeek-config.h"
-
-#ifndef HAVE_STRSEP
-
-#include <sys/types.h>
-
-#include <string.h>
-#include <stdio.h>
-
-char *strsep(char **, const char *);
-
-#if defined(LIBC_SCCS) && !defined(lint)
-static char sccsid[] = "@(#)strsep.c	8.1 (Berkeley) 6/4/93";
-#endif /* LIBC_SCCS and not lint */
-#ifndef lint
-static const char rcsid[] =
-  "$FreeBSD: src/lib/libc/string/strsep.c,v 1.2.12.1 2001/07/09 23:30:07 obrien Exp $";
-#endif
-
-/*
- * Get next token from string *stringp, where tokens are possibly-empty
- * strings separated by characters from delim.
- *
- * Writes NULs into the string at *stringp to end tokens.
- * delim need not remain constant from call to call.
- * On return, *stringp points past the last NUL written (if there might
- * be further tokens), or is NULL (if there are definitely no more tokens).
- *
- * If *stringp is NULL, strsep returns NULL.
- */
-char *
-strsep(stringp, delim)
-	register char **stringp;
-	register const char *delim;
-{
-	register char *s;
-	register const char *spanp;
-	register int c, sc;
-	char *tok;
-
-	if ((s = *stringp) == NULL)
-		return (NULL);
-	for (tok = s;;) {
-		c = *s++;
-		spanp = delim;
-		do {
-			if ((sc = *spanp++) == c) {
-				if (c == 0)
-					s = NULL;
-				else
-					s[-1] = 0;
-				*stringp = s;
-				return (tok);
-			}
-		} while (sc != 0);
-	}
-	/* NOTREACHED */
-}
-
-#endif
diff --git a/src/supervisor/Supervisor.cc b/src/supervisor/Supervisor.cc
index 4b7d67e9a4..53d9f4a77f 100644
--- a/src/supervisor/Supervisor.cc
+++ b/src/supervisor/Supervisor.cc
@@ -21,7 +21,7 @@
 
 extern "C"
 	{
-#include "zeek/setsignal.h"
+#include "zeek/3rdparty/setsignal.h"
 	}
 
 #include "zeek/DebugLogger.h"
diff --git a/src/threading/Formatter.cc b/src/threading/Formatter.cc
index 680a4ece4c..00975567f2 100644
--- a/src/threading/Formatter.cc
+++ b/src/threading/Formatter.cc
@@ -6,7 +6,7 @@
 
 #include <errno.h>
 
-#include "zeek/bro_inet_ntop.h"
+#include "zeek/3rdparty/bro_inet_ntop.h"
 #include "zeek/threading/MsgThread.h"
 
 using zeek::threading::Field;
diff --git a/src/util.cc b/src/util.cc
index d36161b7e0..f63dfdbc83 100644
--- a/src/util.cc
+++ b/src/util.cc
@@ -43,8 +43,8 @@
 #include <string>
 #include <vector>
 
+#include "zeek/3rdparty/ConvertUTF.h"
 #include "zeek/3rdparty/doctest.h"
-#include "zeek/ConvertUTF.h"
 #include "zeek/Desc.h"
 #include "zeek/Dict.h"
 #include "zeek/Hash.h"
diff --git a/src/util.h b/src/util.h
index 5126dca59a..c35da260eb 100644
--- a/src/util.h
+++ b/src/util.h
@@ -72,7 +72,7 @@ extern HeapLeakChecker* heap_checker;
 
 extern "C"
 	{
-#include "zeek/modp_numtoa.h"
+#include "zeek/3rdparty/modp_numtoa.h"
 	}
 
 using bro_int_t = int64_t;
diff --git a/src/zeek-setup.cc b/src/zeek-setup.cc
index dad543c282..0a69d78667 100644
--- a/src/zeek-setup.cc
+++ b/src/zeek-setup.cc
@@ -67,7 +67,7 @@
 
 extern "C"
 	{
-#include "zeek/setsignal.h"
+#include "zeek/3rdparty/setsignal.h"
 	};
 
 zeek::detail::ScriptCoverageManager zeek::detail::script_coverage_mgr;

From b23eb760430bbe44234f2e538ece5da538ccac9f Mon Sep 17 00:00:00 2001
From: Benjamin Bannier <benjamin.bannier@corelight.com>
Date: Fri, 5 Nov 2021 08:23:02 +0100
Subject: [PATCH 048/210] Disable formatting for files in
 `testing/btest/plugins`

Files in that folder were previously not formatted. With this patch we
now disable formatting in that folder explicitly by adding a dedicated
`clang-format` config which deactivates any formatting changes.
---
 testing/btest/btest.cfg             | 2 +-
 testing/btest/plugins/.clang-format | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
 create mode 100644 testing/btest/plugins/.clang-format

diff --git a/testing/btest/btest.cfg b/testing/btest/btest.cfg
index e4de72f6c2..7e5eedd02a 100644
--- a/testing/btest/btest.cfg
+++ b/testing/btest/btest.cfg
@@ -3,7 +3,7 @@ TestDirs    = doc bifs language core scripts coverage signatures plugins broker
 TmpDir      = %(testbase)s/.tmp
 BaselineDir = %(testbase)s/Baseline
 IgnoreDirs  = .svn CVS .tmp
-IgnoreFiles = *.tmp *.swp #* *.trace .DS_Store
+IgnoreFiles = *.tmp *.swp .clang-format #* *.trace .DS_Store
 MinVersion  = 0.63
 
 [environment]
diff --git a/testing/btest/plugins/.clang-format b/testing/btest/plugins/.clang-format
new file mode 100644
index 0000000000..9d159247d5
--- /dev/null
+++ b/testing/btest/plugins/.clang-format
@@ -0,0 +1,2 @@
+DisableFormat: true
+SortIncludes: false

From dafc9691c5856000c0f37491c5358bace9522348 Mon Sep 17 00:00:00 2001
From: Benjamin Bannier <benjamin.bannier@corelight.com>
Date: Fri, 5 Nov 2021 10:41:22 +0100
Subject: [PATCH 049/210] Remove stale files `src/DebugCmdInfoConstants.*`

The files generated from `src/DebugCmdInfoConstants.in` are placed in
`build/src/` by the build setup, and generated file in `src/` removed
here were unused and possibly out-of-date.
---
 .clang-format-ignore         |   3 -
 src/DebugCmdInfoConstants.cc | 286 -----------------------------------
 src/DebugCmdInfoConstants.h  | 205 -------------------------
 3 files changed, 494 deletions(-)
 delete mode 100644 src/DebugCmdInfoConstants.cc
 delete mode 100644 src/DebugCmdInfoConstants.h

diff --git a/.clang-format-ignore b/.clang-format-ignore
index 1300d06344..bb01885b01 100644
--- a/.clang-format-ignore
+++ b/.clang-format-ignore
@@ -1,5 +1,2 @@
 # Ignore everything 3rdparty
 src/3rdparty/*
-
-# These files are generated code
-src/DebugCmdInfoConstants.*
diff --git a/src/DebugCmdInfoConstants.cc b/src/DebugCmdInfoConstants.cc
deleted file mode 100644
index f1043613d8..0000000000
--- a/src/DebugCmdInfoConstants.cc
+++ /dev/null
@@ -1,286 +0,0 @@
-
-//
-// This file was automatically generated from DebugCmdInfoConstants.in
-// DO NOT EDIT.
-//
-
-#include "zeek/util.h"
-namespace zeek::detail {
-
-void init_global_dbg_constants () {
-
-	{
-		DebugCmdInfo* info;
-		const char * const names[] = { };
-
-		info = new DebugCmdInfo(dcInvalid, names, 0, false, "This function should not be called",
-		                                      false);
-		g_DebugCmdInfos.push_back(info);
-	}
-
-	{
-		DebugCmdInfo* info;
-		const char * const names[] = {
-			"help"
-		};
-
-		info = new DebugCmdInfo(dcHelp, names, 1, false, "Get help with debugger commands",
-		                                      false);
-		g_DebugCmdInfos.push_back(info);
-	}
-
-	{
-		DebugCmdInfo* info;
-		const char * const names[] = {
-			"quit"
-		};
-
-		info = new DebugCmdInfo(dcQuit, names, 1, false, "Exit Zeek",
-		                                      false);
-		g_DebugCmdInfos.push_back(info);
-	}
-
-	{
-		DebugCmdInfo* info;
-		const char * const names[] = {
-			"next"
-		};
-
-		info = new DebugCmdInfo(dcNext, names, 1, true, "Step to the following statement, skipping function calls",
-		                                      true);
-		g_DebugCmdInfos.push_back(info);
-	}
-
-	{
-		DebugCmdInfo* info;
-		const char * const names[] = {
-			"step",
-			"s"
-		};
-
-		info = new DebugCmdInfo(dcStep, names, 2, true, "Step to following statements, stepping in to function calls",
-		                                      true);
-		g_DebugCmdInfos.push_back(info);
-	}
-
-	{
-		DebugCmdInfo* info;
-		const char * const names[] = {
-			"continue",
-			"c"
-		};
-
-		info = new DebugCmdInfo(dcContinue, names, 2, true, "Resume execution of the policy script",
-		                                      true);
-		g_DebugCmdInfos.push_back(info);
-	}
-
-	{
-		DebugCmdInfo* info;
-		const char * const names[] = {
-			"finish"
-		};
-
-		info = new DebugCmdInfo(dcFinish, names, 1, true, "Run until the currently-executing function completes",
-		                                      true);
-		g_DebugCmdInfos.push_back(info);
-	}
-
-	{
-		DebugCmdInfo* info;
-		const char * const names[] = {
-			"break",
-			"b"
-		};
-
-		info = new DebugCmdInfo(dcBreak, names, 2, false, "Set a breakpoint",
-		                                      false);
-		g_DebugCmdInfos.push_back(info);
-	}
-
-	{
-		DebugCmdInfo* info;
-		const char * const names[] = {
-			"cond"
-		};
-
-		info = new DebugCmdInfo(dcBreakCondition, names, 1, false, "",
-		                                      false);
-		g_DebugCmdInfos.push_back(info);
-	}
-
-	{
-		DebugCmdInfo* info;
-		const char * const names[] = {
-			"delete",
-			"d"
-		};
-
-		info = new DebugCmdInfo(dcDeleteBreak, names, 2, false, "Delete the specified breakpoints; delete all if no arguments",
-		                                      false);
-		g_DebugCmdInfos.push_back(info);
-	}
-
-	{
-		DebugCmdInfo* info;
-		const char * const names[] = {
-			"clear"
-		};
-
-		info = new DebugCmdInfo(dcClearBreak, names, 1, false, "",
-		                                      false);
-		g_DebugCmdInfos.push_back(info);
-	}
-
-	{
-		DebugCmdInfo* info;
-		const char * const names[] = {
-			"disable",
-			"dis"
-		};
-
-		info = new DebugCmdInfo(dcDisableBreak, names, 2, false, "",
-		                                      false);
-		g_DebugCmdInfos.push_back(info);
-	}
-
-	{
-		DebugCmdInfo* info;
-		const char * const names[] = {
-			"enable"
-		};
-
-		info = new DebugCmdInfo(dcEnableBreak, names, 1, false, "",
-		                                      false);
-		g_DebugCmdInfos.push_back(info);
-	}
-
-	{
-		DebugCmdInfo* info;
-		const char * const names[] = {
-			"ignore"
-		};
-
-		info = new DebugCmdInfo(dcIgnoreBreak, names, 1, false, "",
-		                                      false);
-		g_DebugCmdInfos.push_back(info);
-	}
-
-	{
-		DebugCmdInfo* info;
-		const char * const names[] = {
-			"print",
-			"p",
-			"set"
-		};
-
-		info = new DebugCmdInfo(dcPrint, names, 3, false, "Evaluate an expression and print the result (also aliased as 'set')",
-		                                      true);
-		g_DebugCmdInfos.push_back(info);
-	}
-
-	{
-		DebugCmdInfo* info;
-		const char * const names[] = {
-			"backtrace",
-			"bt",
-			"where"
-		};
-
-		info = new DebugCmdInfo(dcBacktrace, names, 3, false, "Print a stack trace (with +- N argument, inner/outer N frames only)",
-		                                      false);
-		g_DebugCmdInfos.push_back(info);
-	}
-
-	{
-		DebugCmdInfo* info;
-		const char * const names[] = {
-			"frame"
-		};
-
-		info = new DebugCmdInfo(dcFrame, names, 1, false, "Select frame number N",
-		                                      false);
-		g_DebugCmdInfos.push_back(info);
-	}
-
-	{
-		DebugCmdInfo* info;
-		const char * const names[] = {
-			"up"
-		};
-
-		info = new DebugCmdInfo(dcUp, names, 1, false, "Select the stack frame one level up",
-		                                      false);
-		g_DebugCmdInfos.push_back(info);
-	}
-
-	{
-		DebugCmdInfo* info;
-		const char * const names[] = {
-			"down"
-		};
-
-		info = new DebugCmdInfo(dcDown, names, 1, false, "Select the stack frame one level down",
-		                                      false);
-		g_DebugCmdInfos.push_back(info);
-	}
-
-	{
-		DebugCmdInfo* info;
-		const char * const names[] = {
-			"info"
-		};
-
-		info = new DebugCmdInfo(dcInfo, names, 1, false, "Get information about the debugging environment",
-		                                      false);
-		g_DebugCmdInfos.push_back(info);
-	}
-
-	{
-		DebugCmdInfo* info;
-		const char * const names[] = {
-			"list",
-			"l"
-		};
-
-		info = new DebugCmdInfo(dcList, names, 2, false, "Print source lines surrounding specified context",
-		                                      true);
-		g_DebugCmdInfos.push_back(info);
-	}
-
-	{
-		DebugCmdInfo* info;
-		const char * const names[] = {
-			"display"
-		};
-
-		info = new DebugCmdInfo(dcDisplay, names, 1, false, "",
-		                                      false);
-		g_DebugCmdInfos.push_back(info);
-	}
-
-	{
-		DebugCmdInfo* info;
-		const char * const names[] = {
-			"undisplay"
-		};
-
-		info = new DebugCmdInfo(dcUndisplay, names, 1, false, "",
-		                                      false);
-		g_DebugCmdInfos.push_back(info);
-	}
-
-	{
-		DebugCmdInfo* info;
-		const char * const names[] = {
-			"trace"
-		};
-
-		info = new DebugCmdInfo(dcTrace, names, 1, false, "Turn on or off execution tracing (with no arguments, prints current state.)",
-		                                      false);
-		g_DebugCmdInfos.push_back(info);
-	}
-
-}
-
-} // namespace zeek::detail
diff --git a/src/DebugCmdInfoConstants.h b/src/DebugCmdInfoConstants.h
deleted file mode 100644
index 44330482d3..0000000000
--- a/src/DebugCmdInfoConstants.h
+++ /dev/null
@@ -1,205 +0,0 @@
-void InitGlobalDbgConstants () {
-   {
-
-   {
-      DebugCmdInfo* info;
-      const char * const names[] = {
-	"help"
-      };
-
-      info = new DebugCmdInfo (dcHelp, names, 1, false, "Get help with debugger commands");
-      g_DebugCmdInfos.push_back(info);
-   }
-
-   {
-      DebugCmdInfo* info;
-      const char * const names[] = {
-	"quit"
-      };
-
-      info = new DebugCmdInfo (dcQuit, names, 1, false, "");
-      g_DebugCmdInfos.push_back(info);
-   }
-
-   {
-      DebugCmdInfo* info;
-      const char * const names[] = {
-	"next"
-      };
-
-      info = new DebugCmdInfo (dcNext, names, 1, true, "");
-      g_DebugCmdInfos.push_back(info);
-   }
-
-   {
-      DebugCmdInfo* info;
-      const char * const names[] = {
-	"step"
-      };
-
-      info = new DebugCmdInfo (dcStep, names, 1, true, "");
-      g_DebugCmdInfos.push_back(info);
-   }
-
-   {
-      DebugCmdInfo* info;
-      const char * const names[] = {
-	"continue"
-      };
-
-      info = new DebugCmdInfo (dcContinue, names, 1, true, "");
-      g_DebugCmdInfos.push_back(info);
-   }
-
-   {
-      DebugCmdInfo* info;
-      const char * const names[] = {
-	"finish"
-      };
-
-      info = new DebugCmdInfo (dcFinish, names, 1, true, "");
-      g_DebugCmdInfos.push_back(info);
-   }
-
-   {
-      DebugCmdInfo* info;
-      const char * const names[] = {
-	"break"
-      };
-
-      info = new DebugCmdInfo (dcBreak, names, 1, false, "");
-      g_DebugCmdInfos.push_back(info);
-   }
-
-   {
-      DebugCmdInfo* info;
-      const char * const names[] = {
-	"cond"
-      };
-
-      info = new DebugCmdInfo (dcBreakCondition, names, 1, false, "");
-      g_DebugCmdInfos.push_back(info);
-   }
-
-   {
-      DebugCmdInfo* info;
-      const char * const names[] = {
-	"delete"
-      };
-
-      info = new DebugCmdInfo (dcDeleteBreak, names, 1, false, "");
-      g_DebugCmdInfos.push_back(info);
-   }
-
-   {
-      DebugCmdInfo* info;
-      const char * const names[] = {
-	"clear"
-      };
-
-      info = new DebugCmdInfo (dcClearBreak, names, 1, false, "");
-      g_DebugCmdInfos.push_back(info);
-   }
-
-   {
-      DebugCmdInfo* info;
-      const char * const names[] = {
-	"disable"
-      };
-
-      info = new DebugCmdInfo (dcDisableBreak, names, 1, false, "");
-      g_DebugCmdInfos.push_back(info);
-   }
-
-   {
-      DebugCmdInfo* info;
-      const char * const names[] = {
-	"enable"
-      };
-
-      info = new DebugCmdInfo (dcEnableBreak, names, 1, false, "");
-      g_DebugCmdInfos.push_back(info);
-   }
-
-   {
-      DebugCmdInfo* info;
-      const char * const names[] = {
-	"ignore"
-      };
-
-      info = new DebugCmdInfo (dcIgnoreBreak, names, 1, false, "");
-      g_DebugCmdInfos.push_back(info);
-   }
-
-   {
-      DebugCmdInfo* info;
-      const char * const names[] = {
-	"print"
-      };
-
-      info = new DebugCmdInfo (dcPrint, names, 1, false, "");
-      g_DebugCmdInfos.push_back(info);
-   }
-
-   {
-      DebugCmdInfo* info;
-      const char * const names[] = {
-	"backtrace",
-	"bt"
-      };
-
-      info = new DebugCmdInfo (dcBacktrace, names, 2, false, "");
-      g_DebugCmdInfos.push_back(info);
-   }
-
-   {
-      DebugCmdInfo* info;
-      const char * const names[] = {
-	"frame"
-      };
-
-      info = new DebugCmdInfo (dcFrame, names, 1, false, "");
-      g_DebugCmdInfos.push_back(info);
-   }
-
-   {
-      DebugCmdInfo* info;
-      const char * const names[] = {
-	"info"
-      };
-
-      info = new DebugCmdInfo (dcInfo, names, 1, false, "");
-      g_DebugCmdInfos.push_back(info);
-   }
-
-   {
-      DebugCmdInfo* info;
-      const char * const names[] = {
-	"list"
-      };
-
-      info = new DebugCmdInfo (dcList, names, 1, false, "");
-      g_DebugCmdInfos.push_back(info);
-   }
-
-   {
-      DebugCmdInfo* info;
-      const char * const names[] = {
-	"display"
-      };
-
-      info = new DebugCmdInfo (dcDisplay, names, 1, false, "");
-      g_DebugCmdInfos.push_back(info);
-   }
-
-   {
-      DebugCmdInfo* info;
-      const char * const names[] = {
-	"undisplay"
-      };
-
-      info = new DebugCmdInfo (dcUndisplay, names, 1, false, "");
-      g_DebugCmdInfos.push_back(info);
-   }
-
-}

From 4e16037acd3e55008101e6cfd4711a74e89f547a Mon Sep 17 00:00:00 2001
From: Benjamin Bannier <benjamin.bannier@corelight.com>
Date: Fri, 5 Nov 2021 09:02:40 +0100
Subject: [PATCH 050/210] Format code with `clang-format`

This patch formats files not conforming to the C++ formatting with
`clang-format`.
---
 src/script_opt/CPP/RuntimeVec.cc | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/script_opt/CPP/RuntimeVec.cc b/src/script_opt/CPP/RuntimeVec.cc
index 3b8eff9c1f..c8279e7988 100644
--- a/src/script_opt/CPP/RuntimeVec.cc
+++ b/src/script_opt/CPP/RuntimeVec.cc
@@ -89,9 +89,9 @@ static VectorTypePtr base_vector_type__CPP(const VectorTypePtr& vt)
 #define VEC_OP1_WITH_DOUBLE(name, op)                                                              \
 	VEC_OP1(                                                                                       \
 		name, op, case TYPE_INTERNAL_DOUBLE                                                        \
-		:                                                                                          \
-		{                                                                                          \
-			VEC_OP1_KERNEL(AsDouble, DoubleVal, op) break;                                         \
+		: {                                                                                        \
+			VEC_OP1_KERNEL(AsDouble, DoubleVal, op)                                                \
+			break;                                                                                 \
 		})
 
 // The unary operations supported for vectors.
@@ -152,9 +152,9 @@ VEC_OP1(comp, ~, )
 #define VEC_OP2_WITH_DOUBLE(name, op)                                                              \
 	VEC_OP2(                                                                                       \
 		name, op, case TYPE_INTERNAL_DOUBLE                                                        \
-		:                                                                                          \
-		{                                                                                          \
-			VEC_OP2_KERNEL(AsDouble, DoubleVal, op) break;                                         \
+		: {                                                                                        \
+			VEC_OP2_KERNEL(AsDouble, DoubleVal, op)                                                \
+			break;                                                                                 \
 		})
 
 // The binary operations supported for vectors.

From 77e2e8278f18094f0d940f7bb70fcdcbd50b2bd3 Mon Sep 17 00:00:00 2001
From: Benjamin Bannier <benjamin.bannier@corelight.com>
Date: Fri, 5 Nov 2021 11:01:18 +0100
Subject: [PATCH 051/210] Add pre-commit config.

This patch adds `clang-format` as only linter for now. This replaces the
previously used script from `auxil/run-clang-format` which we remove.

This requires the Python program `pre-commit`
(https://pypi.org/project/pre-commit/). With that one can then run
`clang-format` on the whole codebase with

    $ pre-commit run -a clang-format

or on just the staged files

    # Explicitly selecting linter.
    $ pre-commit run clang-format

    # Run all linters (currently just `clang-format`).
    $ pre-commit

`pre-commit` supports managing Git commit hooks so that linters are run
on commit. Linters can be installed with

    $ pre-commit install

The documentation at https://pre-commit.com/ covers these topics in
addition to more information.
---
 .clang-format           |  7 +----
 .clang-format-ignore    |  2 --
 .gitmodules             |  3 --
 .pre-commit-config.yaml |  8 +++++
 auxil/run-clang-format  |  1 -
 ci/run-clang-format.sh  | 65 -----------------------------------------
 6 files changed, 9 insertions(+), 77 deletions(-)
 delete mode 100644 .clang-format-ignore
 create mode 100644 .pre-commit-config.yaml
 delete mode 160000 auxil/run-clang-format
 delete mode 100755 ci/run-clang-format.sh

diff --git a/.clang-format b/.clang-format
index a105b7df33..4c628b3465 100644
--- a/.clang-format
+++ b/.clang-format
@@ -1,10 +1,5 @@
 # Clang-format configuration for Zeek. This configuration requires
 # at least clang-format 12.0.1 to format correctly.
-#
-# The easiest way to run this from the command-line is using the
-# python script in auxil/run-clang-format:
-#
-# python3 auxil/run-clang-format/run-clang-format.py --clang-format-executable /path/to/clang-format -r src -i
 
 Language: Cpp
 Standard: c++17
@@ -102,4 +97,4 @@ IncludeCategories:
   - Regex: '^"zeek/'
     Priority: 4
   - Regex: '.*'
-    Priority: 5
\ No newline at end of file
+    Priority: 5
diff --git a/.clang-format-ignore b/.clang-format-ignore
deleted file mode 100644
index bb01885b01..0000000000
--- a/.clang-format-ignore
+++ /dev/null
@@ -1,2 +0,0 @@
-# Ignore everything 3rdparty
-src/3rdparty/*
diff --git a/.gitmodules b/.gitmodules
index e3b149e9f9..4318212fe0 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -49,6 +49,3 @@
 [submodule "auxil/zeek-client"]
 	path = auxil/zeek-client
 	url = https://github.com/zeek/zeek-client
-[submodule "auxil/run-clang-format"]
-	path = auxil/run-clang-format
-	url = https://github.com/Sarcasm/run-clang-format
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000000..f3f52012a1
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,8 @@
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+#
+repos:
+- repo: https://github.com/pre-commit/mirrors-clang-format
+  rev: 'v13.0.0'
+  hooks:
+  - id: clang-format
diff --git a/auxil/run-clang-format b/auxil/run-clang-format
deleted file mode 160000
index 39081c9c42..0000000000
--- a/auxil/run-clang-format
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 39081c9c42768ab5e8321127a7494ad1647c6a2f
diff --git a/ci/run-clang-format.sh b/ci/run-clang-format.sh
deleted file mode 100755
index 3bd6d5d898..0000000000
--- a/ci/run-clang-format.sh
+++ /dev/null
@@ -1,65 +0,0 @@
-#! /bin/sh
-#
-# Copyright (c) 2020 by the Zeek Project. See LICENSE for details.
-
-base=$(git rev-parse --show-toplevel)
-fix=0
-pre_commit_hook=0
-
-# Directories to run on by default. When changing, adapt .pre-commit-config.yam
-# as well.
-files="src"
-
-error() {
-    test "${pre_commit_hook}" = 0 && echo "$@" >&2 && exit 1
-    exit 0
-}
-
-if [ $# != 0 ]; then
-    case "$1" in
-        --fixit)
-            shift
-            fix=1
-            ;;
-
-        --pre-commit-hook)
-            shift
-            fix=1
-            pre_commit_hook=1
-            ;;
-
-        -*)
-            echo "usage: $(basename $0) [--fixit | --pre-commit-hook] [<files>]"
-            exit 1
-    esac
-fi
-
-test $# != 0 && files="$@"
-
-if [ -z "${CLANG_FORMAT}" ]; then
-    CLANG_FORMAT=$(which clang-format 2>/dev/null)
-fi
-
-if [ -z "${CLANG_FORMAT}" -o ! -x "${CLANG_FORMAT}" ]; then
-    error "Cannot find clang-format. If not in PATH, set CLANG_FORMAT."
-fi
-
-if ! (cd / && ${CLANG_FORMAT} -dump-config | grep -q SpacesInConditionalStatement); then
-    error "${CLANG_FORMAT} does not support SpacesInConditionalStatement. Install custom version and put it into PATH, or point CLANG_FORMAT to it."
-fi
-
-if [ ! -e .clang-format ]; then
-    error "Must execute in top-level directory."
-fi
-
-cmd="${base}/auxil/run-clang-format/run-clang-format.py -r --clang-format-executable ${CLANG_FORMAT} --exclude '*/3rdparty/*' ${files}"
-tmp=/tmp/$(basename $0).$$.tmp
-trap "rm -f ${tmp}" EXIT
-eval "${cmd}" >"${tmp}"
-
-if [ "${fix}" = 1 ]; then
-    test -s "${tmp}" && cat "${tmp}" | git apply -p0
-    true
-else
-    cat "${tmp}"
-fi

From 84e8000e62a8240f99d3ab22ef3821d74246ecda Mon Sep 17 00:00:00 2001
From: Benjamin Bannier <benjamin.bannier@corelight.com>
Date: Fri, 5 Nov 2021 11:12:40 +0100
Subject: [PATCH 052/210] Add Github action exercising pre-commit

This patch adds a Github action which exercises pre-commit linters for
commits to the `master` branch or for pull requests.  We adds this task
as a Github action since we expect it to finish quickly; running outside
of Cirrus makes it possible provide feedback quickly.
---
 .github/workflows/pre-commit.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 .github/workflows/pre-commit.yml

diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
new file mode 100644
index 0000000000..925b8accd7
--- /dev/null
+++ b/.github/workflows/pre-commit.yml
@@ -0,0 +1,14 @@
+name: pre-commit
+
+on:
+  pull_request:
+  push:
+    branches: [master]
+
+jobs:
+  pre-commit:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - uses: actions/setup-python@v2
+    - uses: pre-commit/action@v2.0.3

From a011b4cb702b425497331aab9ad66bbbb88d8621 Mon Sep 17 00:00:00 2001
From: Johanna Amann <johanna@corelight.com>
Date: Tue, 9 Nov 2021 15:11:27 +0000
Subject: [PATCH 053/210] Packets with TSO: address review feedback.

This addresses review feedback of GH-1831 and additionally fixes one
case in which PayloadLen was used in a way that would have given
problematic results when TSO is enabled.
---
 src/IP.cc | 8 +++++++-
 src/IP.h  | 3 +++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/IP.cc b/src/IP.cc
index 04ac1b6676..330f2b5a85 100644
--- a/src/IP.cc
+++ b/src/IP.cc
@@ -384,7 +384,13 @@ RecordValPtr IP_Hdr::ToPktHdrVal(RecordValPtr pkt_hdr, int sindex) const
 			auto tcp_hdr = make_intrusive<RecordVal>(tcp_hdr_type);
 
 			int tcp_hdr_len = tp->th_off * 4;
-			int data_len = PayloadLen() - tcp_hdr_len;
+
+			// account for cases in which the payload length in the TCP header is not set,
+			// or is set to an impossible value. In these cases, return 0.
+			int data_len = 0;
+			auto payload_len = PayloadLen();
+			if ( payload_len >= tcp_hdr_len )
+				data_len = payload_len - tcp_hdr_len;
 
 			tcp_hdr->Assign(0, val_mgr->Port(ntohs(tp->th_sport), TRANSPORT_TCP));
 			tcp_hdr->Assign(1, val_mgr->Port(ntohs(tp->th_dport), TRANSPORT_TCP));
diff --git a/src/IP.h b/src/IP.h
index 2b670cf72e..0488290b00 100644
--- a/src/IP.h
+++ b/src/IP.h
@@ -411,6 +411,9 @@ public:
 	/**
 	 * Returns the length of the IP packet's payload (length of packet minus
 	 * header length or, for IPv6, also minus length of all extension headers).
+	 *
+	 * Also returns 0 if the IPv4 length field is set to zero - which is, e.g.,
+	 * the case when TCP segment offloading is enabled.
 	 */
 	uint16_t PayloadLen() const
 		{

From 65bc817fcf36b173a7ba9473ad556c7e53da24e3 Mon Sep 17 00:00:00 2001
From: Benjamin Bannier <benjamin.bannier@corelight.com>
Date: Wed, 10 Nov 2021 09:10:49 +0100
Subject: [PATCH 054/210] Install include headers from `src/3rdparty/`.

This is a fixup commit for 72cbc7cd13b7c1bda98658104431c3b530ff68d6
where we move some header files from `src/` to `src/3rdparty/` but
missed adding install rules for these header. Since some of these
headers are exposed in installed headers they need to be installed as
well.
---
 src/CMakeLists.txt | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 9f7eaffbab..ebc5385094 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -620,6 +620,13 @@ install(DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/
 )
 
 install(FILES
+        ${CMAKE_CURRENT_SOURCE_DIR}/3rdparty/ConvertUTF.h
+        ${CMAKE_CURRENT_SOURCE_DIR}/3rdparty/bro_inet_ntop.h
+        ${CMAKE_CURRENT_SOURCE_DIR}/3rdparty/bsd-getopt-long.h
+        ${CMAKE_CURRENT_SOURCE_DIR}/3rdparty/modp_numtoa.h
+        ${CMAKE_CURRENT_SOURCE_DIR}/3rdparty/nb_dns.h
+        ${CMAKE_CURRENT_SOURCE_DIR}/3rdparty/patricia.h
+        ${CMAKE_CURRENT_SOURCE_DIR}/3rdparty/setsignal.h
         ${CMAKE_CURRENT_SOURCE_DIR}/3rdparty/sqlite3.h
         DESTINATION include/zeek/3rdparty
 )

From 64e34b52aaad860c7437aab765e85310dafb3f5a Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@corelight.com>
Date: Wed, 10 Nov 2021 09:39:16 +0100
Subject: [PATCH 055/210] Tweaking a couple of debug message.

As suggested during review.
---
 src/PolicyFile.cc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/PolicyFile.cc b/src/PolicyFile.cc
index eaee5a9916..c1bd4eac42 100644
--- a/src/PolicyFile.cc
+++ b/src/PolicyFile.cc
@@ -49,7 +49,7 @@ int how_many_lines_in(const char* policy_filename)
 	FILE* throwaway = fopen(policy_filename, "r");
 	if ( ! throwaway )
 		{
-		debug_msg("No such policy file: %s.\n", policy_filename);
+		debug_msg("Could not open policy file: %s.\n", policy_filename);
 		return -1;
 		}
 
@@ -97,7 +97,7 @@ bool LoadPolicyFileText(const char* policy_filename,
 
 		if ( ! f )
 			{
-			debug_msg("No such policy file: %s.\n", policy_filename);
+			debug_msg("Could not open policy file: %s.\n", policy_filename);
 			return false;
 			}
 
@@ -152,7 +152,7 @@ bool PrintLines(const char* policy_filename, unsigned int start_line, unsigned i
 	FILE* throwaway = fopen(policy_filename, "r");
 	if ( ! throwaway )
 		{
-		debug_msg("No such policy file: %s.\n", policy_filename);
+		debug_msg("Could not open policy file: %s.\n", policy_filename);
 		return false;
 		}
 

From 82b3606cdde60c14999ab5902871a883d4af086f Mon Sep 17 00:00:00 2001
From: Abdel <abdelsaidt@gmail.com>
Date: Sun, 31 Oct 2021 00:22:38 +0200
Subject: [PATCH 056/210] case-insensitive-search-features-for-do_find_str

---
 src/strings.bif | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/src/strings.bif b/src/strings.bif
index 0d3812f267..f4d20dc2cb 100644
--- a/src/strings.bif
+++ b/src/strings.bif
@@ -1145,7 +1145,7 @@ function count_substr%(str: string, sub: string%) : count
 
 %%{
 
-static int64_t do_find_str(zeek::StringVal* str, zeek::StringVal* sub, int64_t start, int64_t end, bool rfind)
+static int64_t do_find_str(zeek::StringVal* str, zeek::StringVal* sub, int64_t start, int64_t end, bool rfind, bool case_sensitive)
 	{
 	// Don't bother if the start is after the end of the string.
 	if ( start > str->Len() )
@@ -1168,11 +1168,19 @@ static int64_t do_find_str(zeek::StringVal* str, zeek::StringVal* sub, int64_t s
 		return -1;
 
 	string s = str->ToStdString().substr(start, end_pos);
+	string sb = sub->ToStdString();
 	size_t pos = string::npos;
+
+	if ( !case_sensitive )
+	{
+		transform(s.begin(), s.end(), s.begin(), ::tolower);
+		transform(sb.begin(), sb.end(), sb.begin(), ::tolower);
+	}
+
 	if ( rfind )
-		pos = s.rfind(sub->ToStdString());
+		pos = s.rfind(sb);
 	else
-		pos = s.find(sub->ToStdString());
+		pos = s.find(sb);
 
 	if ( pos == string::npos )
 		return -1;
@@ -1193,13 +1201,14 @@ static int64_t do_find_str(zeek::StringVal* str, zeek::StringVal* sub, int64_t s
 ## end: An optional position for the end of the substring. A value less than
 ##      zero (such as the default -1) means a search until the end of the
 ##      string.
+## case_sensitive: An optional position for search case insensitively
 ##
 ## Returns: The position of the substring. Returns -1 if the string wasn't
 ##          found. Prints an error if the starting position is after the ending
 ##          position.
-function find_str%(str: string, sub: string, start: count &default=0, end: int &default=-1%) : int
+function find_str%(str: string, sub: string, start: count &default=0, end: int &default=-1, case_sensitive: bool &default=T%) : int
 	%{
-	return zeek::val_mgr->Int(do_find_str(str, sub, start, end, false));
+	return zeek::val_mgr->Int(do_find_str(str, sub, start, end, false, case_sensitive));
 	%}
 
 ## The same as :zeek:see:`find_str`, but returns the highest index matching
@@ -1214,9 +1223,9 @@ function find_str%(str: string, sub: string, start: count &default=0, end: int &
 ## Returns: The position of the substring. Returns -1 if the string wasn't
 ##          found. Prints an error if the starting position is after the ending
 ##          position.
-function rfind_str%(str: string, sub: string, start: count &default=0, end: int &default=-1%) : int
+function rfind_str%(str: string, sub: string, start: count &default=0, end: int &default=-1, case_sensitive: bool &default=T%) : int
 	%{
-	return zeek::val_mgr->Int(do_find_str(str, sub, start, end, true));
+	return zeek::val_mgr->Int(do_find_str(str, sub, start, end, true, case_sensitive));
 	%}
 
 ## Returns whether a string starts with a substring.

From effa8c403f61e1700ceada4da82e2cb9202da34c Mon Sep 17 00:00:00 2001
From: Abdel <abdelsaidt@gmail.com>
Date: Thu, 4 Nov 2021 02:02:48 +0100
Subject: [PATCH 057/210] testing-do-find-str_case-insensitive

---
 testing/btest/bifs/do_find_str.zeek | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 testing/btest/bifs/do_find_str.zeek

diff --git a/testing/btest/bifs/do_find_str.zeek b/testing/btest/bifs/do_find_str.zeek
new file mode 100644
index 0000000000..b598b5c73a
--- /dev/null
+++ b/testing/btest/bifs/do_find_str.zeek
@@ -0,0 +1,22 @@
+#
+# @TEST-EXEC: zeek -b %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+event zeek_init()
+	{
+	local a = "this is the concatenation of HTTP fields of the fOrM of the website that I am protecting";
+	local b = "form";
+	local c = "FORM";
+	local d = "FoRm";
+	local e = "om0";
+	local f = "f0rm";
+	local g = "fOrm";
+
+
+	print find_str(a, b, 0, -1, F);
+	print find_str(a, c, 0, -1, F);
+	print find_str(a, d, 0, -1, F);
+	print find_str(a, e, 0, -1, F);
+	print find_str(a, f, 0, -1, F);
+	print find_str(a, g, 0, -1, F);
+	}

From a6f18d514d14cdb87c50812eddb25e10633acf0b Mon Sep 17 00:00:00 2001
From: zeek-bot <info@zeek.org>
Date: Thu, 11 Nov 2021 00:43:13 +0000
Subject: [PATCH 058/210] Update doc submodule [nomail] [skip ci]

---
 doc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc b/doc
index 6bcc7c3e12..207e7c225b 160000
--- a/doc
+++ b/doc
@@ -1 +1 @@
-Subproject commit 6bcc7c3e125e0bef4352d44a57ded9e9e9fc3775
+Subproject commit 207e7c225bb1ee7e7404341e416544ac18c9a016

From 362566369f90a920711d7e88d8b421b981b72211 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Tue, 9 Nov 2021 13:07:14 -0700
Subject: [PATCH 059/210] Update libkqueue submodule

---
 auxil/libkqueue | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/auxil/libkqueue b/auxil/libkqueue
index 6c1717dea2..aeaeed2119 160000
--- a/auxil/libkqueue
+++ b/auxil/libkqueue
@@ -1 +1 @@
-Subproject commit 6c1717dea2dc34a91d32e07d2cae34b1afa0a84e
+Subproject commit aeaeed21198d6f41d0cf70bda63fe0f424922ac5

From 8fece3d8ea3e373d19721b6c6a8f9ab03402eb6d Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Thu, 11 Nov 2021 14:35:43 -0800
Subject: [PATCH 060/210] Update cmake submodule [nomail] [skip ci]

---
 cmake | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cmake b/cmake
index f5f931637e..654400c9ff 160000
--- a/cmake
+++ b/cmake
@@ -1 +1 @@
-Subproject commit f5f931637eeabd92e672fa63fae4016a9cd547d7
+Subproject commit 654400c9ffed760140f594603737c5e8750306ff

From fe932944c41ab108ff74a8af0fd9b574bac4db83 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Thu, 4 Nov 2021 14:59:16 -0700
Subject: [PATCH 061/210] GH-1620: Add event and plugin hook to track packets
 not processed

---
 NEWS                                          |  9 +++++
 src/RunState.cc                               | 12 +++++-
 src/event.bif                                 |  8 ++++
 src/iosource/Packet.cc                        | 29 ++++++++++++++
 src/iosource/Packet.h                         | 14 +++++++
 src/packet_analysis/Manager.cc                | 11 ++++++
 src/packet_analysis/Manager.h                 |  9 +++++
 src/packet_analysis/protocol/arp/ARP.cc       |  5 +++
 .../protocol/ip/IPBasedAnalyzer.cc            |  4 ++
 src/plugin/Manager.cc                         | 23 +++++++++++
 src/plugin/Manager.h                          |  9 +++++
 src/plugin/Plugin.cc                          |  7 ++++
 src/plugin/Plugin.h                           | 39 +++++++++++++++++--
 src/zeek.bif                                  | 23 ++---------
 .../btest/plugins/hooks-plugin/src/Plugin.cc  | 16 ++++++++
 .../btest/plugins/hooks-plugin/src/Plugin.h   |  1 +
 16 files changed, 194 insertions(+), 25 deletions(-)

diff --git a/NEWS b/NEWS
index d82680803e..ca92bc610e 100644
--- a/NEWS
+++ b/NEWS
@@ -40,6 +40,15 @@ New Functionality
 
 - The ``find_str`` and ``rfind_str`` bifs now support case-insensitive searches.
 
+- Added a new plugin hook for capturing packets that made it through analysis
+  without being processed called ``Plugin::HookUnprocessedPacket``. Currently
+  ARP packets or packets with a valid IP-based transport header are marked as
+  processed. This also adds an event called ``packet_not_processed`` that
+  reports the same packets.
+
+- A new command-line option ``-c`` or ``--capture-unprocessed`` will dump any
+  packets not marked as being processed, similar to the new hook and event above.
+
 Changed Functionality
 ---------------------
 
diff --git a/src/RunState.cc b/src/RunState.cc
index 2161e7ba30..3a8e367714 100644
--- a/src/RunState.cc
+++ b/src/RunState.cc
@@ -390,8 +390,16 @@ void get_final_stats()
 		                         ? ((double)s.dropped / ((double)s.received + (double)s.dropped)) *
 		                               100.0
 		                         : 0.0;
-		reporter->Info("%" PRIu64 " packets received on interface %s, %" PRIu64 " (%.2f%%) dropped",
-		               s.received, ps->Path().c_str(), s.dropped, dropped_pct);
+
+		uint64_t not_processed = packet_mgr->GetUnprocessedCount();
+		double unprocessed_pct = not_processed > 0
+		                             ? ((double)not_processed / (double)s.received) * 100.0
+		                             : 0.0;
+
+		reporter->Info("%" PRIu64 " packets received on interface %s, %" PRIu64
+		               " (%.2f%%) dropped, %" PRIu64 " (%.2f%%) not processed",
+		               s.received, ps->Path().c_str(), s.dropped, dropped_pct, not_processed,
+		               unprocessed_pct);
 		}
 	}
 
diff --git a/src/event.bif b/src/event.bif
index 18ccc7dda9..135cb10680 100644
--- a/src/event.bif
+++ b/src/event.bif
@@ -907,3 +907,11 @@ event Pcap::file_done%(path: string%);
 ##
 ## .. zeek:see:: UnknownProtocol::first_bytes_count
 event unknown_protocol%(analyzer_name: string, protocol: count, first_bytes: string%);
+
+## An event for handling packets that reached the end of processing without
+## being marked as processed. Note that this event may lead to unpredictable
+## performance spikes, particularly if a network suddenly receives a burst
+## of packets that are unprocessed.
+##
+## pkt: Data for the unprocessed packet
+event packet_not_processed%(pkt: pcap_packet%);
diff --git a/src/iosource/Packet.cc b/src/iosource/Packet.cc
index 744b289ad2..78b0684650 100644
--- a/src/iosource/Packet.cc
+++ b/src/iosource/Packet.cc
@@ -68,6 +68,8 @@ void Packet::Init(int arg_link_type, pkt_timeval* arg_ts, uint32_t arg_caplen, u
 	tunnel_type = BifEnum::Tunnel::IP;
 	gre_version = -1;
 	gre_link_type = DLT_RAW;
+
+	processed = false;
 	}
 
 Packet::~Packet()
@@ -146,6 +148,33 @@ RecordValPtr Packet::ToRawPktHdrVal() const
 		return pkt_hdr;
 	}
 
+RecordValPtr Packet::ToVal(const Packet* p)
+	{
+	static auto pcap_packet = zeek::id::find_type<zeek::RecordType>("pcap_packet");
+	auto val = zeek::make_intrusive<zeek::RecordVal>(pcap_packet);
+
+	if ( p )
+		{
+		val->Assign(0, static_cast<uint32_t>(p->ts.tv_sec));
+		val->Assign(1, static_cast<uint32_t>(p->ts.tv_usec));
+		val->Assign(2, p->cap_len);
+		val->Assign(3, p->len);
+		val->Assign(4, zeek::make_intrusive<zeek::StringVal>(p->cap_len, (const char*)p->data));
+		val->Assign(5, zeek::BifType::Enum::link_encap->GetEnumVal(p->link_type));
+		}
+	else
+		{
+		val->Assign(0, 0);
+		val->Assign(1, 0);
+		val->Assign(2, 0);
+		val->Assign(3, 0);
+		val->Assign(4, zeek::val_mgr->EmptyString());
+		val->Assign(5, zeek::BifType::Enum::link_encap->GetEnumVal(BifEnum::LINK_UNKNOWN));
+		}
+
+	return val;
+	}
+
 ValPtr Packet::FmtEUI48(const u_char* mac) const
 	{
 	char buf[20];
diff --git a/src/iosource/Packet.h b/src/iosource/Packet.h
index 3215810de0..8c61abea3d 100644
--- a/src/iosource/Packet.h
+++ b/src/iosource/Packet.h
@@ -122,6 +122,12 @@ public:
 	 */
 	RecordValPtr ToRawPktHdrVal() const;
 
+	/**
+	 * Returns a RecordVal that represents the Packet. This is used
+	 * by the get_current_packet bif.
+	 */
+	static RecordValPtr ToVal(const Packet* p);
+
 	/**
 	 * Maximal length of a layer 2 address.
 	 */
@@ -241,6 +247,14 @@ public:
 	 */
 	int gre_link_type = DLT_RAW;
 
+	/**
+	 * This flag indicates whether a packet has been processed. This can
+	 * mean different things depending on the traffic, but generally it
+	 * means that a packet has been logged in some way. We default to
+	 * false, and this can be set to true for any number of reasons.
+	 */
+	bool processed = false;
+
 private:
 	// Renders an MAC address into its ASCII representation.
 	ValPtr FmtEUI48(const u_char* mac) const;
diff --git a/src/packet_analysis/Manager.cc b/src/packet_analysis/Manager.cc
index 5cd5cf0136..e0c6f2dca6 100644
--- a/src/packet_analysis/Manager.cc
+++ b/src/packet_analysis/Manager.cc
@@ -7,6 +7,7 @@
 #include "zeek/iosource/PktDumper.h"
 #include "zeek/packet_analysis/Analyzer.h"
 #include "zeek/packet_analysis/Dispatcher.h"
+#include "zeek/plugin/Manager.h"
 #include "zeek/zeek-bif.h"
 
 using namespace zeek::packet_analysis;
@@ -106,6 +107,16 @@ void Manager::ProcessPacket(Packet* packet)
 	// Start packet analysis
 	root_analyzer->ForwardPacket(packet->cap_len, packet->data, packet, packet->link_type);
 
+	if ( ! packet->processed )
+		{
+		if ( packet_not_processed )
+			event_mgr.Enqueue(packet_not_processed, Packet::ToVal(packet));
+
+		plugin_mgr->HookUnprocessedPacket(packet);
+
+		total_not_processed++;
+		}
+
 	if ( raw_packet )
 		event_mgr.Enqueue(raw_packet, packet->ToRawPktHdrVal());
 
diff --git a/src/packet_analysis/Manager.h b/src/packet_analysis/Manager.h
index db813cb492..806221df77 100644
--- a/src/packet_analysis/Manager.h
+++ b/src/packet_analysis/Manager.h
@@ -2,6 +2,7 @@
 
 #pragma once
 
+#include "zeek/Func.h"
 #include "zeek/PacketFilter.h"
 #include "zeek/iosource/Packet.h"
 #include "zeek/packet_analysis/Component.h"
@@ -126,6 +127,12 @@ public:
 		return pkt_filter;
 		}
 
+	/**
+	 * Returns the total number of packets received that weren't considered
+	 * processed by some analyzer.
+	 */
+	uint64_t GetUnprocessedCount() const { return total_not_processed; }
+
 private:
 	/**
 	 * Instantiates a new analyzer instance.
@@ -163,6 +170,8 @@ private:
 	uint64_t unknown_sampling_rate = 0;
 	double unknown_sampling_duration = 0;
 	uint64_t unknown_first_bytes_count = 0;
+
+	uint64_t total_not_processed = 0;
 	};
 
 	} // namespace packet_analysis
diff --git a/src/packet_analysis/protocol/arp/ARP.cc b/src/packet_analysis/protocol/arp/ARP.cc
index ce70264058..89e98af66e 100644
--- a/src/packet_analysis/protocol/arp/ARP.cc
+++ b/src/packet_analysis/protocol/arp/ARP.cc
@@ -101,6 +101,11 @@ bool ARPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 		return false;
 		}
 
+	// ARP packets are considered processed if we get to this point. There may be issues
+	// with the processing of them, but they're actually an ARP packet and anything else
+	// will be reported via events.
+	packet->processed = true;
+
 	// Check the address description fields.
 	switch ( ntohs(ah->ar_hrd) )
 		{
diff --git a/src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc b/src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc
index 785d914498..16e411c306 100644
--- a/src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc
+++ b/src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc
@@ -63,6 +63,10 @@ bool IPBasedAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pkt
 	if ( ! conn )
 		return false;
 
+	// If we successfuly made a connection for this packet that means it'll eventually
+	// get logged, which means we can mark this packet as having been processed.
+	pkt->processed = true;
+
 	bool is_orig = (tuple.src_addr == conn->OrigAddr()) && (tuple.src_port == conn->OrigPort());
 
 	conn->CheckFlowLabel(is_orig, ip_hdr->FlowLabel());
diff --git a/src/plugin/Manager.cc b/src/plugin/Manager.cc
index 8215c5c56c..7270191dbf 100644
--- a/src/plugin/Manager.cc
+++ b/src/plugin/Manager.cc
@@ -1012,6 +1012,29 @@ bool Manager::HookReporter(const std::string& prefix, const EventHandlerPtr even
 	return result;
 	}
 
+void Manager::HookUnprocessedPacket(const Packet* packet) const
+	{
+	HookArgumentList args;
+
+	if ( HavePluginForHook(META_HOOK_PRE) )
+		{
+		args.emplace_back(HookArgument{packet});
+		MetaHookPre(HOOK_UNPROCESSED_PACKET, args);
+		}
+
+	hook_list* l = hooks[HOOK_UNPROCESSED_PACKET];
+
+	if ( l )
+		for ( hook_list::iterator i = l->begin(); i != l->end(); ++i )
+			{
+			Plugin* p = (*i).second;
+			p->HookUnprocessedPacket(packet);
+			}
+
+	if ( HavePluginForHook(META_HOOK_POST) )
+		MetaHookPost(HOOK_UNPROCESSED_PACKET, args, HookArgument());
+	}
+
 void Manager::MetaHookPre(HookType hook, const HookArgumentList& args) const
 	{
 	if ( hook_list* l = hooks[HOOK_CALL_FUNCTION] )
diff --git a/src/plugin/Manager.h b/src/plugin/Manager.h
index 4873a271ba..f2324c2b44 100644
--- a/src/plugin/Manager.h
+++ b/src/plugin/Manager.h
@@ -419,6 +419,15 @@ public:
 	                  const zeek::detail::Location* location2, bool time,
 	                  const std::string& message);
 
+	/**
+	 * Hook for packets that are considered unprocessed by an Analyzer. This
+	 * typically means that a packet has not had a log entry written for it by
+	 * the time analysis finishes.
+	 *
+	 * @param packet The data for an unprocessed packet
+	 */
+	void HookUnprocessedPacket(const Packet* packet) const;
+
 	/**
 	 * Internal method that registers a freshly instantiated plugin with
 	 * the manager.
diff --git a/src/plugin/Plugin.cc b/src/plugin/Plugin.cc
index 315a844a3b..c7ef7e4f8f 100644
--- a/src/plugin/Plugin.cc
+++ b/src/plugin/Plugin.cc
@@ -31,6 +31,7 @@ const char* hook_name(HookType h)
 		"SetupAnalyzerTree",
 		"LogInit",
 		"LogWrite",
+		"UnprocessedPacket",
 		// MetaHooks
 		"MetaHookPre",
 		"MetaHookPost",
@@ -244,7 +245,11 @@ void HookArgument::Describe(ODesc* d) const
 				d->Add("<no content>");
 
 			d->Add(")");
+			break;
 			}
+
+		case PACKET:
+			d->Add("<packet>");
 			break;
 		}
 	}
@@ -432,6 +437,8 @@ bool Plugin::HookReporter(const std::string& prefix, const EventHandlerPtr event
 	return true;
 	}
 
+void Plugin::HookUnprocessedPacket(const Packet* packet) { }
+
 void Plugin::MetaHookPre(HookType hook, const HookArgumentList& args) { }
 
 void Plugin::MetaHookPost(HookType hook, const HookArgumentList& args, HookArgument result) { }
diff --git a/src/plugin/Plugin.h b/src/plugin/Plugin.h
index f625fc1a49..8f2e75e64b 100644
--- a/src/plugin/Plugin.h
+++ b/src/plugin/Plugin.h
@@ -30,6 +30,7 @@ class ODesc;
 class Event;
 class Func;
 class Obj;
+class Packet;
 
 template <class T> class IntrusivePtr;
 using ValPtr = IntrusivePtr<Val>;
@@ -68,6 +69,7 @@ enum HookType
 	HOOK_LOG_INIT, //< Activates Plugin::HookLogInit
 	HOOK_LOG_WRITE, //< Activates Plugin::HookLogWrite
 	HOOK_REPORTER, //< Activates Plugin::HookReporter
+	HOOK_UNPROCESSED_PACKET, //<Activates Plugin::HookUnprocessedPacket
 
 	// Meta hooks.
 	META_HOOK_PRE, //< Activates Plugin::MetaHookPre().
@@ -208,7 +210,8 @@ public:
 		THREAD_FIELDS,
 		LOCATION,
 		ARG_LIST,
-		INPUT_FILE
+		INPUT_FILE,
+		PACKET
 		};
 
 	/**
@@ -370,7 +373,17 @@ public:
 		}
 
 	/**
-	 * Returns the value for a boolen argument. The argument's type must
+	 * Returns the value for a zeek::Packet* argument. The argument's type must
+	 * Constructor with a zeek::Packet* argument.
+	 */
+	explicit HookArgument(const Packet* packet)
+		{
+		type = PACKET;
+		arg.packet = packet;
+		}
+
+	/**
+	 * Returns the value for a boolean argument. The argument's type must
 	 * match accordingly.
 	 */
 	bool AsBool() const
@@ -509,7 +522,7 @@ public:
 		}
 
 	/**
-	 * Returns the value for a vod pointer argument. The argument's type
+	 * Returns the value for a void pointer argument. The argument's type
 	 * must match accordingly.
 	 */
 	const void* AsVoidPtr() const
@@ -518,6 +531,16 @@ public:
 		return arg.voidp;
 		}
 
+	/**
+	 * Returns the value for a Packet pointer argument. The argument's type
+	 * must match accordingly.
+	 */
+	const Packet* AsPacket() const
+		{
+		assert(type == PACKET);
+		return arg.packet;
+		}
+
 	/**
 	 * Returns the argument's type.
 	 */
@@ -546,6 +569,7 @@ private:
 		const void* voidp;
 		const logging::WriterBackend::WriterInfo* winfo;
 		const detail::Location* loc;
+		const Packet* packet;
 		} arg;
 
 	// Outside union because these have dtors.
@@ -1039,6 +1063,15 @@ protected:
 	                          const zeek::detail::Location* location2, bool time,
 	                          const std::string& message);
 
+	/**
+	 * Hook for packets that are considered unprocessed by an Analyzer. This
+	 * typically means that a packet has not had a log entry written for it by
+	 * the time analysis finishes.
+	 *
+	 * @param packet The data for an unprocessed packet
+	 */
+	virtual void HookUnprocessedPacket(const Packet* packet);
+
 	// Meta hooks.
 	virtual void MetaHookPre(HookType hook, const HookArgumentList& args);
 	virtual void MetaHookPost(HookType hook, const HookArgumentList& args, HookArgument result);
diff --git a/src/zeek.bif b/src/zeek.bif
index 2412945eb1..6bc0382882 100644
--- a/src/zeek.bif
+++ b/src/zeek.bif
@@ -3509,30 +3509,13 @@ function dump_current_packet%(file_name: string%) : bool
 ## .. zeek:see:: dump_current_packet dump_packet
 function get_current_packet%(%) : pcap_packet
 	%{
-	static auto pcap_packet = zeek::id::find_type<zeek::RecordType>("pcap_packet");
-	const Packet* p;
-	auto pkt = zeek::make_intrusive<zeek::RecordVal>(pcap_packet);
+	const Packet* p = nullptr;
 	zeek::iosource::PktSrc* pkt_src = zeek::run_state::detail::current_packet_source();
 
 	if ( ! pkt_src || ! pkt_src->GetCurrentPacket(&p) )
-		{
-		pkt->Assign(0, 0);
-		pkt->Assign(1, 0);
-		pkt->Assign(2, 0);
-		pkt->Assign(3, 0);
-		pkt->Assign(4, zeek::val_mgr->EmptyString());
-		pkt->Assign(5, zeek::BifType::Enum::link_encap->GetEnumVal(BifEnum::LINK_UNKNOWN));
-		return pkt;
-		}
+		p = nullptr;
 
-	pkt->Assign(0, static_cast<uint32_t>(p->ts.tv_sec));
-	pkt->Assign(1, static_cast<uint32_t>(p->ts.tv_usec));
-	pkt->Assign(2, p->cap_len);
-	pkt->Assign(3, p->len);
-	pkt->Assign(4, zeek::make_intrusive<zeek::StringVal>(p->cap_len, (const char*)p->data));
-	pkt->Assign(5, zeek::BifType::Enum::link_encap->GetEnumVal(p->link_type));
-
-	return pkt;
+	return Packet::ToVal(p);
 	%}
 
 ## Function to get the raw headers of the currently processed packet.
diff --git a/testing/btest/plugins/hooks-plugin/src/Plugin.cc b/testing/btest/plugins/hooks-plugin/src/Plugin.cc
index 1fd4054f38..05123fb341 100644
--- a/testing/btest/plugins/hooks-plugin/src/Plugin.cc
+++ b/testing/btest/plugins/hooks-plugin/src/Plugin.cc
@@ -26,6 +26,7 @@ zeek::plugin::Configuration Plugin::Configure()
 	EnableHook(zeek::plugin::HOOK_SETUP_ANALYZER_TREE);
 	EnableHook(zeek::plugin::HOOK_LOG_INIT);
 	EnableHook(zeek::plugin::HOOK_LOG_WRITE);
+	EnableHook(zeek::plugin::HOOK_UNPROCESSED_PACKET);
 
 	zeek::plugin::Configuration config;
 	config.name = "Demo::Hooks";
@@ -272,3 +273,18 @@ bool Plugin::HookLogWrite(const std::string& writer, const std::string& filter,
 	fprintf(stderr, "%.6f %-15s %s %s\n", zeek::run_state::network_time, "| HookLogWrite", info.path, d.Description());
 	return true;
 	}
+
+void Plugin::HookUnprocessedPacket(const zeek::Packet* packet)
+	{
+	zeek::ODesc d;
+	d.Add("[");
+	d.Add("ts=");
+	d.Add(packet->time);
+	d.Add(" len=");
+	d.Add(packet->len);
+	d.Add(" header=");
+	d.AddN(reinterpret_cast<const char*>(packet->data), 10);
+	d.Add("]");
+
+	fprintf(stderr, "%.6f %-23s %s\n", zeek::run_state::network_time, "| HookUnprocessedPacket", d.Description());
+	}
diff --git a/testing/btest/plugins/hooks-plugin/src/Plugin.h b/testing/btest/plugins/hooks-plugin/src/Plugin.h
index b721608a6f..22b7ada9a7 100644
--- a/testing/btest/plugins/hooks-plugin/src/Plugin.h
+++ b/testing/btest/plugins/hooks-plugin/src/Plugin.h
@@ -24,6 +24,7 @@ protected:
 	                  int num_fields, const zeek::threading::Field* const* fields,
 	                  zeek::threading::Value** vals) override;
 	void HookSetupAnalyzerTree(zeek::Connection *conn) override;
+	void HookUnprocessedPacket(const zeek::Packet* packet) override;
 	void MetaHookPre(zeek::plugin::HookType hook, const zeek::plugin::HookArgumentList& args) override;
 	void MetaHookPost(zeek::plugin::HookType hook, const zeek::plugin::HookArgumentList& args,
 	                  zeek::plugin::HookArgument result) override;

From 92b84a00f998be4a2c42dd505e5666ee77309f17 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Mon, 8 Nov 2021 11:04:40 -0700
Subject: [PATCH 062/210] Add command-line option to write unprocessed packets
 to a file

This commit also changes the PcapDumper to automatically flush after
every called to Dump(). This is because pcap_dump has an internal buffer
of some sort that only writes to the file after a set amount of bytes.
When using the new option on a low-traffic network, it might be a while
before you see any packets written since it has to overcome that buffer
limit first.
---
 src/Options.cc                 | 18 ++++++++++++------
 src/Options.h                  |  1 +
 src/iosource/pcap/Dumper.cc    |  1 +
 src/packet_analysis/Manager.cc | 10 +++++++++-
 src/packet_analysis/Manager.h  | 12 +++++++++++-
 src/zeek-setup.cc              |  2 +-
 6 files changed, 35 insertions(+), 9 deletions(-)

diff --git a/src/Options.cc b/src/Options.cc
index 374ae84efe..559061a74c 100644
--- a/src/Options.cc
+++ b/src/Options.cc
@@ -90,6 +90,8 @@ void usage(const char* prog, int code)
 	        "    -a|--parse-only                | exit immediately after parsing scripts\n");
 	fprintf(stderr,
 	        "    -b|--bare-mode                 | don't load scripts from the base/ directory\n");
+	fprintf(stderr,
+	        "    -c|--capture-unprocessed <file>| write unprocessed packets to a tcpdump file\n");
 	fprintf(stderr, "    -d|--debug-script              | activate Zeek script debugging\n");
 	fprintf(stderr, "    -e|--exec <zeek code>          | augment loaded scripts by given code\n");
 	fprintf(stderr, "    -f|--filter <filter>           | tcpdump filter\n");
@@ -103,8 +105,9 @@ void usage(const char* prog, int code)
 	                "allowed, pass '-' as the filename to read from stdin)\n");
 	fprintf(stderr, "    -s|--rulefile <rulefile>       | read rules from given file\n");
 	fprintf(stderr, "    -t|--tracefile <tracefile>     | activate execution tracing\n");
-	fprintf(stderr, "    -u|--usage-issues              | find variable usage issues and exit; use "
-	                "-uu for deeper/more expensive analysis\n");
+	fprintf(stderr,
+	        "    -u|--usage-issues              | find variable usage issues and exit; use "
+	        "-uu for deeper/more expensive analysis\n");
 	fprintf(stderr, "    -v|--version                   | print version and exit\n");
 	fprintf(stderr, "    -w|--writefile <writefile>     | write to given tcpdump file\n");
 #ifdef DEBUG
@@ -165,9 +168,8 @@ void usage(const char* prog, int code)
 	        getenv("ZEEK_DNS_RESOLVER")
 	            ? getenv("ZEEK_DNS_RESOLVER")
 	            : "not set, will use first IPv4 address from /etc/resolv.conf");
-	fprintf(
-		stderr,
-		"    $ZEEK_DEBUG_LOG_STDERR         | Use stderr for debug logs generated via the -B flag");
+	fprintf(stderr, "    $ZEEK_DEBUG_LOG_STDERR         | Use stderr for debug logs generated via "
+	                "the -B flag");
 
 	fprintf(stderr, "\n");
 
@@ -362,6 +364,7 @@ Options parse_cmdline(int argc, char** argv)
 	constexpr struct option long_opts[] = {
 		{"parse-only", no_argument, nullptr, 'a'},
 		{"bare-mode", no_argument, nullptr, 'b'},
+		{"capture-unprocessed", required_argument, nullptr, 'c'},
 		{"debug-script", no_argument, nullptr, 'd'},
 		{"exec", required_argument, nullptr, 'e'},
 		{"filter", required_argument, nullptr, 'f'},
@@ -405,7 +408,7 @@ Options parse_cmdline(int argc, char** argv)
 	};
 
 	char opts[256];
-	util::safe_strncpy(opts, "B:e:f:G:H:I:i:j::n:O:o:p:r:s:T:t:U:w:X:CDFMNPQSWabdhmuv",
+	util::safe_strncpy(opts, "B:c:e:f:G:H:I:i:j::n:O:o:p:r:s:T:t:U:w:X:CDFMNPQSWabdhmuv",
 	                   sizeof(opts));
 
 	int op;
@@ -428,6 +431,9 @@ Options parse_cmdline(int argc, char** argv)
 			case 'b':
 				rval.bare_mode = true;
 				break;
+			case 'c':
+				rval.unprocessed_output_file = optarg;
+				break;
 			case 'd':
 				rval.debug_scripts = true;
 				break;
diff --git a/src/Options.h b/src/Options.h
index b19b9ea0b4..b9bd1c5e9b 100644
--- a/src/Options.h
+++ b/src/Options.h
@@ -72,6 +72,7 @@ struct Options
 	std::optional<std::string> random_seed_output_file;
 	std::optional<std::string> process_status_file;
 	std::optional<std::string> zeekygen_config_file;
+	std::optional<std::string> unprocessed_output_file;
 
 	std::set<std::string> plugins_to_load;
 	std::vector<std::string> scripts_to_load;
diff --git a/src/iosource/pcap/Dumper.cc b/src/iosource/pcap/Dumper.cc
index 3b46c5c15f..3cf7a0dcf7 100644
--- a/src/iosource/pcap/Dumper.cc
+++ b/src/iosource/pcap/Dumper.cc
@@ -110,6 +110,7 @@ bool PcapDumper::Dump(const Packet* pkt)
 	const struct pcap_pkthdr phdr = {.ts = pkt->ts, .caplen = pkt->cap_len, .len = pkt->len};
 
 	pcap_dump((u_char*)dumper, &phdr, pkt->data);
+	pcap_dump_flush(dumper);
 	return true;
 	}
 
diff --git a/src/packet_analysis/Manager.cc b/src/packet_analysis/Manager.cc
index e0c6f2dca6..dc53ce4bbc 100644
--- a/src/packet_analysis/Manager.cc
+++ b/src/packet_analysis/Manager.cc
@@ -4,6 +4,7 @@
 
 #include "zeek/RunState.h"
 #include "zeek/Stats.h"
+#include "zeek/iosource/Manager.h"
 #include "zeek/iosource/PktDumper.h"
 #include "zeek/packet_analysis/Analyzer.h"
 #include "zeek/packet_analysis/Dispatcher.h"
@@ -24,7 +25,7 @@ Manager::~Manager()
 	delete pkt_filter;
 	}
 
-void Manager::InitPostScript()
+void Manager::InitPostScript(const std::string& unprocessed_output_file)
 	{
 	// Instantiate objects for all available analyzers
 	for ( const auto& analyzerComponent : GetComponents() )
@@ -49,6 +50,10 @@ void Manager::InitPostScript()
 	unknown_sampling_threshold = id::find_val("UnknownProtocol::sampling_threshold")->AsCount();
 	unknown_sampling_duration = id::find_val("UnknownProtocol::sampling_duration")->AsInterval();
 	unknown_first_bytes_count = id::find_val("UnknownProtocol::first_bytes_count")->AsCount();
+
+	if ( ! unprocessed_output_file.empty() )
+		// This gets automatically cleaned up by iosource_mgr. No need to delete it locally.
+		unprocessed_dumper = iosource_mgr->OpenPktDumper(unprocessed_output_file, true);
 	}
 
 void Manager::Done() { }
@@ -114,6 +119,9 @@ void Manager::ProcessPacket(Packet* packet)
 
 		plugin_mgr->HookUnprocessedPacket(packet);
 
+		if ( unprocessed_dumper )
+			unprocessed_dumper->Dump(packet);
+
 		total_not_processed++;
 		}
 
diff --git a/src/packet_analysis/Manager.h b/src/packet_analysis/Manager.h
index 806221df77..ecb659db23 100644
--- a/src/packet_analysis/Manager.h
+++ b/src/packet_analysis/Manager.h
@@ -18,6 +18,11 @@ namespace detail
 class PacketProfiler;
 	}
 
+namespace iosource
+	{
+class PktDumper;
+	}
+
 namespace packet_analysis
 	{
 
@@ -40,8 +45,12 @@ public:
 	/**
 	 * Second-stage initialization of the manager. This is called late
 	 * during Zeek's initialization after any scripts are processed.
+	 *
+	 * @param unprocessed_output_file A path to a file where unprocessed
+	 * packets will be written. This can be an empty string to disable
+	 * writing packets.
 	 */
-	void InitPostScript();
+	void InitPostScript(const std::string& unprocessed_output_file);
 
 	/**
 	 * Finished the manager's operations.
@@ -172,6 +181,7 @@ private:
 	uint64_t unknown_first_bytes_count = 0;
 
 	uint64_t total_not_processed = 0;
+	iosource::PktDumper* unprocessed_dumper = nullptr;
 	};
 
 	} // namespace packet_analysis
diff --git a/src/zeek-setup.cc b/src/zeek-setup.cc
index 25d2c439f6..5b2c6de914 100644
--- a/src/zeek-setup.cc
+++ b/src/zeek-setup.cc
@@ -708,7 +708,7 @@ SetupResult setup(int argc, char** argv, Options* zopts)
 			exit(success ? 0 : 1);
 			}
 
-		packet_mgr->InitPostScript();
+		packet_mgr->InitPostScript(options.unprocessed_output_file.value_or(""));
 		analyzer_mgr->InitPostScript();
 		file_mgr->InitPostScript();
 		dns_mgr->InitPostScript();

From d0f8c50417c2740ba588cbd0ac038f2905965cdd Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Mon, 8 Nov 2021 11:53:54 -0700
Subject: [PATCH 063/210] Fix whitespace in help output

---
 src/Options.cc | 98 +++++++++++++++++++++++++-------------------------
 1 file changed, 49 insertions(+), 49 deletions(-)

diff --git a/src/Options.cc b/src/Options.cc
index 559061a74c..3b7224a212 100644
--- a/src/Options.cc
+++ b/src/Options.cc
@@ -85,90 +85,90 @@ void usage(const char* prog, int code)
 
 	fprintf(stderr, "usage: %s [options] [file ...]\n", prog);
 	fprintf(stderr, "usage: %s --test [doctest-options] -- [options] [file ...]\n", prog);
-	fprintf(stderr, "    <file>                         | Zeek script file, or read stdin\n");
+	fprintf(stderr, "    <file>                          | Zeek script file, or read stdin\n");
 	fprintf(stderr,
-	        "    -a|--parse-only                | exit immediately after parsing scripts\n");
+	        "    -a|--parse-only                 | exit immediately after parsing scripts\n");
 	fprintf(stderr,
-	        "    -b|--bare-mode                 | don't load scripts from the base/ directory\n");
+	        "    -b|--bare-mode                  | don't load scripts from the base/ directory\n");
 	fprintf(stderr,
-	        "    -c|--capture-unprocessed <file>| write unprocessed packets to a tcpdump file\n");
-	fprintf(stderr, "    -d|--debug-script              | activate Zeek script debugging\n");
-	fprintf(stderr, "    -e|--exec <zeek code>          | augment loaded scripts by given code\n");
-	fprintf(stderr, "    -f|--filter <filter>           | tcpdump filter\n");
-	fprintf(stderr, "    -h|--help                      | command line help\n");
+	        "    -c|--capture-unprocessed <file> | write unprocessed packets to a tcpdump file\n");
+	fprintf(stderr, "    -d|--debug-script               | activate Zeek script debugging\n");
+	fprintf(stderr, "    -e|--exec <zeek code>           | augment loaded scripts by given code\n");
+	fprintf(stderr, "    -f|--filter <filter>            | tcpdump filter\n");
+	fprintf(stderr, "    -h|--help                       | command line help\n");
 	fprintf(stderr,
-	        "    -i|--iface <interface>         | read from given interface (only one allowed)\n");
+	        "    -i|--iface <interface>          | read from given interface (only one allowed)\n");
 	fprintf(
 		stderr,
-		"    -p|--prefix <prefix>           | add given prefix to Zeek script file resolution\n");
-	fprintf(stderr, "    -r|--readfile <readfile>       | read from given tcpdump file (only one "
+		"    -p|--prefix <prefix>            | add given prefix to Zeek script file resolution\n");
+	fprintf(stderr, "    -r|--readfile <readfile>        | read from given tcpdump file (only one "
 	                "allowed, pass '-' as the filename to read from stdin)\n");
-	fprintf(stderr, "    -s|--rulefile <rulefile>       | read rules from given file\n");
-	fprintf(stderr, "    -t|--tracefile <tracefile>     | activate execution tracing\n");
+	fprintf(stderr, "    -s|--rulefile <rulefile>        | read rules from given file\n");
+	fprintf(stderr, "    -t|--tracefile <tracefile>      | activate execution tracing\n");
 	fprintf(stderr,
-	        "    -u|--usage-issues              | find variable usage issues and exit; use "
+	        "    -u|--usage-issues               | find variable usage issues and exit; use "
 	        "-uu for deeper/more expensive analysis\n");
-	fprintf(stderr, "    -v|--version                   | print version and exit\n");
-	fprintf(stderr, "    -w|--writefile <writefile>     | write to given tcpdump file\n");
+	fprintf(stderr, "    -v|--version                    | print version and exit\n");
+	fprintf(stderr, "    -w|--writefile <writefile>      | write to given tcpdump file\n");
 #ifdef DEBUG
-	fprintf(stderr, "    -B|--debug <dbgstreams>        | Enable debugging output for selected "
+	fprintf(stderr, "    -B|--debug <dbgstreams>         | Enable debugging output for selected "
 	                "streams ('-B help' for help)\n");
 #endif
-	fprintf(stderr, "    -C|--no-checksums              | ignore checksums\n");
-	fprintf(stderr, "    -D|--deterministic             | initialize random seeds to zero\n");
-	fprintf(stderr, "    -F|--force-dns                 | force DNS\n");
-	fprintf(stderr, "    -G|--load-seeds <file>         | load seeds from given file\n");
-	fprintf(stderr, "    -H|--save-seeds <file>         | save seeds to given file\n");
-	fprintf(stderr, "    -I|--print-id <ID name>        | print out given ID\n");
-	fprintf(stderr, "    -N|--print-plugins             | print available plugins and exit (-NN "
+	fprintf(stderr, "    -C|--no-checksums               | ignore checksums\n");
+	fprintf(stderr, "    -D|--deterministic              | initialize random seeds to zero\n");
+	fprintf(stderr, "    -F|--force-dns                  | force DNS\n");
+	fprintf(stderr, "    -G|--load-seeds <file>          | load seeds from given file\n");
+	fprintf(stderr, "    -H|--save-seeds <file>          | save seeds to given file\n");
+	fprintf(stderr, "    -I|--print-id <ID name>         | print out given ID\n");
+	fprintf(stderr, "    -N|--print-plugins              | print available plugins and exit (-NN "
 	                "for verbose)\n");
-	fprintf(stderr, "    -O|--optimize[=<option>]       | enable script optimization (use -O help "
+	fprintf(stderr, "    -O|--optimize[=<option>]        | enable script optimization (use -O help "
 	                "for options)\n");
-	fprintf(stderr, "    -o|--optimize-only=<func>      | enable script optimization only for the "
+	fprintf(stderr, "    -o|--optimize-only=<func>       | enable script optimization only for the "
 	                "given function\n");
-	fprintf(stderr, "    -P|--prime-dns                 | prime DNS\n");
+	fprintf(stderr, "    -P|--prime-dns                  | prime DNS\n");
 	fprintf(stderr,
-	        "    -Q|--time                      | print execution time summary to stderr\n");
-	fprintf(stderr, "    -S|--debug-rules               | enable rule debugging\n");
-	fprintf(stderr, "    -T|--re-level <level>          | set 'RE_level' for rules\n");
-	fprintf(stderr, "    -U|--status-file <file>        | Record process status in file\n");
-	fprintf(stderr, "    -W|--watchdog                  | activate watchdog timer\n");
+	        "    -Q|--time                       | print execution time summary to stderr\n");
+	fprintf(stderr, "    -S|--debug-rules                | enable rule debugging\n");
+	fprintf(stderr, "    -T|--re-level <level>           | set 'RE_level' for rules\n");
+	fprintf(stderr, "    -U|--status-file <file>         | Record process status in file\n");
+	fprintf(stderr, "    -W|--watchdog                   | activate watchdog timer\n");
 	fprintf(stderr,
-	        "    -X|--zeekygen <cfgfile>        | generate documentation based on config file\n");
+	        "    -X|--zeekygen <cfgfile>         | generate documentation based on config file\n");
 
 #ifdef USE_PERFTOOLS_DEBUG
-	fprintf(stderr, "    -m|--mem-leaks                 | show leaks  [perftools]\n");
-	fprintf(stderr, "    -M|--mem-profile               | record heap [perftools]\n");
+	fprintf(stderr, "    -m|--mem-leaks                  | show leaks  [perftools]\n");
+	fprintf(stderr, "    -M|--mem-profile                | record heap [perftools]\n");
 #endif
-	fprintf(stderr, "    --pseudo-realtime[=<speedup>]  | enable pseudo-realtime for performance "
+	fprintf(stderr, "    --pseudo-realtime[=<speedup>]   | enable pseudo-realtime for performance "
 	                "evaluation (default 1)\n");
-	fprintf(stderr, "    -j|--jobs                      | enable supervisor mode\n");
-	fprintf(stderr, "    --test                         | run unit tests ('--test -h' for help, "
+	fprintf(stderr, "    -j|--jobs                       | enable supervisor mode\n");
+	fprintf(stderr, "    --test                          | run unit tests ('--test -h' for help, "
 	                "only when compiling with ENABLE_ZEEK_UNIT_TESTS)\n");
-	fprintf(stderr, "    $ZEEKPATH                      | file search path (%s)\n",
+	fprintf(stderr, "    $ZEEKPATH                       | file search path (%s)\n",
 	        util::zeek_path().c_str());
-	fprintf(stderr, "    $ZEEK_PLUGIN_PATH              | plugin search path (%s)\n",
+	fprintf(stderr, "    $ZEEK_PLUGIN_PATH               | plugin search path (%s)\n",
 	        util::zeek_plugin_path());
-	fprintf(stderr, "    $ZEEK_PLUGIN_ACTIVATE          | plugins to always activate (%s)\n",
+	fprintf(stderr, "    $ZEEK_PLUGIN_ACTIVATE           | plugins to always activate (%s)\n",
 	        util::zeek_plugin_activate());
-	fprintf(stderr, "    $ZEEK_PREFIXES                 | prefix list (%s)\n",
+	fprintf(stderr, "    $ZEEK_PREFIXES                  | prefix list (%s)\n",
 	        util::zeek_prefixes().c_str());
-	fprintf(stderr, "    $ZEEK_DNS_FAKE                 | disable DNS lookups (%s)\n",
+	fprintf(stderr, "    $ZEEK_DNS_FAKE                  | disable DNS lookups (%s)\n",
 	        fake_dns() ? "on" : "off");
-	fprintf(stderr, "    $ZEEK_SEED_FILE                | file to load seeds from (not set)\n");
-	fprintf(stderr, "    $ZEEK_LOG_SUFFIX               | ASCII log file extension (.%s)\n",
+	fprintf(stderr, "    $ZEEK_SEED_FILE                 | file to load seeds from (not set)\n");
+	fprintf(stderr, "    $ZEEK_LOG_SUFFIX                | ASCII log file extension (.%s)\n",
 	        logging::writer::detail::Ascii::LogExt().c_str());
-	fprintf(stderr, "    $ZEEK_PROFILER_FILE            | Output file for script execution "
+	fprintf(stderr, "    $ZEEK_PROFILER_FILE             | Output file for script execution "
 	                "statistics (not set)\n");
 	fprintf(stderr,
-	        "    $ZEEK_DISABLE_ZEEKYGEN         | Disable Zeekygen documentation support (%s)\n",
+	        "    $ZEEK_DISABLE_ZEEKYGEN          | Disable Zeekygen documentation support (%s)\n",
 	        getenv("ZEEK_DISABLE_ZEEKYGEN") ? "set" : "not set");
 	fprintf(stderr,
-	        "    $ZEEK_DNS_RESOLVER             | IPv4/IPv6 address of DNS resolver to use (%s)\n",
+	        "    $ZEEK_DNS_RESOLVER              | IPv4/IPv6 address of DNS resolver to use (%s)\n",
 	        getenv("ZEEK_DNS_RESOLVER")
 	            ? getenv("ZEEK_DNS_RESOLVER")
 	            : "not set, will use first IPv4 address from /etc/resolv.conf");
-	fprintf(stderr, "    $ZEEK_DEBUG_LOG_STDERR         | Use stderr for debug logs generated via "
+	fprintf(stderr, "    $ZEEK_DEBUG_LOG_STDERR          | Use stderr for debug logs generated via "
 	                "the -B flag");
 
 	fprintf(stderr, "\n");

From 6e8dae316b57c05a29aaa17ce307cc06eef23c78 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Thu, 11 Nov 2021 14:36:32 -0700
Subject: [PATCH 064/210] Added plugin.unprocessed_packet_hook btest

---
 .../plugins.unprocessed-packet-hook/output    | 132 +++++++
 .../unprocessed.pcap.hex                      | 336 ++++++++++++++++++
 .../btest/plugins/hooks-plugin/src/Plugin.cc  |   2 -
 .../.btest-ignore                             |   0
 .../scripts/__load__.zeek                     |   4 +
 .../src/Plugin.cc                             |  39 ++
 .../src/Plugin.h                              |  19 +
 .../plugins/unprocessed-packet-hook.zeek      |  10 +
 8 files changed, 540 insertions(+), 2 deletions(-)
 create mode 100644 testing/btest/Baseline/plugins.unprocessed-packet-hook/output
 create mode 100644 testing/btest/Baseline/plugins.unprocessed-packet-hook/unprocessed.pcap.hex
 create mode 100644 testing/btest/plugins/unprocessed-packet-hook-plugin/.btest-ignore
 create mode 100644 testing/btest/plugins/unprocessed-packet-hook-plugin/scripts/__load__.zeek
 create mode 100644 testing/btest/plugins/unprocessed-packet-hook-plugin/src/Plugin.cc
 create mode 100644 testing/btest/plugins/unprocessed-packet-hook-plugin/src/Plugin.h
 create mode 100644 testing/btest/plugins/unprocessed-packet-hook.zeek

diff --git a/testing/btest/Baseline/plugins.unprocessed-packet-hook/output b/testing/btest/Baseline/plugins.unprocessed-packet-hook/output
new file mode 100644
index 0000000000..c09f2f4d74
--- /dev/null
+++ b/testing/btest/Baseline/plugins.unprocessed-packet-hook/output
@@ -0,0 +1,132 @@
+1529347003.888515 | HookUnprocessedPacket [ts=1529347003.888515 len=60]
+packet_not_processed: ts=1529347003.888515
+1529347003.889372 | HookUnprocessedPacket [ts=1529347003.889372 len=62]
+packet_not_processed: ts=1529347003.889372
+1529347003.890009 | HookUnprocessedPacket [ts=1529347003.890009 len=60]
+packet_not_processed: ts=1529347003.890009
+1529347003.890881 | HookUnprocessedPacket [ts=1529347003.890881 len=62]
+packet_not_processed: ts=1529347003.890881
+1529347003.891520 | HookUnprocessedPacket [ts=1529347003.89152 len=60]
+packet_not_processed: ts=1529347003.891520
+1529347003.892374 | HookUnprocessedPacket [ts=1529347003.892374 len=62]
+packet_not_processed: ts=1529347003.892374
+1529347003.893010 | HookUnprocessedPacket [ts=1529347003.89301 len=60]
+packet_not_processed: ts=1529347003.893010
+1529347003.893973 | HookUnprocessedPacket [ts=1529347003.893973 len=62]
+packet_not_processed: ts=1529347003.893973
+1529347003.894627 | HookUnprocessedPacket [ts=1529347003.894627 len=60]
+packet_not_processed: ts=1529347003.894627
+1529347003.895482 | HookUnprocessedPacket [ts=1529347003.895482 len=62]
+packet_not_processed: ts=1529347003.895482
+1529347003.896120 | HookUnprocessedPacket [ts=1529347003.89612 len=60]
+packet_not_processed: ts=1529347003.896120
+1529347003.896974 | HookUnprocessedPacket [ts=1529347003.896974 len=62]
+packet_not_processed: ts=1529347003.896974
+1529347003.897608 | HookUnprocessedPacket [ts=1529347003.897608 len=60]
+packet_not_processed: ts=1529347003.897608
+1529347003.898627 | HookUnprocessedPacket [ts=1529347003.898627 len=62]
+packet_not_processed: ts=1529347003.898627
+1529347003.899558 | HookUnprocessedPacket [ts=1529347003.899558 len=60]
+packet_not_processed: ts=1529347003.899558
+1529347003.900941 | HookUnprocessedPacket [ts=1529347003.900941 len=62]
+packet_not_processed: ts=1529347003.900941
+1529347003.901790 | HookUnprocessedPacket [ts=1529347003.90179 len=66]
+packet_not_processed: ts=1529347003.901790
+1529347003.902972 | HookUnprocessedPacket [ts=1529347003.902972 len=82]
+packet_not_processed: ts=1529347003.902972
+1529347003.903806 | HookUnprocessedPacket [ts=1529347003.903806 len=66]
+packet_not_processed: ts=1529347003.903806
+1529347003.904631 | HookUnprocessedPacket [ts=1529347003.904631 len=82]
+packet_not_processed: ts=1529347003.904631
+1529347003.905200 | HookUnprocessedPacket [ts=1529347003.9052 len=66]
+packet_not_processed: ts=1529347003.905200
+1529347003.905985 | HookUnprocessedPacket [ts=1529347003.905985 len=82]
+packet_not_processed: ts=1529347003.905985
+1529347003.906561 | HookUnprocessedPacket [ts=1529347003.906561 len=66]
+packet_not_processed: ts=1529347003.906561
+1529347003.907448 | HookUnprocessedPacket [ts=1529347003.907448 len=82]
+packet_not_processed: ts=1529347003.907448
+1529347003.908018 | HookUnprocessedPacket [ts=1529347003.908018 len=66]
+packet_not_processed: ts=1529347003.908018
+1529347003.908803 | HookUnprocessedPacket [ts=1529347003.908803 len=82]
+packet_not_processed: ts=1529347003.908803
+1529347003.909373 | HookUnprocessedPacket [ts=1529347003.909373 len=66]
+packet_not_processed: ts=1529347003.909373
+1529347003.910163 | HookUnprocessedPacket [ts=1529347003.910163 len=82]
+packet_not_processed: ts=1529347003.910163
+1529347003.910733 | HookUnprocessedPacket [ts=1529347003.910733 len=66]
+packet_not_processed: ts=1529347003.910733
+1529347003.911522 | HookUnprocessedPacket [ts=1529347003.911522 len=82]
+packet_not_processed: ts=1529347003.911522
+1529347003.912089 | HookUnprocessedPacket [ts=1529347003.912089 len=66]
+packet_not_processed: ts=1529347003.912089
+1529347003.912976 | HookUnprocessedPacket [ts=1529347003.912976 len=82]
+packet_not_processed: ts=1529347003.912976
+1529347003.913490 | HookUnprocessedPacket [ts=1529347003.91349 len=60]
+packet_not_processed: ts=1529347003.913490
+1529347003.914244 | HookUnprocessedPacket [ts=1529347003.914244 len=60]
+packet_not_processed: ts=1529347003.914244
+1529347003.914754 | HookUnprocessedPacket [ts=1529347003.914754 len=60]
+packet_not_processed: ts=1529347003.914754
+1529347003.915493 | HookUnprocessedPacket [ts=1529347003.915493 len=60]
+packet_not_processed: ts=1529347003.915493
+1529347003.916000 | HookUnprocessedPacket [ts=1529347003.916 len=60]
+packet_not_processed: ts=1529347003.916000
+1529347003.916730 | HookUnprocessedPacket [ts=1529347003.91673 len=60]
+packet_not_processed: ts=1529347003.916730
+1529347003.917240 | HookUnprocessedPacket [ts=1529347003.91724 len=60]
+packet_not_processed: ts=1529347003.917240
+1529347003.917969 | HookUnprocessedPacket [ts=1529347003.917969 len=60]
+packet_not_processed: ts=1529347003.917969
+1529347003.918497 | HookUnprocessedPacket [ts=1529347003.918497 len=60]
+packet_not_processed: ts=1529347003.918497
+1529347003.919336 | HookUnprocessedPacket [ts=1529347003.919336 len=60]
+packet_not_processed: ts=1529347003.919336
+1529347003.919847 | HookUnprocessedPacket [ts=1529347003.919847 len=60]
+packet_not_processed: ts=1529347003.919847
+1529347003.920577 | HookUnprocessedPacket [ts=1529347003.920577 len=60]
+packet_not_processed: ts=1529347003.920577
+1529347003.921087 | HookUnprocessedPacket [ts=1529347003.921087 len=60]
+packet_not_processed: ts=1529347003.921087
+1529347003.921815 | HookUnprocessedPacket [ts=1529347003.921815 len=60]
+packet_not_processed: ts=1529347003.921815
+1529347003.922337 | HookUnprocessedPacket [ts=1529347003.922337 len=60]
+packet_not_processed: ts=1529347003.922337
+1529347003.923067 | HookUnprocessedPacket [ts=1529347003.923067 len=60]
+packet_not_processed: ts=1529347003.923067
+1529347003.923524 | HookUnprocessedPacket [ts=1529347003.923524 len=60]
+packet_not_processed: ts=1529347003.923524
+1529347003.924192 | HookUnprocessedPacket [ts=1529347003.924192 len=70]
+packet_not_processed: ts=1529347003.924192
+1529347003.924644 | HookUnprocessedPacket [ts=1529347003.924644 len=60]
+packet_not_processed: ts=1529347003.924644
+1529347003.925420 | HookUnprocessedPacket [ts=1529347003.92542 len=70]
+packet_not_processed: ts=1529347003.925420
+1529347003.925870 | HookUnprocessedPacket [ts=1529347003.92587 len=60]
+packet_not_processed: ts=1529347003.925870
+1529347003.926550 | HookUnprocessedPacket [ts=1529347003.92655 len=70]
+packet_not_processed: ts=1529347003.926550
+1529347003.926999 | HookUnprocessedPacket [ts=1529347003.926999 len=60]
+packet_not_processed: ts=1529347003.926999
+1529347003.927662 | HookUnprocessedPacket [ts=1529347003.927662 len=70]
+packet_not_processed: ts=1529347003.927662
+1529347003.928108 | HookUnprocessedPacket [ts=1529347003.928108 len=60]
+packet_not_processed: ts=1529347003.928108
+1529347003.928773 | HookUnprocessedPacket [ts=1529347003.928773 len=70]
+packet_not_processed: ts=1529347003.928773
+1529347003.929220 | HookUnprocessedPacket [ts=1529347003.92922 len=60]
+packet_not_processed: ts=1529347003.929220
+1529347003.929885 | HookUnprocessedPacket [ts=1529347003.929885 len=70]
+packet_not_processed: ts=1529347003.929885
+1529347003.930352 | HookUnprocessedPacket [ts=1529347003.930352 len=60]
+packet_not_processed: ts=1529347003.930352
+1529347003.931118 | HookUnprocessedPacket [ts=1529347003.931118 len=70]
+packet_not_processed: ts=1529347003.931118
+1529347003.931567 | HookUnprocessedPacket [ts=1529347003.931567 len=60]
+packet_not_processed: ts=1529347003.931567
+1529347003.932231 | HookUnprocessedPacket [ts=1529347003.932231 len=70]
+packet_not_processed: ts=1529347003.932231
+1529347003.932477 | HookUnprocessedPacket [ts=1529347003.932477 len=60]
+packet_not_processed: ts=1529347003.932477
+1529347003.932971 | HookUnprocessedPacket [ts=1529347003.932971 len=60]
+packet_not_processed: ts=1529347003.932971
diff --git a/testing/btest/Baseline/plugins.unprocessed-packet-hook/unprocessed.pcap.hex b/testing/btest/Baseline/plugins.unprocessed-packet-hook/unprocessed.pcap.hex
new file mode 100644
index 0000000000..5403ed285b
--- /dev/null
+++ b/testing/btest/Baseline/plugins.unprocessed-packet-hook/unprocessed.pcap.hex
@@ -0,0 +1,336 @@
+00000000  d4 c3 b2 a1 02 00 04 00  00 00 00 00 00 00 00 00  |................|
+00000010  00 24 00 00 01 00 00 00  bb fb 27 5b c3 8e 0d 00  |.$........'[....|
+00000020  3c 00 00 00 3c 00 00 00  a7 ab 16 9f 39 00 d4 f1  |<...<.......9...|
+00000030  20 a6 03 c3 08 00 45 00  00 20 00 01 00 00 40 84  | .....E.. ....@.|
+00000040  74 4f 01 01 01 06 02 02  02 02 de ad be ef 00 00  |tO..............|
+00000050  00 00 4e 61 be 7a 00 00  00 00 00 00 00 00 00 00  |..Na.z..........|
+00000060  00 00 00 00 bb fb 27 5b  1c 92 0d 00 3e 00 00 00  |......'[....>...|
+00000070  3e 00 00 00 8c 71 c7 b1  fd 00 39 ad 7d 5e 0d c4  |>....q....9.}^..|
+00000080  89 03 00 00 a7 ab 16 9f  39 c1 d4 f1 20 a6 03 c3  |........9... ...|
+00000090  08 00 45 00 00 20 00 01  00 00 40 84 74 4f 01 01  |..E.. ....@.tO..|
+000000a0  01 06 02 02 02 02 de ad  be ef 00 00 00 00 4e 61  |..............Na|
+000000b0  be 7a bb fb 27 5b 99 94  0d 00 3c 00 00 00 3c 00  |.z..'[....<...<.|
+000000c0  00 00 5a 71 7a 02 7d 01  15 b2 9a 53 00 c1 08 00  |..Zqz.}....S....|
+000000d0  45 00 00 20 00 01 00 00  40 84 74 51 01 01 01 04  |E.. ....@.tQ....|
+000000e0  02 02 02 02 de ad be ef  00 00 00 00 4e 61 be 7a  |............Na.z|
+000000f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 bb fb  |................|
+00000100  27 5b 01 98 0d 00 3e 00  00 00 3e 00 00 00 ea b8  |'[....>...>.....|
+00000110  ac 2b 4f 01 68 be ce d7  aa 97 89 03 00 00 5a 71  |.+O.h.........Zq|
+00000120  7a 02 7d e3 15 b2 9a 53  00 c1 08 00 45 00 00 20  |z.}....S....E.. |
+00000130  00 01 00 00 40 84 74 51  01 01 01 04 02 02 02 02  |....@.tQ........|
+00000140  de ad be ef 00 00 00 00  4e 61 be 7a bb fb 27 5b  |........Na.z..'[|
+00000150  80 9a 0d 00 3c 00 00 00  3c 00 00 00 07 21 7a b4  |....<...<....!z.|
+00000160  15 02 de e3 dd 85 00 77  08 00 45 00 00 20 00 01  |.......w..E.. ..|
+00000170  00 00 40 84 74 47 01 01  01 0e 02 02 02 02 de ad  |..@.tG..........|
+00000180  be ef 00 00 00 00 4e 61  be 7a 00 00 00 00 00 00  |......Na.z......|
+00000190  00 00 00 00 00 00 00 00  bb fb 27 5b d6 9d 0d 00  |..........'[....|
+000001a0  3e 00 00 00 3e 00 00 00  1b ad 85 88 cf 02 f6 df  |>...>...........|
+000001b0  33 01 f7 de 89 03 00 00  07 21 7a b4 15 1e de e3  |3........!z.....|
+000001c0  dd 85 00 77 08 00 45 00  00 20 00 01 00 00 40 84  |...w..E.. ....@.|
+000001d0  74 47 01 01 01 0e 02 02  02 02 de ad be ef 00 00  |tG..............|
+000001e0  00 00 4e 61 be 7a bb fb  27 5b 52 a0 0d 00 3c 00  |..Na.z..'[R...<.|
+000001f0  00 00 3c 00 00 00 dd d2  34 28 20 03 5a 52 ca 2e  |..<.....4( .ZR..|
+00000200  98 e5 08 00 45 00 00 20  00 01 00 00 40 84 74 49  |....E.. ....@.tI|
+00000210  01 01 01 0c 02 02 02 02  de ad be ef 00 00 00 00  |................|
+00000220  4e 61 be 7a 00 00 00 00  00 00 00 00 00 00 00 00  |Na.z............|
+00000230  00 00 bb fb 27 5b 15 a4  0d 00 3e 00 00 00 3e 00  |....'[....>...>.|
+00000240  00 00 1b 1a cb fc 0c 03  77 45 7b 36 65 7a 89 03  |........wE{6ez..|
+00000250  00 00 dd d2 34 28 20 92  5a 52 ca 2e 98 e5 08 00  |....4( .ZR......|
+00000260  45 00 00 20 00 01 00 00  40 84 74 49 01 01 01 0c  |E.. ....@.tI....|
+00000270  02 02 02 02 de ad be ef  00 00 00 00 4e 61 be 7a  |............Na.z|
+00000280  bb fb 27 5b a3 a6 0d 00  3c 00 00 00 3c 00 00 00  |..'[....<...<...|
+00000290  fb 21 a9 34 94 04 45 62  50 d6 35 a0 08 00 45 00  |.!.4..EbP.5...E.|
+000002a0  00 20 00 01 00 00 40 84  74 55 01 01 01 00 02 02  |. ....@.tU......|
+000002b0  02 02 de ad be ef 00 00  00 00 4e 61 be 7a 00 00  |..........Na.z..|
+000002c0  00 00 00 00 00 00 00 00  00 00 00 00 bb fb 27 5b  |..............'[|
+000002d0  fa a9 0d 00 3e 00 00 00  3e 00 00 00 7e b9 2f de  |....>...>...~./.|
+000002e0  88 04 86 c5 f7 b1 99 a6  89 03 00 00 fb 21 a9 34  |.............!.4|
+000002f0  94 74 45 62 50 d6 35 a0  08 00 45 00 00 20 00 01  |.tEbP.5...E.. ..|
+00000300  00 00 40 84 74 55 01 01  01 00 02 02 02 02 de ad  |..@.tU..........|
+00000310  be ef 00 00 00 00 4e 61  be 7a bb fb 27 5b 78 ac  |......Na.z..'[x.|
+00000320  0d 00 3c 00 00 00 3c 00  00 00 7f 3c 8f ef 67 05  |..<...<....<..g.|
+00000330  b5 44 ab 5c 51 6e 08 00  45 00 00 20 00 01 00 00  |.D.\Qn..E.. ....|
+00000340  40 84 74 53 01 01 01 02  02 02 02 02 de ad be ef  |@.tS............|
+00000350  00 00 00 00 4e 61 be 7a  00 00 00 00 00 00 00 00  |....Na.z........|
+00000360  00 00 00 00 00 00 bb fb  27 5b ce af 0d 00 3e 00  |........'[....>.|
+00000370  00 00 3e 00 00 00 f9 b4  40 06 3a 05 29 2c 74 fa  |..>.....@.:.),t.|
+00000380  8a a9 89 03 00 00 7f 3c  8f ef 67 cb b5 44 ab 5c  |.......<..g..D.\|
+00000390  51 6e 08 00 45 00 00 20  00 01 00 00 40 84 74 53  |Qn..E.. ....@.tS|
+000003a0  01 01 01 02 02 02 02 02  de ad be ef 00 00 00 00  |................|
+000003b0  4e 61 be 7a bb fb 27 5b  48 b2 0d 00 3c 00 00 00  |Na.z..'[H...<...|
+000003c0  3c 00 00 00 b4 92 07 fa  3d 06 80 46 5d bd b8 6a  |<.......=..F]..j|
+000003d0  08 00 45 00 00 20 00 01  00 00 40 84 74 4d 01 01  |..E.. ....@.tM..|
+000003e0  01 08 02 02 02 02 de ad  be ef 00 00 00 00 4e 61  |..............Na|
+000003f0  be 7a 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |.z..............|
+00000400  bb fb 27 5b 43 b6 0d 00  3e 00 00 00 3e 00 00 00  |..'[C...>...>...|
+00000410  47 1f c4 81 7f 06 ec ba  a9 51 3c 0a 89 03 00 00  |G........Q<.....|
+00000420  b4 92 07 fa 3d 82 80 46  5d bd b8 6a 08 00 45 00  |....=..F]..j..E.|
+00000430  00 20 00 01 00 00 40 84  74 4d 01 01 01 08 02 02  |. ....@.tM......|
+00000440  02 02 de ad be ef 00 00  00 00 4e 61 be 7a bb fb  |..........Na.z..|
+00000450  27 5b e6 b9 0d 00 3c 00  00 00 3c 00 00 00 01 1a  |'[....<...<.....|
+00000460  72 65 2d 07 e7 43 32 3e  5e fb 08 00 45 00 00 20  |re-..C2>^...E.. |
+00000470  00 01 00 00 40 84 74 4b  01 01 01 0a 02 02 02 02  |....@.tK........|
+00000480  de ad be ef 00 00 00 00  4e 61 be 7a 00 00 00 00  |........Na.z....|
+00000490  00 00 00 00 00 00 00 00  00 00 bb fb 27 5b 4d bf  |............'[M.|
+000004a0  0d 00 3e 00 00 00 3e 00  00 00 7e 86 23 7f 61 07  |..>...>...~.#.a.|
+000004b0  bb 5f a0 46 c4 4f 89 03  00 00 01 1a 72 65 2d 80  |._.F.O......re-.|
+000004c0  e7 43 32 3e 5e fb 08 00  45 00 00 20 00 01 00 00  |.C2>^...E.. ....|
+000004d0  40 84 74 4b 01 01 01 0a  02 02 02 02 de ad be ef  |@.tK............|
+000004e0  00 00 00 00 4e 61 be 7a  bb fb 27 5b 9e c2 0d 00  |....Na.z..'[....|
+000004f0  42 00 00 00 42 00 00 00  6a 1f e4 d6 dd 00 f2 8f  |B...B...j.......|
+00000500  23 41 61 f0 86 dd 60 00  00 00 00 0c 84 40 12 34  |#Aa...`......@.4|
+00000510  00 00 00 00 00 00 00 00  00 00 00 00 00 0e 56 78  |..............Vx|
+00000520  00 00 00 00 00 00 00 00  00 00 00 00 00 00 de ad  |................|
+00000530  be ef 00 00 00 00 4e 61  be 7a bb fb 27 5b 3c c7  |......Na.z..'[<.|
+00000540  0d 00 52 00 00 00 52 00  00 00 66 0b 62 a8 88 00  |..R...R...f.b...|
+00000550  0a ad 9a a9 1e 97 89 03  00 00 6a 1f e4 d6 dd ef  |..........j.....|
+00000560  f2 8f 23 41 61 f0 86 dd  60 00 00 00 00 0c 84 40  |..#Aa...`......@|
+00000570  12 34 00 00 00 00 00 00  00 00 00 00 00 00 00 0e  |.4..............|
+00000580  56 78 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |Vx..............|
+00000590  de ad be ef 00 00 00 00  4e 61 be 7a bb fb 27 5b  |........Na.z..'[|
+000005a0  7e ca 0d 00 42 00 00 00  42 00 00 00 85 60 e6 6b  |~...B...B....`.k|
+000005b0  83 01 7b 41 63 96 85 e6  86 dd 60 00 00 00 00 0c  |..{Ac.....`.....|
+000005c0  84 40 12 34 00 00 00 00  00 00 00 00 00 00 00 00  |.@.4............|
+000005d0  00 0c 56 78 00 00 00 00  00 00 00 00 00 00 00 00  |..Vx............|
+000005e0  00 00 de ad be ef 00 00  00 00 4e 61 be 7a bb fb  |..........Na.z..|
+000005f0  27 5b b7 cd 0d 00 52 00  00 00 52 00 00 00 5d 0e  |'[....R...R...].|
+00000600  08 a3 7b 01 80 1f c3 9d  d1 d9 89 03 00 00 85 60  |..{............`|
+00000610  e6 6b 83 14 7b 41 63 96  85 e6 86 dd 60 00 00 00  |.k..{Ac.....`...|
+00000620  00 0c 84 40 12 34 00 00  00 00 00 00 00 00 00 00  |...@.4..........|
+00000630  00 00 00 0c 56 78 00 00  00 00 00 00 00 00 00 00  |....Vx..........|
+00000640  00 00 00 00 de ad be ef  00 00 00 00 4e 61 be 7a  |............Na.z|
+00000650  bb fb 27 5b f0 cf 0d 00  42 00 00 00 42 00 00 00  |..'[....B...B...|
+00000660  ae 24 47 01 9e 02 62 c6  11 c1 8c fd 86 dd 60 00  |.$G...b.......`.|
+00000670  00 00 00 0c 84 40 12 34  00 00 00 00 00 00 00 00  |.....@.4........|
+00000680  00 00 00 00 00 06 56 78  00 00 00 00 00 00 00 00  |......Vx........|
+00000690  00 00 00 00 00 00 de ad  be ef 00 00 00 00 4e 61  |..............Na|
+000006a0  be 7a bb fb 27 5b 01 d3  0d 00 52 00 00 00 52 00  |.z..'[....R...R.|
+000006b0  00 00 7d 31 25 ee cc 02  78 1b aa d2 29 67 89 03  |..}1%...x...)g..|
+000006c0  00 00 ae 24 47 01 9e 88  62 c6 11 c1 8c fd 86 dd  |...$G...b.......|
+000006d0  60 00 00 00 00 0c 84 40  12 34 00 00 00 00 00 00  |`......@.4......|
+000006e0  00 00 00 00 00 00 00 06  56 78 00 00 00 00 00 00  |........Vx......|
+000006f0  00 00 00 00 00 00 00 00  de ad be ef 00 00 00 00  |................|
+00000700  4e 61 be 7a bb fb 27 5b  41 d5 0d 00 42 00 00 00  |Na.z..'[A...B...|
+00000710  42 00 00 00 10 ea 0a 20  67 03 38 aa ef 53 9c 1d  |B...... g.8..S..|
+00000720  86 dd 60 00 00 00 00 0c  84 40 12 34 00 00 00 00  |..`......@.4....|
+00000730  00 00 00 00 00 00 00 00  00 04 56 78 00 00 00 00  |..........Vx....|
+00000740  00 00 00 00 00 00 00 00  00 00 de ad be ef 00 00  |................|
+00000750  00 00 4e 61 be 7a bb fb  27 5b b8 d8 0d 00 52 00  |..Na.z..'[....R.|
+00000760  00 00 52 00 00 00 99 81  5f e9 cb 03 53 02 b0 7f  |..R....._...S...|
+00000770  97 d7 89 03 00 00 10 ea  0a 20 67 c0 38 aa ef 53  |......... g.8..S|
+00000780  9c 1d 86 dd 60 00 00 00  00 0c 84 40 12 34 00 00  |....`......@.4..|
+00000790  00 00 00 00 00 00 00 00  00 00 00 04 56 78 00 00  |............Vx..|
+000007a0  00 00 00 00 00 00 00 00  00 00 00 00 de ad be ef  |................|
+000007b0  00 00 00 00 4e 61 be 7a  bb fb 27 5b f2 da 0d 00  |....Na.z..'[....|
+000007c0  42 00 00 00 42 00 00 00  58 dd f8 44 97 04 e3 17  |B...B...X..D....|
+000007d0  e3 dc 91 fe 86 dd 60 00  00 00 00 0c 84 40 12 34  |......`......@.4|
+000007e0  00 00 00 00 00 00 00 00  00 00 00 00 00 08 56 78  |..............Vx|
+000007f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 de ad  |................|
+00000800  be ef 00 00 00 00 4e 61  be 7a bb fb 27 5b 03 de  |......Na.z..'[..|
+00000810  0d 00 52 00 00 00 52 00  00 00 6d 78 c2 70 5f 04  |..R...R...mx.p_.|
+00000820  8e cc 87 4b e6 5e 89 03  00 00 58 dd f8 44 97 76  |...K.^....X..D.v|
+00000830  e3 17 e3 dc 91 fe 86 dd  60 00 00 00 00 0c 84 40  |........`......@|
+00000840  12 34 00 00 00 00 00 00  00 00 00 00 00 00 00 08  |.4..............|
+00000850  56 78 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |Vx..............|
+00000860  de ad be ef 00 00 00 00  4e 61 be 7a bb fb 27 5b  |........Na.z..'[|
+00000870  3d e0 0d 00 42 00 00 00  42 00 00 00 a3 e2 21 1b  |=...B...B.....!.|
+00000880  ef 05 35 29 8f 97 f9 aa  86 dd 60 00 00 00 00 0c  |..5)......`.....|
+00000890  84 40 12 34 00 00 00 00  00 00 00 00 00 00 00 00  |.@.4............|
+000008a0  00 0a 56 78 00 00 00 00  00 00 00 00 00 00 00 00  |..Vx............|
+000008b0  00 00 de ad be ef 00 00  00 00 4e 61 be 7a bb fb  |..........Na.z..|
+000008c0  27 5b 53 e3 0d 00 52 00  00 00 52 00 00 00 3c 97  |'[S...R...R...<.|
+000008d0  50 ba a0 05 e8 79 60 77  c7 1c 89 03 00 00 a3 e2  |P....y`w........|
+000008e0  21 1b ef 54 35 29 8f 97  f9 aa 86 dd 60 00 00 00  |!..T5)......`...|
+000008f0  00 0c 84 40 12 34 00 00  00 00 00 00 00 00 00 00  |...@.4..........|
+00000900  00 00 00 0a 56 78 00 00  00 00 00 00 00 00 00 00  |....Vx..........|
+00000910  00 00 00 00 de ad be ef  00 00 00 00 4e 61 be 7a  |............Na.z|
+00000920  bb fb 27 5b 8d e5 0d 00  42 00 00 00 42 00 00 00  |..'[....B...B...|
+00000930  c6 60 5c 89 df 06 53 9a  0b 1e 70 34 86 dd 60 00  |.`\...S...p4..`.|
+00000940  00 00 00 0c 84 40 12 34  00 00 00 00 00 00 00 00  |.....@.4........|
+00000950  00 00 00 00 00 00 56 78  00 00 00 00 00 00 00 00  |......Vx........|
+00000960  00 00 00 00 00 00 de ad  be ef 00 00 00 00 4e 61  |..............Na|
+00000970  be 7a bb fb 27 5b a2 e8  0d 00 52 00 00 00 52 00  |.z..'[....R...R.|
+00000980  00 00 a7 14 e8 32 79 06  dd 2e 86 a4 fb cf 89 03  |.....2y.........|
+00000990  00 00 c6 60 5c 89 df 2e  53 9a 0b 1e 70 34 86 dd  |...`\...S...p4..|
+000009a0  60 00 00 00 00 0c 84 40  12 34 00 00 00 00 00 00  |`......@.4......|
+000009b0  00 00 00 00 00 00 00 00  56 78 00 00 00 00 00 00  |........Vx......|
+000009c0  00 00 00 00 00 00 00 00  de ad be ef 00 00 00 00  |................|
+000009d0  4e 61 be 7a bb fb 27 5b  d9 ea 0d 00 42 00 00 00  |Na.z..'[....B...|
+000009e0  42 00 00 00 a3 2e 8a 05  ba 07 c7 5c 4e c5 56 78  |B..........\N.Vx|
+000009f0  86 dd 60 00 00 00 00 0c  84 40 12 34 00 00 00 00  |..`......@.4....|
+00000a00  00 00 00 00 00 00 00 00  00 02 56 78 00 00 00 00  |..........Vx....|
+00000a10  00 00 00 00 00 00 00 00  00 00 de ad be ef 00 00  |................|
+00000a20  00 00 4e 61 be 7a bb fb  27 5b 50 ee 0d 00 52 00  |..Na.z..'[P...R.|
+00000a30  00 00 52 00 00 00 7a 28  70 6e 32 07 96 b4 35 f7  |..R...z(pn2...5.|
+00000a40  d9 bc 89 03 00 00 a3 2e  8a 05 ba 7e c7 5c 4e c5  |...........~.\N.|
+00000a50  56 78 86 dd 60 00 00 00  00 0c 84 40 12 34 00 00  |Vx..`......@.4..|
+00000a60  00 00 00 00 00 00 00 00  00 00 00 02 56 78 00 00  |............Vx..|
+00000a70  00 00 00 00 00 00 00 00  00 00 00 00 de ad be ef  |................|
+00000a80  00 00 00 00 4e 61 be 7a  bb fb 27 5b 52 f0 0d 00  |....Na.z..'[R...|
+00000a90  3c 00 00 00 3c 00 00 00  8b 82 9c 7f e6 00 ab 7a  |<...<..........z|
+00000aa0  ad 7e d6 79 08 00 45 00  00 14 00 01 00 00 40 63  |.~.y..E.......@c|
+00000ab0  74 72 01 01 01 10 02 02  02 02 00 00 00 00 00 00  |tr..............|
+00000ac0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000ad0  00 00 00 00 bb fb 27 5b  44 f3 0d 00 3c 00 00 00  |......'[D...<...|
+00000ae0  3c 00 00 00 ef 44 46 03  42 00 59 3f 99 a4 bc 0e  |<....DF.B.Y?....|
+00000af0  89 03 00 00 8b 82 9c 7f  e6 3e ab 7a ad 7e d6 79  |.........>.z.~.y|
+00000b00  08 00 45 00 00 14 00 01  00 00 40 63 74 72 01 01  |..E.......@ctr..|
+00000b10  01 10 02 02 02 02 00 00  00 00 00 00 00 00 00 00  |................|
+00000b20  bb fb 27 5b 42 f5 0d 00  3c 00 00 00 3c 00 00 00  |..'[B...<...<...|
+00000b30  99 75 1b 46 1f 01 06 e0  3c a2 29 15 08 00 45 00  |.u.F....<.)...E.|
+00000b40  00 14 00 01 00 00 40 63  74 81 01 01 01 01 02 02  |......@ct.......|
+00000b50  02 02 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000b60  00 00 00 00 00 00 00 00  00 00 00 00 bb fb 27 5b  |..............'[|
+00000b70  25 f8 0d 00 3c 00 00 00  3c 00 00 00 ae 12 1d 31  |%...<...<......1|
+00000b80  ce 01 5a 59 6e 95 c5 ee  89 03 00 00 99 75 1b 46  |..ZYn........u.F|
+00000b90  1f cb 06 e0 3c a2 29 15  08 00 45 00 00 14 00 01  |....<.)...E.....|
+00000ba0  00 00 40 63 74 81 01 01  01 01 02 02 02 02 00 00  |..@ct...........|
+00000bb0  00 00 00 00 00 00 00 00  bb fb 27 5b 20 fa 0d 00  |..........'[ ...|
+00000bc0  3c 00 00 00 3c 00 00 00  6f 9d 5a 56 44 02 c8 e2  |<...<...o.ZVD...|
+00000bd0  90 22 87 e6 08 00 45 00  00 14 00 01 00 00 40 63  |."....E.......@c|
+00000be0  74 32 01 01 01 50 02 02  02 02 00 00 00 00 00 00  |t2...P..........|
+00000bf0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000c00  00 00 00 00 bb fb 27 5b  fa fc 0d 00 3c 00 00 00  |......'[....<...|
+00000c10  3c 00 00 00 14 b4 40 74  94 02 1c d9 67 6b 01 6c  |<.....@t....gk.l|
+00000c20  89 03 00 00 6f 9d 5a 56  44 ef c8 e2 90 22 87 e6  |....o.ZVD...."..|
+00000c30  08 00 45 00 00 14 00 01  00 00 40 63 74 32 01 01  |..E.......@ct2..|
+00000c40  01 50 02 02 02 02 00 00  00 00 00 00 00 00 00 00  |.P..............|
+00000c50  bb fb 27 5b f8 fe 0d 00  3c 00 00 00 3c 00 00 00  |..'[....<...<...|
+00000c60  19 17 dc 5d 82 03 70 7a  3d 74 1e 09 08 00 45 00  |...]..pz=t....E.|
+00000c70  00 14 00 01 00 00 40 63  74 41 01 01 01 41 02 02  |......@ctA...A..|
+00000c80  02 02 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000c90  00 00 00 00 00 00 00 00  00 00 00 00 bb fb 27 5b  |..............'[|
+00000ca0  d1 01 0e 00 3c 00 00 00  3c 00 00 00 ab db 1f 05  |....<...<.......|
+00000cb0  3b 03 59 38 d1 ad 79 77  89 03 00 00 19 17 dc 5d  |;.Y8..yw.......]|
+00000cc0  82 99 70 7a 3d 74 1e 09  08 00 45 00 00 14 00 01  |..pz=t....E.....|
+00000cd0  00 00 40 63 74 41 01 01  01 41 02 02 02 02 00 00  |..@ctA...A......|
+00000ce0  00 00 00 00 00 00 00 00  bb fb 27 5b e1 03 0e 00  |..........'[....|
+00000cf0  3c 00 00 00 3c 00 00 00  67 cf d1 a1 51 04 5d 9b  |<...<...g...Q.].|
+00000d00  41 45 8a 91 08 00 45 00  00 14 00 01 00 00 40 63  |AE....E.......@c|
+00000d10  74 82 01 01 01 00 02 02  02 02 00 00 00 00 00 00  |t...............|
+00000d20  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000d30  00 00 00 00 bb fb 27 5b  28 07 0e 00 3c 00 00 00  |......'[(...<...|
+00000d40  3c 00 00 00 72 b8 f1 f8  c0 04 3d 5c 78 94 45 c5  |<...r.....=\x.E.|
+00000d50  89 03 00 00 67 cf d1 a1  51 de 5d 9b 41 45 8a 91  |....g...Q.].AE..|
+00000d60  08 00 45 00 00 14 00 01  00 00 40 63 74 82 01 01  |..E.......@ct...|
+00000d70  01 00 02 02 02 02 00 00  00 00 00 00 00 00 00 00  |................|
+00000d80  bb fb 27 5b 27 09 0e 00  3c 00 00 00 3c 00 00 00  |..'['...<...<...|
+00000d90  50 f0 c4 dd d9 05 64 8b  e6 7b 53 8a 08 00 45 00  |P.....d..{S...E.|
+00000da0  00 14 00 01 00 00 40 63  74 71 01 01 01 11 02 02  |......@ctq......|
+00000db0  02 02 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000dc0  00 00 00 00 00 00 00 00  00 00 00 00 bb fb 27 5b  |..............'[|
+00000dd0  01 0c 0e 00 3c 00 00 00  3c 00 00 00 25 62 c1 dc  |....<...<...%b..|
+00000de0  7c 05 ef fe 10 61 4f c1  89 03 00 00 50 f0 c4 dd  ||....aO.....P...|
+00000df0  d9 be 64 8b e6 7b 53 8a  08 00 45 00 00 14 00 01  |..d..{S...E.....|
+00000e00  00 00 40 63 74 71 01 01  01 11 02 02 02 02 00 00  |..@ctq..........|
+00000e10  00 00 00 00 00 00 00 00  bb fb 27 5b ff 0d 0e 00  |..........'[....|
+00000e20  3c 00 00 00 3c 00 00 00  e1 ba 64 6d f5 06 b8 c2  |<...<.....dm....|
+00000e30  37 58 6c b4 08 00 45 00  00 14 00 01 00 00 40 63  |7Xl...E.......@c|
+00000e40  74 42 01 01 01 40 02 02  02 02 00 00 00 00 00 00  |tB...@..........|
+00000e50  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000e60  00 00 00 00 bb fb 27 5b  d7 10 0e 00 3c 00 00 00  |......'[....<...|
+00000e70  3c 00 00 00 86 bc 60 68  69 06 f6 6a 7f 52 74 db  |<.....`hi..j.Rt.|
+00000e80  89 03 00 00 e1 ba 64 6d  f5 5c b8 c2 37 58 6c b4  |......dm.\..7Xl.|
+00000e90  08 00 45 00 00 14 00 01  00 00 40 63 74 42 01 01  |..E.......@ctB..|
+00000ea0  01 40 02 02 02 02 00 00  00 00 00 00 00 00 00 00  |.@..............|
+00000eb0  bb fb 27 5b e1 12 0e 00  3c 00 00 00 3c 00 00 00  |..'[....<...<...|
+00000ec0  f1 77 fe 53 2d 07 39 aa  e2 64 19 65 08 00 45 00  |.w.S-.9..d.e..E.|
+00000ed0  00 14 00 01 00 00 40 63  74 31 01 01 01 51 02 02  |......@ct1...Q..|
+00000ee0  02 02 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000ef0  00 00 00 00 00 00 00 00  00 00 00 00 bb fb 27 5b  |..............'[|
+00000f00  bb 15 0e 00 3c 00 00 00  3c 00 00 00 8e 6d 08 31  |....<...<....m.1|
+00000f10  4a 07 e9 8c 40 4c a0 e4  89 03 00 00 f1 77 fe 53  |J...@L.......w.S|
+00000f20  2d 1a 39 aa e2 64 19 65  08 00 45 00 00 14 00 01  |-.9..d.e..E.....|
+00000f30  00 00 40 63 74 31 01 01  01 51 02 02 02 02 00 00  |..@ct1...Q......|
+00000f40  00 00 00 00 00 00 00 00  bb fb 27 5b 84 17 0e 00  |..........'[....|
+00000f50  3c 00 00 00 3c 00 00 00  3c 93 ba 49 bb 00 27 7f  |<...<...<..I..'.|
+00000f60  43 b2 e8 77 86 dd 60 00  00 00 00 00 63 40 12 34  |C..w..`.....c@.4|
+00000f70  00 00 00 00 00 00 00 00  00 00 00 00 00 50 56 78  |.............PVx|
+00000f80  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000f90  00 00 00 00 bb fb 27 5b  20 1a 0e 00 46 00 00 00  |......'[ ...F...|
+00000fa0  46 00 00 00 ce 55 2e 87  58 00 40 64 a3 18 fb f5  |F....U..X.@d....|
+00000fb0  89 03 00 00 3c 93 ba 49  bb 2e 27 7f 43 b2 e8 77  |....<..I..'.C..w|
+00000fc0  86 dd 60 00 00 00 00 00  63 40 12 34 00 00 00 00  |..`.....c@.4....|
+00000fd0  00 00 00 00 00 00 00 00  00 50 56 78 00 00 00 00  |.........PVx....|
+00000fe0  00 00 00 00 00 00 00 00  00 00 bb fb 27 5b e4 1b  |............'[..|
+00000ff0  0e 00 3c 00 00 00 3c 00  00 00 84 6b 01 8b 40 01  |..<...<....k..@.|
+00001000  1a cd e6 65 f4 67 86 dd  60 00 00 00 00 00 63 40  |...e.g..`.....c@|
+00001010  12 34 00 00 00 00 00 00  00 00 00 00 00 00 00 41  |.4.............A|
+00001020  56 78 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |Vx..............|
+00001030  00 00 00 00 00 00 bb fb  27 5b ec 1e 0e 00 46 00  |........'[....F.|
+00001040  00 00 46 00 00 00 43 ba  f0 04 50 01 4c ba 61 b3  |..F...C...P.L.a.|
+00001050  79 cb 89 03 00 00 84 6b  01 8b 40 7b 1a cd e6 65  |y......k..@{...e|
+00001060  f4 67 86 dd 60 00 00 00  00 00 63 40 12 34 00 00  |.g..`.....c@.4..|
+00001070  00 00 00 00 00 00 00 00  00 00 00 41 56 78 00 00  |...........AVx..|
+00001080  00 00 00 00 00 00 00 00  00 00 00 00 bb fb 27 5b  |..............'[|
+00001090  ae 20 0e 00 3c 00 00 00  3c 00 00 00 d1 3d fc f0  |. ..<...<....=..|
+000010a0  83 02 73 8a 4e 03 a9 37  86 dd 60 00 00 00 00 00  |..s.N..7..`.....|
+000010b0  63 40 12 34 00 00 00 00  00 00 00 00 00 00 00 00  |c@.4............|
+000010c0  00 10 56 78 00 00 00 00  00 00 00 00 00 00 00 00  |..Vx............|
+000010d0  00 00 00 00 00 00 00 00  bb fb 27 5b 56 23 0e 00  |..........'[V#..|
+000010e0  46 00 00 00 46 00 00 00  a2 c9 b9 b3 a2 02 2a a7  |F...F.........*.|
+000010f0  20 c3 02 71 89 03 00 00  d1 3d fc f0 83 5f 73 8a  | ..q.....=..._s.|
+00001100  4e 03 a9 37 86 dd 60 00  00 00 00 00 63 40 12 34  |N..7..`.....c@.4|
+00001110  00 00 00 00 00 00 00 00  00 00 00 00 00 10 56 78  |..............Vx|
+00001120  00 00 00 00 00 00 00 00  00 00 00 00 00 00 bb fb  |................|
+00001130  27 5b 17 25 0e 00 3c 00  00 00 3c 00 00 00 17 08  |'[.%..<...<.....|
+00001140  c1 80 9d 03 07 e5 5e 46  ab 62 86 dd 60 00 00 00  |......^F.b..`...|
+00001150  00 00 63 40 12 34 00 00  00 00 00 00 00 00 00 00  |..c@.4..........|
+00001160  00 00 00 01 56 78 00 00  00 00 00 00 00 00 00 00  |....Vx..........|
+00001170  00 00 00 00 00 00 00 00  00 00 bb fb 27 5b ae 27  |............'[.'|
+00001180  0e 00 46 00 00 00 46 00  00 00 d6 45 44 fa 13 03  |..F...F....ED...|
+00001190  db 88 79 13 f2 11 89 03  00 00 17 08 c1 80 9d 25  |..y............%|
+000011a0  07 e5 5e 46 ab 62 86 dd  60 00 00 00 00 00 63 40  |..^F.b..`.....c@|
+000011b0  12 34 00 00 00 00 00 00  00 00 00 00 00 00 00 01  |.4..............|
+000011c0  56 78 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |Vx..............|
+000011d0  bb fb 27 5b 6c 29 0e 00  3c 00 00 00 3c 00 00 00  |..'[l)..<...<...|
+000011e0  77 60 23 a4 06 04 b3 b3  6b bf 90 b9 86 dd 60 00  |w`#.....k.....`.|
+000011f0  00 00 00 00 63 40 12 34  00 00 00 00 00 00 00 00  |....c@.4........|
+00001200  00 00 00 00 00 40 56 78  00 00 00 00 00 00 00 00  |.....@Vx........|
+00001210  00 00 00 00 00 00 00 00  00 00 00 00 bb fb 27 5b  |..............'[|
+00001220  05 2c 0e 00 46 00 00 00  46 00 00 00 78 97 40 ef  |.,..F...F...x.@.|
+00001230  69 04 9a 6d b9 6b 9c ee  89 03 00 00 77 60 23 a4  |i..m.k......w`#.|
+00001240  06 69 b3 b3 6b bf 90 b9  86 dd 60 00 00 00 00 00  |.i..k.....`.....|
+00001250  63 40 12 34 00 00 00 00  00 00 00 00 00 00 00 00  |c@.4............|
+00001260  00 40 56 78 00 00 00 00  00 00 00 00 00 00 00 00  |.@Vx............|
+00001270  00 00 bb fb 27 5b c4 2d  0e 00 3c 00 00 00 3c 00  |....'[.-..<...<.|
+00001280  00 00 f1 3e 40 44 93 05  e9 24 90 83 39 d8 86 dd  |...>@D...$..9...|
+00001290  60 00 00 00 00 00 63 40  12 34 00 00 00 00 00 00  |`.....c@.4......|
+000012a0  00 00 00 00 00 00 00 51  56 78 00 00 00 00 00 00  |.......QVx......|
+000012b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 bb fb  |................|
+000012c0  27 5b 5d 30 0e 00 46 00  00 00 46 00 00 00 b6 1c  |'[]0..F...F.....|
+000012d0  f7 71 11 05 dd ef d6 e7  eb 55 89 03 00 00 f1 3e  |.q.......U.....>|
+000012e0  40 44 93 35 e9 24 90 83  39 d8 86 dd 60 00 00 00  |@D.5.$..9...`...|
+000012f0  00 00 63 40 12 34 00 00  00 00 00 00 00 00 00 00  |..c@.4..........|
+00001300  00 00 00 51 56 78 00 00  00 00 00 00 00 00 00 00  |...QVx..........|
+00001310  00 00 00 00 bb fb 27 5b  30 32 0e 00 3c 00 00 00  |......'[02..<...|
+00001320  3c 00 00 00 50 0c f8 a7  55 06 c5 21 3a fd a1 3d  |<...P...U..!:..=|
+00001330  86 dd 60 00 00 00 00 00  63 40 12 34 00 00 00 00  |..`.....c@.4....|
+00001340  00 00 00 00 00 00 00 00  00 00 56 78 00 00 00 00  |..........Vx....|
+00001350  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00001360  bb fb 27 5b 2e 35 0e 00  46 00 00 00 46 00 00 00  |..'[.5..F...F...|
+00001370  0f ee ff c1 df 06 8e 51  01 4a 68 42 89 03 00 00  |.......Q.JhB....|
+00001380  50 0c f8 a7 55 29 c5 21  3a fd a1 3d 86 dd 60 00  |P...U).!:..=..`.|
+00001390  00 00 00 00 63 40 12 34  00 00 00 00 00 00 00 00  |....c@.4........|
+000013a0  00 00 00 00 00 00 56 78  00 00 00 00 00 00 00 00  |......Vx........|
+000013b0  00 00 00 00 00 00 bb fb  27 5b ef 36 0e 00 3c 00  |........'[.6..<.|
+000013c0  00 00 3c 00 00 00 f3 63  6c 97 68 07 52 01 44 11  |..<....cl.h.R.D.|
+000013d0  10 8b 86 dd 60 00 00 00  00 00 63 40 12 34 00 00  |....`.....c@.4..|
+000013e0  00 00 00 00 00 00 00 00  00 00 00 11 56 78 00 00  |............Vx..|
+000013f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00001400  00 00 bb fb 27 5b 87 39  0e 00 46 00 00 00 46 00  |....'[.9..F...F.|
+00001410  00 00 37 94 7b 3c e5 07  50 3c 33 a0 2e 4f 89 03  |..7.{<..P<3..O..|
+00001420  00 00 f3 63 6c 97 68 1d  52 01 44 11 10 8b 86 dd  |...cl.h.R.D.....|
+00001430  60 00 00 00 00 00 63 40  12 34 00 00 00 00 00 00  |`.....c@.4......|
+00001440  00 00 00 00 00 00 00 11  56 78 00 00 00 00 00 00  |........Vx......|
+00001450  00 00 00 00 00 00 00 00  bb fb 27 5b 7d 3a 0e 00  |..........'[}:..|
+00001460  3c 00 00 00 3c 00 00 00  9f 29 3b cb 41 ff 94 59  |<...<....);.A..Y|
+00001470  94 2c c3 ab 99 99 00 00  00 00 00 00 00 00 00 00  |.,..............|
+00001480  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+*
+000014a0  00 00 00 00 bb fb 27 5b  6b 3c 0e 00 3c 00 00 00  |......'[k<..<...|
+000014b0  3c 00 00 00 af f1 a4 d6  e0 ff ee 26 30 bc 81 dc  |<..........&0...|
+000014c0  89 03 00 00 9f 29 3b cb  41 cf 94 59 94 2c c3 ab  |.....);.A..Y.,..|
+000014d0  99 99 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+000014e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+000014f0
diff --git a/testing/btest/plugins/hooks-plugin/src/Plugin.cc b/testing/btest/plugins/hooks-plugin/src/Plugin.cc
index 05123fb341..ec0b527b6a 100644
--- a/testing/btest/plugins/hooks-plugin/src/Plugin.cc
+++ b/testing/btest/plugins/hooks-plugin/src/Plugin.cc
@@ -282,8 +282,6 @@ void Plugin::HookUnprocessedPacket(const zeek::Packet* packet)
 	d.Add(packet->time);
 	d.Add(" len=");
 	d.Add(packet->len);
-	d.Add(" header=");
-	d.AddN(reinterpret_cast<const char*>(packet->data), 10);
 	d.Add("]");
 
 	fprintf(stderr, "%.6f %-23s %s\n", zeek::run_state::network_time, "| HookUnprocessedPacket", d.Description());
diff --git a/testing/btest/plugins/unprocessed-packet-hook-plugin/.btest-ignore b/testing/btest/plugins/unprocessed-packet-hook-plugin/.btest-ignore
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/plugins/unprocessed-packet-hook-plugin/scripts/__load__.zeek b/testing/btest/plugins/unprocessed-packet-hook-plugin/scripts/__load__.zeek
new file mode 100644
index 0000000000..6bc237b788
--- /dev/null
+++ b/testing/btest/plugins/unprocessed-packet-hook-plugin/scripts/__load__.zeek
@@ -0,0 +1,4 @@
+event packet_not_processed(pkt: pcap_packet)
+{
+print fmt("packet_not_processed: ts=%d.%d", pkt$ts_sec, pkt$ts_usec);
+}
\ No newline at end of file
diff --git a/testing/btest/plugins/unprocessed-packet-hook-plugin/src/Plugin.cc b/testing/btest/plugins/unprocessed-packet-hook-plugin/src/Plugin.cc
new file mode 100644
index 0000000000..f30aa18965
--- /dev/null
+++ b/testing/btest/plugins/unprocessed-packet-hook-plugin/src/Plugin.cc
@@ -0,0 +1,39 @@
+
+#include "Plugin.h"
+
+#include <Func.h>
+#include <Event.h>
+#include <Conn.h>
+#include <Desc.h>
+#include <threading/Formatter.h>
+#include <RunState.h>
+
+namespace btest::plugin::Demo_Unprocessed_Packet { Plugin plugin; }
+
+using namespace btest::plugin::Demo_Unprocessed_Packet;
+
+zeek::plugin::Configuration Plugin::Configure()
+	{
+	EnableHook(zeek::plugin::HOOK_UNPROCESSED_PACKET);
+
+	zeek::plugin::Configuration config;
+	config.name = "Demo::Unprocessed_Packet";
+	config.description = "Exercises all plugin hooks";
+	config.version.major = 1;
+	config.version.minor = 0;
+	config.version.patch = 0;
+	return config;
+	}
+
+void Plugin::HookUnprocessedPacket(const zeek::Packet* packet)
+	{
+	zeek::ODesc d;
+	d.Add("[");
+	d.Add("ts=");
+	d.Add(packet->time);
+	d.Add(" len=");
+	d.Add(packet->len);
+	d.Add("]");
+
+	fprintf(stdout, "%.6f %-23s %s\n", zeek::run_state::network_time, "| HookUnprocessedPacket", d.Description());
+	}
diff --git a/testing/btest/plugins/unprocessed-packet-hook-plugin/src/Plugin.h b/testing/btest/plugins/unprocessed-packet-hook-plugin/src/Plugin.h
new file mode 100644
index 0000000000..201bcb2f10
--- /dev/null
+++ b/testing/btest/plugins/unprocessed-packet-hook-plugin/src/Plugin.h
@@ -0,0 +1,19 @@
+
+#pragma once
+
+#include <plugin/Plugin.h>
+
+namespace btest::plugin::Demo_Unprocessed_Packet {
+
+class Plugin : public zeek::plugin::Plugin
+{
+protected:
+	void HookUnprocessedPacket(const zeek::Packet* packet) override;
+
+	// Overridden from zeek::plugin::Plugin.
+	zeek::plugin::Configuration Configure() override;
+};
+
+extern Plugin plugin;
+
+}
diff --git a/testing/btest/plugins/unprocessed-packet-hook.zeek b/testing/btest/plugins/unprocessed-packet-hook.zeek
new file mode 100644
index 0000000000..f3e2f5da18
--- /dev/null
+++ b/testing/btest/plugins/unprocessed-packet-hook.zeek
@@ -0,0 +1,10 @@
+# @TEST-EXEC: ${DIST}/auxil/zeek-aux/plugin-support/init-plugin -u . Demo Unprocessed_Packet
+# @TEST-EXEC: cp -r %DIR/unprocessed-packet-hook-plugin/* .
+# @TEST-EXEC: ./configure --zeek-dist=${DIST} && make
+# @TEST-EXEC: ZEEK_PLUGIN_ACTIVATE="Demo::Unprocessed_Packet" ZEEK_PLUGIN_PATH=`pwd` zeek -c unprocessed.pcap -b -r $TRACES/cisco-fabric-path.pcap %INPUT 2>&1 > output
+# @TEST-EXEC: btest-diff output
+# @TEST-EXEC: hexdump -C unprocessed.pcap > unprocessed.pcap.hex
+# @TEST-EXEC: btest-diff unprocessed.pcap.hex
+
+@unload base/misc/version
+@load base/init-default

From 59d7d2896cdcb1eeb97afc43797cac14dd9e361f Mon Sep 17 00:00:00 2001
From: zeek-bot <info@zeek.org>
Date: Sat, 13 Nov 2021 00:42:02 +0000
Subject: [PATCH 065/210] Update doc submodule [nomail] [skip ci]

---
 doc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc b/doc
index 207e7c225b..834027ec7c 160000
--- a/doc
+++ b/doc
@@ -1 +1 @@
-Subproject commit 207e7c225bb1ee7e7404341e416544ac18c9a016
+Subproject commit 834027ec7c6463aa37c1d8233b0ef0052b2ebf0a

From 9675d866bbe71bb4b384f4e95f6c49823b1a13c6 Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Mon, 15 Nov 2021 09:49:18 -0800
Subject: [PATCH 066/210] Fix ref-naming typo in the Github Docker workflow

When triggering upon a tag push, we now correctly compute the Docker image tag
based on the VERSION file.
---
 .github/workflows/docker.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 459e81e417..d84c714ee1 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -61,7 +61,7 @@ jobs:
             echo "::set-output name=tag::zeek:latest"
           elif [ "${GITHUB_REF}" = "refs/heads/master" ]; then
             echo "::set-output name=tag::zeek-dev:latest"
-          elif [[ "${GITHUB_REF}" = refs/heads/v* ]] && [[ "${GITHUB_REF}" != refs/heads/v*-dev ]]; then
+          elif [[ "${GITHUB_REF}" = refs/tags/v* ]] && [[ "${GITHUB_REF}" != refs/tags/v*-dev ]]; then
             echo "::set-output name=tag::zeek:${RELEASE_VERSION}"
           fi
 

From 14f919895de00ad1c5ae686f39709874f31e2ce3 Mon Sep 17 00:00:00 2001
From: Johanna Amann <johanna@corelight.com>
Date: Tue, 16 Nov 2021 13:51:29 +0000
Subject: [PATCH 067/210] Add documentation for GH-1829

This adds documentation that clarifies that the `ignore_checksums`
option now also allows IPv4 packets with a length of 0.
---
 NEWS                        |  7 +++++++
 man/zeek.8                  |  2 +-
 scripts/base/init-bare.zeek | 13 ++++++++++---
 3 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/NEWS b/NEWS
index 2ece09bee0..836a19189a 100644
--- a/NEWS
+++ b/NEWS
@@ -53,6 +53,13 @@ Changed Functionality
 - The ``SYN_packet`` record now records TCP timestamps (TSval/TSecr)
   when available.
 
+- The ``ignore_checksums`` options and the ``-C`` command-line option now additionally cause
+  Zeek to accept IPv4 packets that provide a length of zero in the total-length IPv4 header
+  field. When the length is set to zero, the capture length of the packet is used instead.
+  This can be used to replay traces, or analyze traffic when TCP sequence offloading is enabled
+  on the local NIC - which typically causes the total-length of affected packets to be set to
+	zero.
+
 Removed Functionality
 ---------------------
 
diff --git a/man/zeek.8 b/man/zeek.8
index 1a667f5630..7b6e046ed6 100644
--- a/man/zeek.8
+++ b/man/zeek.8
@@ -66,7 +66,7 @@ print version and exit
 print contents of state file
 .TP
 \fB\-C\fR,\ \-\-no\-checksums
-ignore checksums
+When this option is set, Zeek ignores invalid packet checksums and does process the packets. Furthermore, if this option is set Zeek also processes IP packets with a zero total length field, which is typically caused by TCP (TCP Segment Offloading) on the NIC.
 .TP
 \fB\-F\fR,\ \-\-force\-dns
 force DNS
diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index a4d4e1ae17..3ab33fb8eb 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -1016,9 +1016,16 @@ const TCP_RESET = 6;	##< Endpoint has sent RST.
 const UDP_INACTIVE = 0;	##< Endpoint is still inactive.
 const UDP_ACTIVE = 1;	##< Endpoint has sent something.
 
-## If true, don't verify checksums.  Useful for running on altered trace
-## files, and for saving a few cycles, but at the risk of analyzing invalid
-## data. Note that the ``-C`` command-line option overrides the setting of this
+## If true, don't verify checksums, and accept packets that give a length of
+## zero in the IPv4 header. This is useful when running against traces of local
+## traffic and the NIC checksum offloading feature is enabled. It can also
+## be useful for running on altered trace files, and for saving a few cycles
+## at the risk of analyzing invalid data.
+## With this option, packets that have a value of zero in the total-length field
+## of the IPv4 header are also accepted, and the capture-length is used instead.
+## The total-length field is commonly set to zero when the NIC sequence offloading
+## feature is enabled.
+## Note that the ``-C`` command-line option overrides the setting of this
 ## variable.
 const ignore_checksums = F &redef;
 

From 6217851d6db3859b2add34773be5a6b3ecba49f0 Mon Sep 17 00:00:00 2001
From: Johanna Amann <johanna@corelight.com>
Date: Tue, 16 Nov 2021 15:33:31 +0000
Subject: [PATCH 068/210] Switch OpaqueVal hashing back to legacy OpenSSL
 implementation

This commit switches hashing from the more modern EVP message digest to
the older direct function calls, that are deprecated as of OpenSSL 3.0.

The reason is that we require the ability to store the internal state of
hash operations to disk. This is no longer possible with the
architecture that is used by the EVP digests; it is, however, possible
when using the legacy methods.

There might be a way to do this more cleanly in OpenSSL 3.1 - but for
the moment this seems like the easiest solution - even though I am not
really happy about it.

For details see zeek/zeek#1379 and openssl/openssl#14222
---
 src/OpaqueVal.cc | 194 +++++++++++++++--------------------------------
 src/OpaqueVal.h  |   7 +-
 2 files changed, 65 insertions(+), 136 deletions(-)

diff --git a/src/OpaqueVal.cc b/src/OpaqueVal.cc
index 66a5aa1d31..e18d6e7e28 100644
--- a/src/OpaqueVal.cc
+++ b/src/OpaqueVal.cc
@@ -1,5 +1,12 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
+// We use deprecated APIs for MD5, SHA1 and SHA256. The reason is that, as of OpenSSL 3.0, there is
+// no API anymore that lets you store the internal state of hashing functions. For more information,
+// see https://github.com/zeek/zeek/issues/1379 and https://github.com/openssl/openssl/issues/14222
+// Since I don't feel like getting warnings every time we compile this file - let's silence them.
+
+#define OPENSSL_SUPPRESS_DEPRECATED
+
 #include "zeek/OpaqueVal.h"
 
 #include <broker/data.hh>
@@ -210,11 +217,7 @@ HashVal::HashVal(OpaqueTypePtr t) : OpaqueVal(std::move(t))
 
 MD5Val::MD5Val() : HashVal(md5_type) { }
 
-MD5Val::~MD5Val()
-	{
-	if ( IsValid() )
-		EVP_MD_CTX_free(ctx);
-	}
+MD5Val::~MD5Val() { }
 
 void HashVal::digest_one(EVP_MD_CTX* h, const Val* v)
 	{
@@ -245,7 +248,7 @@ ValPtr MD5Val::DoClone(CloneState* state)
 		if ( ! out->Init() )
 			return nullptr;
 
-		EVP_MD_CTX_copy_ex(out->ctx, ctx);
+		out->ctx = ctx;
 		}
 
 	return state->NewClone(this, std::move(out));
@@ -254,7 +257,7 @@ ValPtr MD5Val::DoClone(CloneState* state)
 bool MD5Val::DoInit()
 	{
 	assert(! IsValid());
-	ctx = detail::hash_init(detail::Hash_MD5);
+	MD5_Init(&ctx);
 	return true;
 	}
 
@@ -263,7 +266,7 @@ bool MD5Val::DoFeed(const void* data, size_t size)
 	if ( ! IsValid() )
 		return false;
 
-	detail::hash_update(ctx, data, size);
+	MD5_Update(&ctx, data, size);
 	return true;
 	}
 
@@ -273,7 +276,7 @@ StringValPtr MD5Val::DoGet()
 		return val_mgr->EmptyString();
 
 	u_char digest[MD5_DIGEST_LENGTH];
-	detail::hash_final(ctx, digest);
+	MD5_Final(digest, &ctx);
 	return make_intrusive<StringVal>(detail::md5_digest_print(digest));
 	}
 
@@ -284,20 +287,9 @@ broker::expected<broker::data> MD5Val::DoSerialize() const
 	if ( ! IsValid() )
 		return {broker::vector{false}};
 
-	MD5_CTX* md = (MD5_CTX*)EVP_MD_CTX_md_data(ctx);
-
-	broker::vector d = {true,
-	                    static_cast<uint64_t>(md->A),
-	                    static_cast<uint64_t>(md->B),
-	                    static_cast<uint64_t>(md->C),
-	                    static_cast<uint64_t>(md->D),
-	                    static_cast<uint64_t>(md->Nl),
-	                    static_cast<uint64_t>(md->Nh),
-	                    static_cast<uint64_t>(md->num)};
-
-	for ( int i = 0; i < MD5_LBLOCK; ++i )
-		d.emplace_back(static_cast<uint64_t>(md->data[i]));
+	auto data = std::string(reinterpret_cast<const char*>(&ctx), sizeof(ctx));
 
+	broker::vector d = {true, data};
 	return {std::move(d)};
 	}
 
@@ -317,40 +309,24 @@ bool MD5Val::DoUnserialize(const broker::data& data)
 		return true;
 		}
 
+	if ( (*d).size() != 2 )
+		return false;
+
+	auto s = caf::get_if<std::string>(&(*d)[1]);
+	if ( ! s )
+		return false;
+
+	if ( sizeof(ctx) != s->size() )
+		return false;
+
 	Init();
-	MD5_CTX* md = (MD5_CTX*)EVP_MD_CTX_md_data(ctx);
-
-	if ( ! get_vector_idx<uint64_t>(*d, 1, &md->A) )
-		return false;
-	if ( ! get_vector_idx<uint64_t>(*d, 2, &md->B) )
-		return false;
-	if ( ! get_vector_idx<uint64_t>(*d, 3, &md->C) )
-		return false;
-	if ( ! get_vector_idx<uint64_t>(*d, 4, &md->D) )
-		return false;
-	if ( ! get_vector_idx<uint64_t>(*d, 5, &md->Nl) )
-		return false;
-	if ( ! get_vector_idx<uint64_t>(*d, 6, &md->Nh) )
-		return false;
-	if ( ! get_vector_idx<uint64_t>(*d, 7, &md->num) )
-		return false;
-
-	for ( int i = 0; i < MD5_LBLOCK; ++i )
-		{
-		if ( ! get_vector_idx<uint64_t>(*d, 8 + i, &md->data[i]) )
-			return false;
-		}
-
+	memcpy(&ctx, s->data(), s->size());
 	return true;
 	}
 
 SHA1Val::SHA1Val() : HashVal(sha1_type) { }
 
-SHA1Val::~SHA1Val()
-	{
-	if ( IsValid() )
-		EVP_MD_CTX_free(ctx);
-	}
+SHA1Val::~SHA1Val() { }
 
 ValPtr SHA1Val::DoClone(CloneState* state)
 	{
@@ -361,7 +337,7 @@ ValPtr SHA1Val::DoClone(CloneState* state)
 		if ( ! out->Init() )
 			return nullptr;
 
-		EVP_MD_CTX_copy_ex(out->ctx, ctx);
+		out->ctx = ctx;
 		}
 
 	return state->NewClone(this, std::move(out));
@@ -370,7 +346,7 @@ ValPtr SHA1Val::DoClone(CloneState* state)
 bool SHA1Val::DoInit()
 	{
 	assert(! IsValid());
-	ctx = detail::hash_init(detail::Hash_SHA1);
+	SHA1_Init(&ctx);
 	return true;
 	}
 
@@ -379,7 +355,7 @@ bool SHA1Val::DoFeed(const void* data, size_t size)
 	if ( ! IsValid() )
 		return false;
 
-	detail::hash_update(ctx, data, size);
+	SHA1_Update(&ctx, data, size);
 	return true;
 	}
 
@@ -389,7 +365,7 @@ StringValPtr SHA1Val::DoGet()
 		return val_mgr->EmptyString();
 
 	u_char digest[SHA_DIGEST_LENGTH];
-	detail::hash_final(ctx, digest);
+	SHA1_Final(digest, &ctx);
 	return make_intrusive<StringVal>(detail::sha1_digest_print(digest));
 	}
 
@@ -400,20 +376,9 @@ broker::expected<broker::data> SHA1Val::DoSerialize() const
 	if ( ! IsValid() )
 		return {broker::vector{false}};
 
-	SHA_CTX* md = (SHA_CTX*)EVP_MD_CTX_md_data(ctx);
+	auto data = std::string(reinterpret_cast<const char*>(&ctx), sizeof(ctx));
 
-	broker::vector d = {true,
-	                    static_cast<uint64_t>(md->h0),
-	                    static_cast<uint64_t>(md->h1),
-	                    static_cast<uint64_t>(md->h2),
-	                    static_cast<uint64_t>(md->h3),
-	                    static_cast<uint64_t>(md->h4),
-	                    static_cast<uint64_t>(md->Nl),
-	                    static_cast<uint64_t>(md->Nh),
-	                    static_cast<uint64_t>(md->num)};
-
-	for ( int i = 0; i < SHA_LBLOCK; ++i )
-		d.emplace_back(static_cast<uint64_t>(md->data[i]));
+	broker::vector d = {true, data};
 
 	return {std::move(d)};
 	}
@@ -434,42 +399,24 @@ bool SHA1Val::DoUnserialize(const broker::data& data)
 		return true;
 		}
 
+	if ( (*d).size() != 2 )
+		return false;
+
+	auto s = caf::get_if<std::string>(&(*d)[1]);
+	if ( ! s )
+		return false;
+
+	if ( sizeof(ctx) != s->size() )
+		return false;
+
 	Init();
-	SHA_CTX* md = (SHA_CTX*)EVP_MD_CTX_md_data(ctx);
-
-	if ( ! get_vector_idx<uint64_t>(*d, 1, &md->h0) )
-		return false;
-	if ( ! get_vector_idx<uint64_t>(*d, 2, &md->h1) )
-		return false;
-	if ( ! get_vector_idx<uint64_t>(*d, 3, &md->h2) )
-		return false;
-	if ( ! get_vector_idx<uint64_t>(*d, 4, &md->h3) )
-		return false;
-	if ( ! get_vector_idx<uint64_t>(*d, 5, &md->h4) )
-		return false;
-	if ( ! get_vector_idx<uint64_t>(*d, 6, &md->Nl) )
-		return false;
-	if ( ! get_vector_idx<uint64_t>(*d, 7, &md->Nh) )
-		return false;
-	if ( ! get_vector_idx<uint64_t>(*d, 8, &md->num) )
-		return false;
-
-	for ( int i = 0; i < SHA_LBLOCK; ++i )
-		{
-		if ( ! get_vector_idx<uint64_t>(*d, 9 + i, &md->data[i]) )
-			return false;
-		}
-
+	memcpy(&ctx, s->data(), s->size());
 	return true;
 	}
 
 SHA256Val::SHA256Val() : HashVal(sha256_type) { }
 
-SHA256Val::~SHA256Val()
-	{
-	if ( IsValid() )
-		EVP_MD_CTX_free(ctx);
-	}
+SHA256Val::~SHA256Val() { }
 
 ValPtr SHA256Val::DoClone(CloneState* state)
 	{
@@ -480,7 +427,7 @@ ValPtr SHA256Val::DoClone(CloneState* state)
 		if ( ! out->Init() )
 			return nullptr;
 
-		EVP_MD_CTX_copy_ex(out->ctx, ctx);
+		out->ctx = ctx;
 		}
 
 	return state->NewClone(this, std::move(out));
@@ -489,7 +436,7 @@ ValPtr SHA256Val::DoClone(CloneState* state)
 bool SHA256Val::DoInit()
 	{
 	assert(! IsValid());
-	ctx = detail::hash_init(detail::Hash_SHA256);
+	SHA256_Init(&ctx);
 	return true;
 	}
 
@@ -498,7 +445,7 @@ bool SHA256Val::DoFeed(const void* data, size_t size)
 	if ( ! IsValid() )
 		return false;
 
-	detail::hash_update(ctx, data, size);
+	SHA256_Update(&ctx, data, size);
 	return true;
 	}
 
@@ -508,7 +455,7 @@ StringValPtr SHA256Val::DoGet()
 		return val_mgr->EmptyString();
 
 	u_char digest[SHA256_DIGEST_LENGTH];
-	detail::hash_final(ctx, digest);
+	SHA256_Final(digest, &ctx);
 	return make_intrusive<StringVal>(detail::sha256_digest_print(digest));
 	}
 
@@ -519,16 +466,9 @@ broker::expected<broker::data> SHA256Val::DoSerialize() const
 	if ( ! IsValid() )
 		return {broker::vector{false}};
 
-	SHA256_CTX* md = (SHA256_CTX*)EVP_MD_CTX_md_data(ctx);
+	auto data = std::string(reinterpret_cast<const char*>(&ctx), sizeof(ctx));
 
-	broker::vector d = {true, static_cast<uint64_t>(md->Nl), static_cast<uint64_t>(md->Nh),
-	                    static_cast<uint64_t>(md->num), static_cast<uint64_t>(md->md_len)};
-
-	for ( int i = 0; i < 8; ++i )
-		d.emplace_back(static_cast<uint64_t>(md->h[i]));
-
-	for ( int i = 0; i < SHA_LBLOCK; ++i )
-		d.emplace_back(static_cast<uint64_t>(md->data[i]));
+	broker::vector d = {true, data};
 
 	return {std::move(d)};
 	}
@@ -549,30 +489,18 @@ bool SHA256Val::DoUnserialize(const broker::data& data)
 		return true;
 		}
 
+	if ( (*d).size() != 2 )
+		return false;
+
+	auto s = caf::get_if<std::string>(&(*d)[1]);
+	if ( ! s )
+		return false;
+
+	if ( sizeof(ctx) != s->size() )
+		return false;
+
 	Init();
-	SHA256_CTX* md = (SHA256_CTX*)EVP_MD_CTX_md_data(ctx);
-
-	if ( ! get_vector_idx<uint64_t>(*d, 1, &md->Nl) )
-		return false;
-	if ( ! get_vector_idx<uint64_t>(*d, 2, &md->Nh) )
-		return false;
-	if ( ! get_vector_idx<uint64_t>(*d, 3, &md->num) )
-		return false;
-	if ( ! get_vector_idx<uint64_t>(*d, 4, &md->md_len) )
-		return false;
-
-	for ( int i = 0; i < 8; ++i )
-		{
-		if ( ! get_vector_idx<uint64_t>(*d, 5 + i, &md->h[i]) )
-			return false;
-		}
-
-	for ( int i = 0; i < SHA_LBLOCK; ++i )
-		{
-		if ( ! get_vector_idx<uint64_t>(*d, 13 + i, &md->data[i]) )
-			return false;
-		}
-
+	memcpy(&ctx, s->data(), s->size());
 	return true;
 	}
 
diff --git a/src/OpaqueVal.h b/src/OpaqueVal.h
index e790a31533..c02dce0691 100644
--- a/src/OpaqueVal.h
+++ b/src/OpaqueVal.h
@@ -3,6 +3,7 @@
 #pragma once
 
 #include <broker/expected.hh>
+#include <openssl/md5.h>
 #include <paraglob/paraglob.h>
 #include <sys/types.h> // for u_char
 
@@ -245,7 +246,7 @@ protected:
 
 	DECLARE_OPAQUE_VALUE(MD5Val)
 private:
-	EVP_MD_CTX* ctx;
+	MD5_CTX ctx;
 	};
 
 class SHA1Val : public HashVal
@@ -270,7 +271,7 @@ protected:
 
 	DECLARE_OPAQUE_VALUE(SHA1Val)
 private:
-	EVP_MD_CTX* ctx;
+	SHA_CTX ctx;
 	};
 
 class SHA256Val : public HashVal
@@ -295,7 +296,7 @@ protected:
 
 	DECLARE_OPAQUE_VALUE(SHA256Val)
 private:
-	EVP_MD_CTX* ctx;
+	SHA256_CTX ctx;
 	};
 
 class EntropyVal : public OpaqueVal

From 1dd6c1d716625ba47bbbf42a65deba364f24f9f3 Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Tue, 16 Nov 2021 15:02:05 -0800
Subject: [PATCH 069/210] Clean up fully after successful Docker btests

If we leave files sitting around, we trigger a Docker image double-build in CI,
because the build runs once, gets tested, and then gets run again when we push
the Docker image: the additional btest files cause Docker to detect a different
source tree, causing an image layer violation.

Also rename "cleanup" target to "clean", to align with rest of our tree.
---
 docker/btest/Makefile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/docker/btest/Makefile b/docker/btest/Makefile
index 65d4d65c98..30d0348a72 100644
--- a/docker/btest/Makefile
+++ b/docker/btest/Makefile
@@ -1,11 +1,11 @@
 DIAG=diag.log
 BTEST=../../auxil/btest/btest
 
-all: cleanup btest-verbose
+all: btest-verbose clean
 
 # Showing all tests.
 btest-verbose:
 	@$(BTEST) -d -j -f $(DIAG)
 
-cleanup:
-	@rm -f $(DIAG)
+clean:
+	@rm -rf $(DIAG) .tmp .btest.failed.dat

From 253d214126fe7837d9a2f7558441418d6f3fe4c1 Mon Sep 17 00:00:00 2001
From: Johanna Amann <johanna@corelight.com>
Date: Wed, 17 Nov 2021 12:59:27 +0000
Subject: [PATCH 070/210] OpenSSL 3: fix warnings and tests

This commit fixes the compile-time warnings that OpenSSL 3.0 raises for
our source-code. For the cases where this was necessary we now have two
implementations - one for OpenSSL 1.1 and earlier, and one for OpenSSL
3.0.

This also makes our testsuite pass with OpenSSL 3.0

Relates to GH-1379
---
 CMakeLists.txt                                |  3 +
 src/file_analysis/analyzer/x509/X509.cc       | 56 +++++++++++++++++--
 .../stdout-openssl-3.0                        | 19 +++++++
 .../base/protocols/ssl/x509_extensions.test   |  5 +-
 .../scripts/policy/misc/dump-events.zeek      |  4 ++
 5 files changed, 82 insertions(+), 5 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.ssl.x509_extensions/stdout-openssl-3.0

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 908c15a057..494cb2efa2 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -490,6 +490,9 @@ include(FindKqueue)
 if ( (OPENSSL_VERSION VERSION_EQUAL "1.1.0") OR (OPENSSL_VERSION VERSION_GREATER "1.1.0") )
   set(ZEEK_HAVE_OPENSSL_1_1 true CACHE INTERNAL "" FORCE)
 endif()
+if ( (OPENSSL_VERSION VERSION_EQUAL "3.0.0") OR (OPENSSL_VERSION VERSION_GREATER "3.0.0") )
+  set(ZEEK_HAVE_OPENSSL_3_0 true CACHE INTERNAL "" FORCE)
+endif()
 
 # Tell the plugin code that we're building as part of the main tree.
 set(ZEEK_PLUGIN_INTERNAL_BUILD true CACHE INTERNAL "" FORCE)
diff --git a/src/file_analysis/analyzer/x509/X509.cc b/src/file_analysis/analyzer/x509/X509.cc
index 2851c241ce..e5841cca33 100644
--- a/src/file_analysis/analyzer/x509/X509.cc
+++ b/src/file_analysis/analyzer/x509/X509.cc
@@ -11,6 +11,9 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 #include <string>
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#include <openssl/core_names.h>
+#endif
 
 #include "zeek/Event.h"
 #include "zeek/file_analysis/File.h"
@@ -204,9 +207,20 @@ RecordValPtr X509::ParseCertificate(X509Val* cert_val, file_analysis::File* f)
 			{
 			pX509Cert->Assign(9, "rsa");
 
-			const BIGNUM* e;
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+			const BIGNUM* e = nullptr;
 			RSA_get0_key(EVP_PKEY_get0_RSA(pkey), NULL, &e, NULL);
+#else
+			BIGNUM* e = nullptr;
+			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &e);
+#endif
 			char* exponent = BN_bn2dec(e);
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+			// the OpenSSL 3.0 API allocates a new bignum; earlier APIs give a direct pointer
+			// to the internal data structure that should not be freed.
+			BN_free(e);
+			e = nullptr;
+#endif
 			if ( exponent != NULL )
 				{
 				pX509Cert->Assign(11, exponent);
@@ -456,6 +470,7 @@ StringValPtr X509::KeyCurve(EVP_PKEY* key)
 		return nullptr;
 		}
 
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
 	const EC_GROUP* group;
 	int nid;
 	if ( (group = EC_KEY_get0_group(EVP_PKEY_get0_EC_KEY(key))) == NULL )
@@ -472,7 +487,14 @@ StringValPtr X509::KeyCurve(EVP_PKEY* key)
 		return nullptr;
 
 	return make_intrusive<StringVal>(curve_name);
-#endif
+#else
+	static char buf[256];
+	if ( ! EVP_PKEY_get_utf8_string_param(key, OSSL_PKEY_PARAM_GROUP_NAME, buf, 255, nullptr) )
+		return nullptr;
+
+	return make_intrusive<StringVal>(buf);
+#endif /* OPENSSL_VERSION_NUMBER */
+#endif /* OPENSSL_NO_EC */
 	}
 
 unsigned int X509::KeyLength(EVP_PKEY* key)
@@ -482,18 +504,40 @@ unsigned int X509::KeyLength(EVP_PKEY* key)
 	switch ( EVP_PKEY_base_id(key) )
 		{
 		case EVP_PKEY_RSA:
-			const BIGNUM* n;
+			{
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+			const BIGNUM* n = nullptr;
 			RSA_get0_key(EVP_PKEY_get0_RSA(key), &n, NULL, NULL);
 			return BN_num_bits(n);
+#else
+			BIGNUM* n = nullptr;
+			EVP_PKEY_get_bn_param(key, OSSL_PKEY_PARAM_RSA_N, &n);
+			auto num_bits = BN_num_bits(n);
+			BN_free(n);
+			return num_bits;
+#endif
+			}
 
 		case EVP_PKEY_DSA:
+			{
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
 			const BIGNUM* p;
 			DSA_get0_pqg(EVP_PKEY_get0_DSA(key), &p, NULL, NULL);
 			return BN_num_bits(p);
+#else
+			BIGNUM* p = nullptr;
+			EVP_PKEY_get_bn_param(key, OSSL_PKEY_PARAM_FFC_P, &p);
+			auto num_bits = BN_num_bits(p);
+			BN_free(p);
+			return num_bits;
+#endif
+			}
 
 #ifndef OPENSSL_NO_EC
+
 		case EVP_PKEY_EC:
 			{
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
 			BIGNUM* ec_order = BN_new();
 			if ( ! ec_order )
 				// could not malloc bignum?
@@ -514,12 +558,16 @@ unsigned int X509::KeyLength(EVP_PKEY* key)
 				BN_free(ec_order);
 				return 0;
 				}
+#else
+			BIGNUM* ec_order = nullptr;
+			EVP_PKEY_get_bn_param(key, OSSL_PKEY_PARAM_EC_ORDER, &ec_order);
+#endif /* OPENSSL_VERSION_NUMBER */
 
 			unsigned int length = BN_num_bits(ec_order);
 			BN_free(ec_order);
 			return length;
 			}
-#endif
+#endif /* OPENSSL_NO_EC */
 		default:
 			return 0; // unknown public key type
 		}
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.x509_extensions/stdout-openssl-3.0 b/testing/btest/Baseline/scripts.base.protocols.ssl.x509_extensions/stdout-openssl-3.0
new file mode 100644
index 0000000000..07a33c12a0
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.x509_extensions/stdout-openssl-3.0
@@ -0,0 +1,19 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=3F:D5:B5:D0:D6:44:79:50:4A:17:A3:9B:8C:4A:DC:B8:B0:22:64:6B]
+[name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=A2:76:09:20:A8:40:FD:A1:AC:C8:E9:35:B9:11:A6:61:FF:8C:FF:A3]
+[name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]
+[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]
+[name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]
+[name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.3.6.1.4.1.6449.1.2.1.3.4\x0a  CPS: https://secure.comodo.com/CPS]
+[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=CA Issuers - URI:http://crt.comodoca.com/COMODOHigh-AssuranceSecureServerCA.crt\x0aOCSP - URI:http://ocsp.comodoca.com]
+[name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.taleo.net, DNS:taleo.net]
+[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A]
+[name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=3F:D5:B5:D0:D6:44:79:50:4A:17:A3:9B:8C:4A:DC:B8:B0:22:64:6B]
+[name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]
+[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]
+[name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: X509v3 Any Policy]
+[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=CA Issuers - URI:http://crt.usertrust.com/AddTrustExternalCARoot.p7c\x0aCA Issuers - URI:http://crt.usertrust.com/AddTrustUTNSGCCA.crt\x0aOCSP - URI:http://ocsp.usertrust.com]
+[name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A]
+[name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=F, value=Certificate Sign, CRL Sign]
+[name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE]
+[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A\x0aDirName:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root\x0aserial:01]
diff --git a/testing/btest/scripts/base/protocols/ssl/x509_extensions.test b/testing/btest/scripts/base/protocols/ssl/x509_extensions.test
index 3cf04ab513..f2726f3e7d 100644
--- a/testing/btest/scripts/base/protocols/ssl/x509_extensions.test
+++ b/testing/btest/scripts/base/protocols/ssl/x509_extensions.test
@@ -1,5 +1,8 @@
 # @TEST-EXEC: zeek -b -r $TRACES/tls/tls1.2.trace %INPUT
-# @TEST-EXEC: btest-diff .stdout
+# This is a hack to get around the fact that the output format changed between OpenSSL 1.1 and OpenSS:
+# 3.0.
+# @TEST-EXEC: cp .stdout stdout-openssl-3.0
+# @TEST-EXEC: grep -q "^ZEEK_HAVE_OPENSSL_3_0.*true" $BUILD/CMakeCache.txt && btest-diff stdout-openssl-3.0 || btest-diff .stdout
 
 @load base/protocols/ssl
 @load base/files/x509
diff --git a/testing/btest/scripts/policy/misc/dump-events.zeek b/testing/btest/scripts/policy/misc/dump-events.zeek
index 68ee932b78..70f47a2907 100644
--- a/testing/btest/scripts/policy/misc/dump-events.zeek
+++ b/testing/btest/scripts/policy/misc/dump-events.zeek
@@ -1,3 +1,7 @@
+# Skip this test for OpenSSL 3.0 at the moment. We will switch it to only OpenSSL 3.0, once
+# a majority of distributions use is.
+# @TEST-REQUIRES: grep -q "^ZEEK_HAVE_OPENSSL_3_0.*true" $BUILD/CMakeCache.txt && test $? != 0
+
 # @TEST-EXEC: zeek -r $TRACES/smtp.trace policy/misc/dump-events %INPUT >all-events.log
 # @TEST-EXEC: zeek -r $TRACES/smtp.trace policy/misc/dump-events %INPUT DumpEvents::include_args=F >all-events-no-args.log
 # @TEST-EXEC: zeek -r $TRACES/smtp.trace policy/misc/dump-events %INPUT DumpEvents::include=/smtp_/ >smtp-events.log

From ce38b5a05629f3ba06aeee5f9ad344d1cba8ae6c Mon Sep 17 00:00:00 2001
From: Johanna Amann <johanna@corelight.com>
Date: Wed, 17 Nov 2021 13:18:04 +0000
Subject: [PATCH 071/210] Add OpenSSL 3.0 CI test

---
 .cirrus.yml               | 12 ++++++++++++
 ci/openssl-3.0/Dockerfile | 35 +++++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+)
 create mode 100644 ci/openssl-3.0/Dockerfile

diff --git a/.cirrus.yml b/.cirrus.yml
index 3b0b6bc8d9..c6cc08954b 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -14,6 +14,7 @@ config: &CONFIG --build-type=release --enable-cpp-tests --disable-broker-tests -
 static_config: &STATIC_CONFIG --build-type=release --enable-cpp-tests --disable-broker-tests --enable-static-broker --enable-static-binpac --prefix=$CIRRUS_WORKING_DIR/install
 sanitizer_config: &SANITIZER_CONFIG --build-type=debug --enable-cpp-tests --disable-broker-tests --sanitizers=address,undefined --enable-fuzzers --enable-coverage
 mobile_ipv6_config: &MOBILE_IPV6_CONFIG --build-type=release --enable-cpp-tests --enable-mobile-ipv6 --disable-broker-tests --prefix=$CIRRUS_WORKING_DIR/install
+openssl30_config: &OPENSSL30_CONFIG --build-type=release --enable-cpp-tests  --disable-broker-tests --with-openssl=/opt/openssl --prefix=$CIRRUS_WORKING_DIR/install
 
 resources_template: &RESOURCES_TEMPLATE
   cpu: *CPUS
@@ -268,6 +269,17 @@ freebsd12_task:
   prepare_script: ./ci/freebsd/prepare.sh
   << : *CI_TEMPLATE
 
+# This can be removed as soon as the first distribution that we use ships
+# OpenSSL 3.0
+openssl30_task:
+  container:
+    # Tweaked Ubuntu 20.04 EOL: April 2025
+    dockerfile: ci/openssl-3.0/Dockerfile
+    << : *RESOURCES_TEMPLATE
+  << : *CI_TEMPLATE
+  env:
+    ZEEK_CI_CONFIGURE_FLAGS: *OPENSSL30_CONFIG
+
 sanitizer_task:
   container:
     # Just uses a recent/common distro to run memory error/leak checks.
diff --git a/ci/openssl-3.0/Dockerfile b/ci/openssl-3.0/Dockerfile
new file mode 100644
index 0000000000..3fa5873699
--- /dev/null
+++ b/ci/openssl-3.0/Dockerfile
@@ -0,0 +1,35 @@
+FROM ubuntu:20.04
+
+ENV DEBIAN_FRONTEND="noninteractive" TZ="America/Los_Angeles"
+
+RUN apt-get update && apt-get -y install \
+    git \
+    cmake \
+    make \
+    gcc \
+    g++ \
+    flex \
+    bison \
+    libpcap-dev \
+    libssl-dev \
+    python3 \
+    python3-dev \
+    python3-pip\
+    swig \
+    zlib1g-dev \
+    libmaxminddb-dev \
+    libkrb5-dev \
+    bsdmainutils \
+    sqlite3 \
+    curl \
+    wget \
+    unzip \
+    ruby \
+    bc \
+    lcov \
+  && rm -rf /var/lib/apt/lists/*
+
+RUN wget https://www.openssl.org/source/openssl-3.0.0.tar.gz && tar xvf ./openssl-3.0.0.tar.gz && cd ./openssl-3.0.0 && ./Configure --prefix=/opt/openssl && make install && cd .. && rm -rf openssl-3.0.0
+
+RUN pip3 install junit2html
+RUN gem install coveralls-lcov

From 0dc8dfacb7bb5da64c2eb8e4f0f4ea4e80e3cab3 Mon Sep 17 00:00:00 2001
From: Johanna Amann <johanna@corelight.com>
Date: Wed, 17 Nov 2021 14:57:23 +0000
Subject: [PATCH 072/210] Make cmake & ci like OpenSSL 3.0

Older cmake versions have problems with the version number. When
installing OpenSSL on a 64 bit linux one also needs to create an
additional symlink to get cmake to use the correct library.
---
 ci/openssl-3.0/Dockerfile | 3 ++-
 cmake                     | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/ci/openssl-3.0/Dockerfile b/ci/openssl-3.0/Dockerfile
index 3fa5873699..321afae31d 100644
--- a/ci/openssl-3.0/Dockerfile
+++ b/ci/openssl-3.0/Dockerfile
@@ -29,7 +29,8 @@ RUN apt-get update && apt-get -y install \
     lcov \
   && rm -rf /var/lib/apt/lists/*
 
-RUN wget https://www.openssl.org/source/openssl-3.0.0.tar.gz && tar xvf ./openssl-3.0.0.tar.gz && cd ./openssl-3.0.0 && ./Configure --prefix=/opt/openssl && make install && cd .. && rm -rf openssl-3.0.0
+# Note - the symlink is important, otherwise cmake uses the wrong .so files.
+RUN wget https://www.openssl.org/source/openssl-3.0.0.tar.gz && tar xvf ./openssl-3.0.0.tar.gz && cd ./openssl-3.0.0 && ./Configure --prefix=/opt/openssl && make install && cd .. && rm -rf openssl-3.0.0 && ln -sf /opt/openssl/lib64 /opt/openssl/lib
 
 RUN pip3 install junit2html
 RUN gem install coveralls-lcov
diff --git a/cmake b/cmake
index 654400c9ff..40458aa1e1 160000
--- a/cmake
+++ b/cmake
@@ -1 +1 @@
-Subproject commit 654400c9ffed760140f594603737c5e8750306ff
+Subproject commit 40458aa1e143b69a96ec8558e503a6f5fa79a592

From ff0bc86021a7983c9dcdeff4d8c77b1d712aa2ea Mon Sep 17 00:00:00 2001
From: Johanna Amann <johanna@corelight.com>
Date: Wed, 17 Nov 2021 17:21:21 +0000
Subject: [PATCH 073/210] OpenSSL 3: normalize self-signed-cert error message

The message changed between OpenSSL 1.1 and 3.0 - we just use the old
one to not mess up the external test baselines.
---
 src/file_analysis/analyzer/x509/functions.bif | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/file_analysis/analyzer/x509/functions.bif b/src/file_analysis/analyzer/x509/functions.bif
index 2a41969e21..d288cb2147 100644
--- a/src/file_analysis/analyzer/x509/functions.bif
+++ b/src/file_analysis/analyzer/x509/functions.bif
@@ -628,7 +628,12 @@ function x509_verify%(certs: x509_opaque_vector, root_certs: table_string_of_str
 
 x509_verify_chainerror:
 
-	auto rrecord = x509_result_record(X509_STORE_CTX_get_error(csc), X509_verify_cert_error_string(X509_STORE_CTX_get_error(csc)), std::move(chainVector));
+	auto error_string = X509_verify_cert_error_string(X509_STORE_CTX_get_error(csc));
+	// this string representation changed between OpenSSL 1 and 3 and messes up our test baselines.
+	if ( X509_STORE_CTX_get_error(csc) == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT )
+		error_string = "self signed certificate";
+
+	auto rrecord = x509_result_record(X509_STORE_CTX_get_error(csc), error_string, std::move(chainVector));
 
 	X509_STORE_CTX_cleanup(csc);
 	X509_STORE_CTX_free(csc);

From 67cbec91231e45b987c9a0481679d06281ea0eaf Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Wed, 17 Nov 2021 16:42:04 -0800
Subject: [PATCH 074/210] Update cmake and aux/zeek-aux submodules [nomail]
 [skip ci]

---
 auxil/zeek-aux | 2 +-
 cmake          | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/auxil/zeek-aux b/auxil/zeek-aux
index 00ec86d2da..b47e31916b 160000
--- a/auxil/zeek-aux
+++ b/auxil/zeek-aux
@@ -1 +1 @@
-Subproject commit 00ec86d2dad3c2d23438431a3ccb07e11dc59543
+Subproject commit b47e31916b79f776b57a0d36da680d2d14eed597
diff --git a/cmake b/cmake
index 654400c9ff..1607f0a3cb 160000
--- a/cmake
+++ b/cmake
@@ -1 +1 @@
-Subproject commit 654400c9ffed760140f594603737c5e8750306ff
+Subproject commit 1607f0a3cbcc6b1f8fb27f1222c0cf8ee14448f1

From 0b517c01e049f9e74381db6c4449f97c8a95b55f Mon Sep 17 00:00:00 2001
From: Johanna Amann <johanna@corelight.com>
Date: Thu, 18 Nov 2021 07:44:01 +0000
Subject: [PATCH 075/210] Update cmake submodule for OpenSSL 3.0 changes

---
 cmake | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cmake b/cmake
index 40458aa1e1..9b6b9fe5cc 160000
--- a/cmake
+++ b/cmake
@@ -1 +1 @@
-Subproject commit 40458aa1e143b69a96ec8558e503a6f5fa79a592
+Subproject commit 9b6b9fe5cc454949493dc24c782917f19b41b6ce

From 8e77e3e92cc7fd8a18ab6d1caa700d23baf87cc1 Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Thu, 18 Nov 2021 08:56:24 -0800
Subject: [PATCH 076/210] efficiency fix - return a reference rather than a
 copy of a map

---
 src/script_opt/CPP/Compile.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/script_opt/CPP/Compile.h b/src/script_opt/CPP/Compile.h
index 7974c9206a..16f9312b89 100644
--- a/src/script_opt/CPP/Compile.h
+++ b/src/script_opt/CPP/Compile.h
@@ -186,7 +186,7 @@ public:
 	// Returns a mapping of from Attr objects to their associated
 	// initialization information.  The Attr must have previously
 	// been registered.
-	auto ProcessedAttr() { return processed_attr; }
+	auto& ProcessedAttr() { return processed_attr; }
 
 	// True if the given expression is simple enough that we can
 	// generate code to evaluate it directly, and don't need to

From 6f82c1610e4378907dd89e9f0b6dd18ad34c42a7 Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Thu, 18 Nov 2021 08:57:03 -0800
Subject: [PATCH 077/210] remove unused local variables

---
 src/script_opt/CPP/InitsInfo.cc | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/src/script_opt/CPP/InitsInfo.cc b/src/script_opt/CPP/InitsInfo.cc
index 4eb670de37..eab425d658 100644
--- a/src/script_opt/CPP/InitsInfo.cc
+++ b/src/script_opt/CPP/InitsInfo.cc
@@ -126,9 +126,6 @@ void CPP_BasicConstInitsInfo::BuildCohortElement(CPPCompile* c, string init_type
 
 string CPP_InitInfo::ValElem(CPPCompile* c, ValPtr v)
 	{
-	string init_type;
-	string init_args;
-
 	if ( v )
 		{
 		int consts_offset;
@@ -246,8 +243,6 @@ void FuncConstInfo::InitializerVals(std::vector<std::string>& ivs) const
 	ivs.emplace_back(Fmt(type));
 	ivs.emplace_back(Fmt(c->TrackString(fn)));
 
-	string hashes;
-
 	if ( ! c->NotFullyCompilable(fn) )
 		{
 		const auto& bodies = f->GetBodies();

From ffbbacd3b18761ab704e650d58fa5e2c760b1f04 Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Thu, 18 Nov 2021 08:58:04 -0800
Subject: [PATCH 078/210] switch looping over vectors to use iterators

---
 src/script_opt/CPP/RuntimeInits.cc | 97 ++++++++++++++----------------
 1 file changed, 46 insertions(+), 51 deletions(-)

diff --git a/src/script_opt/CPP/RuntimeInits.cc b/src/script_opt/CPP/RuntimeInits.cc
index 739ed9a4d9..4f52171ffe 100644
--- a/src/script_opt/CPP/RuntimeInits.cc
+++ b/src/script_opt/CPP/RuntimeInits.cc
@@ -57,13 +57,10 @@ template <class T>
 void CPP_IndexedInits<T>::Generate(InitsManager* im, std::vector<ListValPtr>& ivec, int offset,
                                    ValElemVec& init_vals) const
 	{
-	auto n = init_vals.size();
-	auto i = 0U;
-
 	auto l = make_intrusive<ListVal>(TYPE_ANY);
 
-	while ( i < n )
-		l->Append(im->ConstVals(init_vals[i++]));
+	for ( auto& iv : init_vals )
+		l->Append(im->ConstVals(iv));
 
 	ivec[offset] = l;
 	}
@@ -72,15 +69,15 @@ template <class T>
 void CPP_IndexedInits<T>::Generate(InitsManager* im, std::vector<VectorValPtr>& ivec, int offset,
                                    ValElemVec& init_vals) const
 	{
-	auto n = init_vals.size();
-	auto i = 0U;
-	auto t = init_vals[i++];
+	auto iv_it = init_vals.begin();
+	auto iv_end = init_vals.end();
+	auto t = *(iv_it++);
 
 	auto vt = cast_intrusive<VectorType>(im->Types(t));
 	auto vv = make_intrusive<VectorVal>(vt);
 
-	while ( i < n )
-		vv->Append(im->ConstVals(init_vals[i++]));
+	while ( iv_it != iv_end )
+		vv->Append(im->ConstVals(*(iv_it++)));
 
 	ivec[offset] = vv;
 	}
@@ -89,19 +86,20 @@ template <class T>
 void CPP_IndexedInits<T>::Generate(InitsManager* im, std::vector<RecordValPtr>& ivec, int offset,
                                    ValElemVec& init_vals) const
 	{
-	auto n = init_vals.size();
-	auto i = 0U;
-	auto t = init_vals[i++];
+	auto iv_it = init_vals.begin();
+	auto iv_end = init_vals.end();
+	auto t = *(iv_it++);
 
 	auto rt = cast_intrusive<RecordType>(im->Types(t));
 	auto rv = make_intrusive<RecordVal>(rt);
 
-	while ( i < n )
+	auto field = 0;
+	while ( iv_it != iv_end )
 		{
-		auto v = init_vals[i];
+		auto v = *(iv_it++);
 		if ( v >= 0 )
-			rv->Assign(i - 1, im->ConstVals(v));
-		++i;
+			rv->Assign(field, im->ConstVals(v));
+		++field;
 		}
 
 	ivec[offset] = rv;
@@ -111,17 +109,17 @@ template <class T>
 void CPP_IndexedInits<T>::Generate(InitsManager* im, std::vector<TableValPtr>& ivec, int offset,
                                    ValElemVec& init_vals) const
 	{
-	auto n = init_vals.size();
-	auto i = 0U;
-	auto t = init_vals[i++];
+	auto iv_it = init_vals.begin();
+	auto iv_end = init_vals.end();
+	auto t = *(iv_it++);
 
 	auto tt = cast_intrusive<TableType>(im->Types(t));
 	auto tv = make_intrusive<TableVal>(tt);
 
-	while ( i < n )
+	while ( iv_it != iv_end )
 		{
-		auto index = im->ConstVals(init_vals[i++]);
-		auto v = init_vals[i++];
+		auto index = im->ConstVals(*(iv_it++));
+		auto v = *(iv_it++);
 		auto value = v >= 0 ? im->ConstVals(v) : nullptr;
 		tv->Assign(index, value);
 		}
@@ -133,11 +131,9 @@ template <class T>
 void CPP_IndexedInits<T>::Generate(InitsManager* im, std::vector<FileValPtr>& ivec, int offset,
                                    ValElemVec& init_vals) const
 	{
-	auto n = init_vals.size();
-	auto i = 0U;
-	auto t = init_vals[i++]; // not used
-
-	auto fn = im->Strings(init_vals[i++]);
+	// Note, in the following we use element 1, not 0, because we
+	// don't need the "type" value in element 0.
+	auto fn = im->Strings(init_vals[1]);
 	auto fv = make_intrusive<FileVal>(make_intrusive<File>(fn, "w"));
 
 	ivec[offset] = fv;
@@ -147,16 +143,15 @@ template <class T>
 void CPP_IndexedInits<T>::Generate(InitsManager* im, std::vector<FuncValPtr>& ivec, int offset,
                                    ValElemVec& init_vals) const
 	{
-	auto n = init_vals.size();
-	auto i = 0U;
-	auto t = init_vals[i++];
-
-	auto fn = im->Strings(init_vals[i++]);
+	auto iv_it = init_vals.begin();
+	auto iv_end = init_vals.end();
+	auto t = *(iv_it++);
+	auto fn = im->Strings(*(iv_it++));
 
 	std::vector<p_hash_type> hashes;
 
-	while ( i < n )
-		hashes.push_back(im->Hashes(init_vals[i++]));
+	while ( iv_it != iv_end )
+		hashes.push_back(im->Hashes(*(iv_it++)));
 
 	ivec[offset] = lookup_func__CPP(fn, hashes, im->Types(t));
 	}
@@ -211,12 +206,10 @@ template <class T>
 void CPP_IndexedInits<T>::Generate(InitsManager* im, std::vector<AttributesPtr>& ivec, int offset,
                                    ValElemVec& init_vals) const
 	{
-	auto n = init_vals.size();
-	auto i = 0U;
-
 	std::vector<AttrPtr> a_list;
-	while ( i < n )
-		a_list.emplace_back(im->Attrs(init_vals[i++]));
+
+	for ( auto& iv : init_vals )
+		a_list.emplace_back(im->Attrs(iv));
 
 	ivec[offset] = make_intrusive<Attributes>(a_list, nullptr, false, false);
 	}
@@ -333,18 +326,18 @@ void CPP_TypeInits::Generate(InitsManager* im, vector<TypePtr>& ivec, int offset
 
 TypePtr CPP_TypeInits::BuildEnumType(InitsManager* im, ValElemVec& init_vals) const
 	{
-	auto name = im->Strings(init_vals[1]);
+	auto iv_it = init_vals.begin();
+	auto iv_end = init_vals.end();
+	auto name = im->Strings(*++iv_it); // skip element [0]
 	auto et = get_enum_type__CPP(name);
 
 	if ( et->Names().empty() )
 		{
-		auto n = init_vals.size();
-		auto i = 2U;
-
-		while ( i < n )
+		++iv_it;
+		while ( iv_it != iv_end )
 			{
-			auto e_name = im->Strings(init_vals[i++]);
-			auto e_val = init_vals[i++];
+			auto e_name = im->Strings(*(iv_it++));
+			auto e_val = *(iv_it++);
 			et->AddNameInternal(e_name, e_val);
 			}
 		}
@@ -374,11 +367,13 @@ TypePtr CPP_TypeInits::BuildTypeList(InitsManager* im, ValElemVec& init_vals, in
 	{
 	const auto& tl = cast_intrusive<TypeList>(inits_vec[offset]);
 
-	auto n = init_vals.size();
-	auto i = 1U;
+	auto iv_it = init_vals.begin();
+	auto iv_end = init_vals.end();
 
-	while ( i < n )
-		tl->Append(im->Types(init_vals[i++]));
+	++iv_it;
+
+	while ( iv_it != iv_end )
+		tl->Append(im->Types(*(iv_it++)));
 
 	return tl;
 	}

From ee28e3e8b10d2b3bb1534646fbe1e02194fa0b1a Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Thu, 18 Nov 2021 17:09:40 -0800
Subject: [PATCH 079/210] Update doc and auxil/zeek-aux submodules [nomail]
 [skip ci]

---
 auxil/zeek-aux | 2 +-
 doc            | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/auxil/zeek-aux b/auxil/zeek-aux
index b47e31916b..9100b9d524 160000
--- a/auxil/zeek-aux
+++ b/auxil/zeek-aux
@@ -1 +1 @@
-Subproject commit b47e31916b79f776b57a0d36da680d2d14eed597
+Subproject commit 9100b9d524dddfade02f1b4fceb54265a113b68c
diff --git a/doc b/doc
index 834027ec7c..43e7a5d288 160000
--- a/doc
+++ b/doc
@@ -1 +1 @@
-Subproject commit 834027ec7c6463aa37c1d8233b0ef0052b2ebf0a
+Subproject commit 43e7a5d288e0dd60d4113a8ef8f42ec8df4e080e

From f6a9dc416e60833ce80f96051eef3112f5b0e8ff Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Thu, 18 Nov 2021 17:25:36 -0800
Subject: [PATCH 080/210] Updates to NEWS to cover recent additions. [nomail]
 [skip ci]

---
 NEWS | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/NEWS b/NEWS
index ca92bc610e..053314904a 100644
--- a/NEWS
+++ b/NEWS
@@ -49,6 +49,12 @@ New Functionality
 - A new command-line option ``-c`` or ``--capture-unprocessed`` will dump any
   packets not marked as being processed, similar to the new hook and event above.
 
+- In Zeek plugins, the new cmake function ``zeek_plugin_scripts()`` should be
+  used alongside ``zeek_plugin_cc()`` and related functions to establish
+  dependency tracking between Zeek scripts shipped with the plugin and plugin
+  rebuilds.  Previously, updates to included Zeek scripts didn't reliably
+  trigger a rebuild.
+
 Changed Functionality
 ---------------------
 
@@ -64,6 +70,10 @@ Changed Functionality
 - The ``SYN_packet`` record now records TCP timestamps (TSval/TSecr)
   when available.
 
+- The ``init-plugin`` script now focuses purely on dynamic Zeek plugins. It no
+  longer generates Zeek packages. To instantiate new Zeek packages, use the
+  ``zkg create`` command instead.
+
 Removed Functionality
 ---------------------
 

From 735d584d9fde6c83e4d94ad5a07433be3b4b6258 Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Mon, 22 Nov 2021 10:55:38 -0800
Subject: [PATCH 081/210] const-ify member function

---
 src/script_opt/CPP/Compile.h    | 2 +-
 src/script_opt/CPP/InitsInfo.cc | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/script_opt/CPP/Compile.h b/src/script_opt/CPP/Compile.h
index 16f9312b89..033ed4fa67 100644
--- a/src/script_opt/CPP/Compile.h
+++ b/src/script_opt/CPP/Compile.h
@@ -186,7 +186,7 @@ public:
 	// Returns a mapping of from Attr objects to their associated
 	// initialization information.  The Attr must have previously
 	// been registered.
-	auto& ProcessedAttr() { return processed_attr; }
+	auto& ProcessedAttr() const { return processed_attr; }
 
 	// True if the given expression is simple enough that we can
 	// generate code to evaluate it directly, and don't need to
diff --git a/src/script_opt/CPP/InitsInfo.cc b/src/script_opt/CPP/InitsInfo.cc
index eab425d658..f02f7f04b2 100644
--- a/src/script_opt/CPP/InitsInfo.cc
+++ b/src/script_opt/CPP/InitsInfo.cc
@@ -309,7 +309,7 @@ AttrsInfo::AttrsInfo(CPPCompile* _c, const AttributesPtr& _attrs) : CompoundItem
 	for ( const auto& a : _attrs->GetAttrs() )
 		{
 		ASSERT(c->ProcessedAttr().count(a.get()) > 0);
-		auto gi = c->ProcessedAttr()[a.get()];
+		const auto& gi = c->ProcessedAttr().at(a.get());
 		init_cohort = max(init_cohort, gi->InitCohort() + 1);
 		vals.emplace_back(Fmt(gi->Offset()));
 		}

From 84423369b4f8eb4134ef7cea6338e52dca6c578e Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Mon, 22 Nov 2021 15:28:15 -0800
Subject: [PATCH 082/210] use iterator-based idiom for
 check-if-present-then-access

---
 src/script_opt/CPP/Attrs.cc              | 10 +++++----
 src/script_opt/CPP/Compile.h             | 28 ++++++++++++++----------
 src/script_opt/CPP/Consts.cc             | 12 +++++-----
 src/script_opt/CPP/Driver.cc             | 10 +++++----
 src/script_opt/CPP/Exprs.cc              | 23 ++++++++++---------
 src/script_opt/CPP/GenFunc.cc            | 10 +++++----
 src/script_opt/CPP/Inits.cc              | 10 +++++----
 src/script_opt/CPP/InitsInfo.cc          |  7 ++++--
 src/script_opt/CPP/RuntimeInitSupport.cc | 10 +++++----
 src/script_opt/CPP/Tracker.cc            |  5 +++--
 src/script_opt/CPP/Types.cc              |  5 +++--
 src/script_opt/CPP/Vars.cc               | 15 ++++++++-----
 12 files changed, 86 insertions(+), 59 deletions(-)

diff --git a/src/script_opt/CPP/Attrs.cc b/src/script_opt/CPP/Attrs.cc
index 6c2594be2d..437270a7d4 100644
--- a/src/script_opt/CPP/Attrs.cc
+++ b/src/script_opt/CPP/Attrs.cc
@@ -13,9 +13,10 @@ shared_ptr<CPP_InitInfo> CPPCompile::RegisterAttributes(const AttributesPtr& att
 		return nullptr;
 
 	auto a = attrs.get();
+	auto pa = processed_attrs.find(a);
 
-	if ( processed_attrs.count(a) > 0 )
-		return processed_attrs[a];
+	if ( pa != processed_attrs.end() )
+		return pa->second;
 
 	attributes.AddKey(attrs);
 
@@ -41,9 +42,10 @@ shared_ptr<CPP_InitInfo> CPPCompile::RegisterAttributes(const AttributesPtr& att
 shared_ptr<CPP_InitInfo> CPPCompile::RegisterAttr(const AttrPtr& attr)
 	{
 	auto a = attr.get();
+	auto pa = processed_attr.find(a);
 
-	if ( processed_attr.count(a) > 0 )
-		return processed_attr[a];
+	if ( pa != processed_attr.end() )
+		return pa->second;
 
 	const auto& e = a->GetExpr();
 	if ( e && ! IsSimpleInitExpr(e) )
diff --git a/src/script_opt/CPP/Compile.h b/src/script_opt/CPP/Compile.h
index 033ed4fa67..dbac78469b 100644
--- a/src/script_opt/CPP/Compile.h
+++ b/src/script_opt/CPP/Compile.h
@@ -212,26 +212,30 @@ public:
 	// an offset into the global vector that will hold these.
 	int TrackString(std::string s)
 		{
-		if ( tracked_strings.count(s) == 0 )
-			{
-			tracked_strings[s] = ordered_tracked_strings.size();
-			ordered_tracked_strings.emplace_back(s);
-			}
+		auto ts = tracked_strings.find(s);
+		if ( ts != tracked_strings.end() )
+			return ts->second;
 
-		return tracked_strings[s];
+		int offset = ordered_tracked_strings.size();
+		tracked_strings[s] = offset;
+		ordered_tracked_strings.emplace_back(s);
+
+		return offset;
 		}
 
 	// Tracks a profile hash value needed for initialization.  Returns
 	// an offset into the global vector that will hold these.
 	int TrackHash(p_hash_type h)
 		{
-		if ( tracked_hashes.count(h) == 0 )
-			{
-			tracked_hashes[h] = ordered_tracked_hashes.size();
-			ordered_tracked_hashes.emplace_back(h);
-			}
+		auto th = tracked_hashes.find(h);
+		if ( th != tracked_hashes.end() )
+			return th->second;
 
-		return tracked_hashes[h];
+		int offset = ordered_tracked_hashes.size();
+		tracked_hashes[h] = offset;
+		ordered_tracked_hashes.emplace_back(h);
+
+		return offset;
 		}
 
 	// Returns the hash associated with a given function body.
diff --git a/src/script_opt/CPP/Consts.cc b/src/script_opt/CPP/Consts.cc
index 30b758df99..c53f5b0395 100644
--- a/src/script_opt/CPP/Consts.cc
+++ b/src/script_opt/CPP/Consts.cc
@@ -17,12 +17,13 @@ shared_ptr<CPP_InitInfo> CPPCompile::RegisterConstant(const ValPtr& vp, int& con
 	cv_indices.push_back(vp);
 
 	auto v = vp.get();
+	auto cv = const_vals.find(v);
 
-	if ( const_vals.count(v) > 0 )
+	if ( cv != const_vals.end() )
 		{
 		// Already did this one.
 		consts_offset = const_offsets[v];
-		return const_vals[v];
+		return cv->second;
 		}
 
 	// Formulate a key that's unique per distinct constant.
@@ -50,11 +51,12 @@ shared_ptr<CPP_InitInfo> CPPCompile::RegisterConstant(const ValPtr& vp, int& con
 		c_desc = d.Description();
 		}
 
-	if ( constants.count(c_desc) > 0 )
+	auto c = constants.find(c_desc);
+	if ( c != constants.end() )
 		{
-		const_vals[v] = constants[c_desc];
+		const_vals[v] = c->second;
 		consts_offset = const_offsets[v] = constants_offsets[c_desc];
-		return const_vals[v];
+		return c->second;
 		}
 
 	auto tag = t->Tag();
diff --git a/src/script_opt/CPP/Driver.cc b/src/script_opt/CPP/Driver.cc
index 7e446a302f..dd7348ddca 100644
--- a/src/script_opt/CPP/Driver.cc
+++ b/src/script_opt/CPP/Driver.cc
@@ -258,8 +258,9 @@ void CPPCompile::RegisterCompiledBody(const string& f)
 
 	// Build up an initializer of the events relevant to the function.
 	string events;
-	if ( body_events.count(f) > 0 )
-		for ( const auto& e : body_events[f] )
+	auto be = body_events.find(f);
+	if ( be != body_events.end() )
+		for ( const auto& e : be->second )
 			{
 			if ( events.size() > 0 )
 				events += ", ";
@@ -278,8 +279,9 @@ void CPPCompile::RegisterCompiledBody(const string& f)
 		// same binary).
 		h = merge_p_hashes(h, p_hash(cf_locs[f]));
 
-	ASSERT(func_index.count(f) > 0);
-	auto type_signature = casting_index[func_index[f]];
+	auto fi = func_index.find(f);
+	ASSERT(fi != func_index.end());
+	auto type_signature = casting_index[fi->second];
 	Emit("\tCPP_RegisterBody(\"%s\", (void*) %s, %s, %s, %s, std::vector<std::string>(%s)),", f, f,
 	     Fmt(type_signature), Fmt(p), Fmt(h), events);
 	}
diff --git a/src/script_opt/CPP/Exprs.cc b/src/script_opt/CPP/Exprs.cc
index 3caf7805f3..dd3baa995c 100644
--- a/src/script_opt/CPP/Exprs.cc
+++ b/src/script_opt/CPP/Exprs.cc
@@ -1173,23 +1173,25 @@ string CPPCompile::GenField(const ExprPtr& rec, int field)
 	// Need to dynamically map the field.
 	int mapping_slot;
 
-	if ( record_field_mappings.count(rt) > 0 && record_field_mappings[rt].count(field) > 0 )
+	auto rfm = record_field_mappings.find(rt);
+	if ( rfm != record_field_mappings.end() && rfm->second.count(field) > 0 )
 		// We're already tracking this field.
-		mapping_slot = record_field_mappings[rt][field];
+		mapping_slot = rfm->second[field];
 
 	else
 		{
 		// New mapping.
 		mapping_slot = num_rf_mappings++;
 
-		ASSERT(processed_types.count(rt) > 0);
-		auto rt_offset = processed_types[rt]->Offset();
+		auto pt = processed_types.find(rt);
+		ASSERT(pt != processed_types.end());
+		auto rt_offset = pt->second->Offset();
 		string field_name = rt->FieldName(field);
 		field_decls.emplace_back(pair(rt_offset, rt->FieldDecl(field)));
 
-		if ( record_field_mappings.count(rt) > 0 )
+		if ( rfm != record_field_mappings.end() )
 			// We're already tracking this record.
-			record_field_mappings[rt][field] = mapping_slot;
+			rfm->second[field] = mapping_slot;
 		else
 			{
 			// Need to start tracking this record.
@@ -1214,9 +1216,10 @@ string CPPCompile::GenEnum(const TypePtr& t, const ValPtr& ev)
 	// Need to dynamically map the access.
 	int mapping_slot;
 
-	if ( enum_val_mappings.count(et) > 0 && enum_val_mappings[et].count(v) > 0 )
+	auto evm = enum_val_mappings.find(et);
+	if ( evm != enum_val_mappings.end() && evm->second.count(v) > 0 )
 		// We're already tracking this value.
-		mapping_slot = enum_val_mappings[et][v];
+		mapping_slot = evm->second[v];
 
 	else
 		{
@@ -1226,10 +1229,10 @@ string CPPCompile::GenEnum(const TypePtr& t, const ValPtr& ev)
 		string enum_name = et->Lookup(v);
 		enum_names.emplace_back(pair(TypeOffset(t), move(enum_name)));
 
-		if ( enum_val_mappings.count(et) > 0 )
+		if ( evm != enum_val_mappings.end() )
 			{
 			// We're already tracking this enum.
-			enum_val_mappings[et][v] = mapping_slot;
+			evm->second[v] = mapping_slot;
 			}
 		else
 			{
diff --git a/src/script_opt/CPP/GenFunc.cc b/src/script_opt/CPP/GenFunc.cc
index 4cd57e7c7d..47a9ec33bc 100644
--- a/src/script_opt/CPP/GenFunc.cc
+++ b/src/script_opt/CPP/GenFunc.cc
@@ -233,12 +233,14 @@ string CPPCompile::BodyName(const FuncInfo& func)
 
 p_hash_type CPPCompile::BodyHash(const Stmt* body)
 	{
-	ASSERT(body_names.count(body) > 0);
+	auto bn = body_names.find(body);
+	ASSERT(bn != body_names.end());
 
-	auto& body_name = body_names[body];
-	ASSERT(body_hashes.count(body_name) > 0);
+	auto& body_name = bn->second;
+	auto bh = body_hashes.find(body_name);
+	ASSERT(bh != body_hashes.end());
 
-	return body_hashes[body_name];
+	return bh->second;
 	}
 
 string CPPCompile::GenArgs(const RecordTypePtr& params, const Expr* e)
diff --git a/src/script_opt/CPP/Inits.cc b/src/script_opt/CPP/Inits.cc
index 61b1c18ca7..2e51b95412 100644
--- a/src/script_opt/CPP/Inits.cc
+++ b/src/script_opt/CPP/Inits.cc
@@ -18,8 +18,9 @@ std::shared_ptr<CPP_InitInfo> CPPCompile::RegisterInitExpr(const ExprPtr& ep)
 	{
 	auto ename = InitExprName(ep);
 
-	if ( init_infos.count(ename) )
-		return init_infos[ename];
+	auto ii = init_infos.find(ename);
+	if ( ii != init_infos.end() )
+		return ii->second;
 
 	auto wrapper_cl = string("wrapper_") + ename + "_cl";
 
@@ -247,8 +248,9 @@ void CPPCompile::GenStandaloneActivation()
 			// We didn't wind up compiling it.
 			continue;
 
-		ASSERT(body_hashes.count(bname) > 0);
-		func_bodies[f].push_back(body_hashes[bname]);
+		auto bh = body_hashes.find(bname);
+		ASSERT(bh != body_hashes.end());
+		func_bodies[f].push_back(bh->second);
 		}
 
 	for ( auto& fb : func_bodies )
diff --git a/src/script_opt/CPP/InitsInfo.cc b/src/script_opt/CPP/InitsInfo.cc
index f02f7f04b2..c83b78f5ed 100644
--- a/src/script_opt/CPP/InitsInfo.cc
+++ b/src/script_opt/CPP/InitsInfo.cc
@@ -306,10 +306,13 @@ AttrInfo::AttrInfo(CPPCompile* _c, const AttrPtr& attr) : CompoundItemInfo(_c)
 
 AttrsInfo::AttrsInfo(CPPCompile* _c, const AttributesPtr& _attrs) : CompoundItemInfo(_c)
 	{
+	const auto& pas = c->ProcessedAttr();
+
 	for ( const auto& a : _attrs->GetAttrs() )
 		{
-		ASSERT(c->ProcessedAttr().count(a.get()) > 0);
-		const auto& gi = c->ProcessedAttr().at(a.get());
+		auto pa = pas.find(a.get());
+		ASSERT(pa != pas.end());
+		const auto& gi = pa->second;
 		init_cohort = max(init_cohort, gi->InitCohort() + 1);
 		vals.emplace_back(Fmt(gi->Offset()));
 		}
diff --git a/src/script_opt/CPP/RuntimeInitSupport.cc b/src/script_opt/CPP/RuntimeInitSupport.cc
index 87a7fb484e..6a657d0713 100644
--- a/src/script_opt/CPP/RuntimeInitSupport.cc
+++ b/src/script_opt/CPP/RuntimeInitSupport.cc
@@ -154,8 +154,9 @@ void activate_bodies__CPP(const char* fn, const char* module, bool exported, Typ
 			continue;
 
 		// Add in the new body.
-		ASSERT(compiled_scripts.count(h) > 0);
-		auto cs = compiled_scripts[h];
+		auto csi = compiled_scripts.find(h);
+		ASSERT(csi != compiled_scripts.end());
+		auto cs = csi->second;
 
 		f->AddBody(cs.body, no_inits, num_params, cs.priority);
 		added_bodies[fn].insert(h);
@@ -220,9 +221,10 @@ FuncValPtr lookup_func__CPP(string name, vector<p_hash_type> hashes, const TypeP
 
 	for ( auto h : hashes )
 		{
-		ASSERT(compiled_scripts.count(h) > 0);
+		auto cs = compiled_scripts.find(h);
+		ASSERT(cs != compiled_scripts.end());
 
-		const auto& f = compiled_scripts[h];
+		const auto& f = cs->second;
 		bodies.push_back(f.body);
 		priorities.push_back(f.priority);
 
diff --git a/src/script_opt/CPP/Tracker.cc b/src/script_opt/CPP/Tracker.cc
index 8eeb616e5e..d4491274bd 100644
--- a/src/script_opt/CPP/Tracker.cc
+++ b/src/script_opt/CPP/Tracker.cc
@@ -52,8 +52,9 @@ template <class T> string CPPTracker<T>::KeyName(const T* key)
 	ASSERT(hash != 0);
 
 	auto rep = reps[hash];
-	if ( gi_s.count(rep) > 0 )
-		return gi_s[rep]->Name();
+	auto gi = gi_s.find(rep);
+	if ( gi != gi_s.end() )
+		return gi->second->Name();
 
 	auto index = map2[hash];
 
diff --git a/src/script_opt/CPP/Types.cc b/src/script_opt/CPP/Types.cc
index c55a2287f8..9a482d072e 100644
--- a/src/script_opt/CPP/Types.cc
+++ b/src/script_opt/CPP/Types.cc
@@ -280,8 +280,9 @@ shared_ptr<CPP_InitInfo> CPPCompile::RegisterType(const TypePtr& tp)
 	{
 	auto t = TypeRep(tp);
 
-	if ( processed_types.count(t) > 0 )
-		return processed_types[t];
+	auto pt = processed_types.find(t);
+	if ( pt != processed_types.end() )
+		return pt->second;
 
 	processed_types[t] = nullptr;
 
diff --git a/src/script_opt/CPP/Vars.cc b/src/script_opt/CPP/Vars.cc
index 432dce39a9..c62aae0869 100644
--- a/src/script_opt/CPP/Vars.cc
+++ b/src/script_opt/CPP/Vars.cc
@@ -120,7 +120,9 @@ void CPPCompile::CreateGlobal(const ID* g)
 
 std::shared_ptr<CPP_InitInfo> CPPCompile::RegisterGlobal(const ID* g)
 	{
-	if ( global_gis.count(g) == 0 )
+	auto gg = global_gis.find(g);
+
+	if ( gg == global_gis.end() )
 		{
 		auto gn = string(g->Name());
 
@@ -131,9 +133,10 @@ std::shared_ptr<CPP_InitInfo> CPPCompile::RegisterGlobal(const ID* g)
 		auto gi = make_shared<GlobalInitInfo>(this, g, globals[gn]);
 		global_id_info->AddInstance(gi);
 		global_gis[g] = gi;
+		return gi;
 		}
-
-	return global_gis[g];
+	else
+		return gg->second;
 	}
 
 void CPPCompile::AddBiF(const ID* b, bool is_var)
@@ -184,9 +187,9 @@ const string& CPPCompile::IDNameStr(const ID* id)
 		return globals[g];
 		}
 
-	ASSERT(locals.count(id) > 0);
-
-	return locals[id];
+	auto l = locals.find(id);
+	ASSERT(l != locals.end());
+	return l->second;
 	}
 
 string CPPCompile::LocalName(const ID* l) const

From d3f16af4abeb19a0df38a355fad3141e620feaca Mon Sep 17 00:00:00 2001
From: Johanna Amann <johanna@corelight.com>
Date: Tue, 23 Nov 2021 12:37:55 +0000
Subject: [PATCH 083/210] Add testcase for TCP segment offloading.

Relates to GH-1829
---
 .../kerberos.log                              |  21 ++++++++++++++++++
 testing/btest/Traces/krb/kerberos_tso.pcap    | Bin 0 -> 85764 bytes
 .../base/protocols/tcp/krb-tcp-tso.test       |   6 +++++
 3 files changed, 27 insertions(+)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.tcp.krb-tcp-tso/kerberos.log
 create mode 100644 testing/btest/Traces/krb/kerberos_tso.pcap
 create mode 100644 testing/btest/scripts/base/protocols/tcp/krb-tcp-tso.test

diff --git a/testing/btest/Baseline/scripts.base.protocols.tcp.krb-tcp-tso/kerberos.log b/testing/btest/Baseline/scripts.base.protocols.tcp.krb-tcp-tso/kerberos.log
new file mode 100644
index 0000000000..75ec7ed782
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.tcp.krb-tcp-tso/kerberos.log
@@ -0,0 +1,21 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	kerberos
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	request_type	client	service	success	error_msg	from	till	cipher	forwardable	renewable	client_cert_subject	client_cert_fuid	server_cert_subject	server_cert_fuid
+#types	time	string	addr	port	addr	port	string	string	string	bool	string	time	time	string	bool	bool	string	string	string	string
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	172.16.0.211	49812	172.16.0.100	88	AS	administrator/TEST.LOCAL	krbtgt/TEST.LOCAL	F	KDC_ERR_PREAUTH_REQUIRED	-	XXXXXXXXXX.XXXXXX	-	T	T	-	-	-	-
+XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	172.16.0.211	49813	172.16.0.100	88	AS	administrator/TEST.LOCAL	krbtgt/TEST.LOCAL	T	-	-	XXXXXXXXXX.XXXXXX	aes256-cts-hmac-sha1-96	T	T	-	-	-	-
+XXXXXXXXXX.XXXXXX	CtPZjS20MLrsMUOJi2	172.16.0.211	49814	172.16.0.100	88	TGS	Administrator/TEST.LOCAL	cifs/win7.test.local	T	-	-	XXXXXXXXXX.XXXXXX	aes256-cts-hmac-sha1-96	T	T	-	-	-	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	172.16.0.211	49811	172.16.0.5	445	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CUM0KZ3MLUfNB0cl11	172.16.0.211	49815	172.16.0.100	445	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	CP5puj4I8PtEU4qzYg	172.16.0.211	49822	172.16.0.100	88	TGS	DESKTOP-RBDMVVA$/TEST.LOCAL	cifs/WIN-R5NF6DMLDVH	T	-	-	XXXXXXXXXX.XXXXXX	aes256-cts-hmac-sha1-96	T	T	-	-	-	-
+XXXXXXXXXX.XXXXXX	CmES5u32sYpV7JYN	172.16.0.211	49821	172.16.0.100	445	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+XXXXXXXXXX.XXXXXX	C3eiCBGOLw3VtHfOj	172.16.0.211	49828	172.16.0.100	88	AS	administrator/TEST.LOCAL	krbtgt/TEST.LOCAL	F	KDC_ERR_PREAUTH_REQUIRED	-	XXXXXXXXXX.XXXXXX	-	T	T	-	-	-	-
+XXXXXXXXXX.XXXXXX	CwjjYJ2WqgTbAqiHl6	172.16.0.211	49829	172.16.0.100	88	AS	administrator/TEST.LOCAL	krbtgt/TEST.LOCAL	T	-	-	XXXXXXXXXX.XXXXXX	aes256-cts-hmac-sha1-96	T	T	-	-	-	-
+XXXXXXXXXX.XXXXXX	C0LAHyvtKSQHyJxIl	172.16.0.211	49830	172.16.0.100	88	TGS	Administrator/TEST.LOCAL	cifs/win7.test.local	T	-	-	XXXXXXXXXX.XXXXXX	aes256-cts-hmac-sha1-96	T	T	-	-	-	-
+XXXXXXXXXX.XXXXXX	C37jN32gN3y3AZzyf6	172.16.0.211	49827	172.16.0.5	445	-	-	-	-	-	-	-	-	-	-	-	-	-	-
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Traces/krb/kerberos_tso.pcap b/testing/btest/Traces/krb/kerberos_tso.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..a3cc0832676655837fe6d023370611e9c6db12cc
GIT binary patch
literal 85764
zcmeFa2|QIn|37~2b?sygp{x}`*S?jKwU8whvKF$FkfO4bl!~%MkzJeYDT+vnk}NGM
z6<TORq!RI;IrrYWu4{Rg@ALisUjJvj#yNBDIiLA#GoSaFGjk3TD=Skqf*{5#mhof2
zc7m9&hzhdS+uzw!!dy~V+sDsY!opZm*iB7F4zH@JWFV|<x>0zwu)M4yUf*Dku*5Dm
ze^=oR8*~+A<s}gsWHF+wD6`egUwE^dx0BDVox*Z>VF`IWUQtq7cx!;0r<1Up8eUNj
z)Q3al5uE@p-))Y*!V;U^{G4~XI{JA?3M<Ge%Bl%V1fp9Ryv%k5WhG~M1!Wf{XBTHl
za3M(5AVZ$xiCahw3+UPCI0w3IbGBJ;s%IaprzN*WM?q0fMoCXwS4L4)PDw^hS5Z+$
zPen^tPe)HjS4mrEF9LXGLUjFIo&CI>{e|Tbgb`4t19Vyb0a?K5C@=6jCs+XKMH4Ne
zVyzy$2JFL(%(tcC!l3^}84z6rQA|6&8VLoL<gp`dAk*H8!&GYO2(iJFL$SXGtb`B*
zi=!>Y(9keoFgPrMHf0?;HWYP;5^5sUfvbacq|!n9upUh1tvH2_f_b1G_E1h?<m;~K
z>ac`tfCS~Z1nN)*`!G+DLn1APsvPW~9yU{UVQwofcp0Pzc~1u!CP?=wpt~RJ!#suV
zj<nbr=<)%&Ht;e;cVdI_8b7$lx1k<xNC`OfIJz&2VAop+8yO4ZW#!}%EI1wbFCPDA
zch#y@1im1D7SORkg8Vt#sRzr0GRy?a{naf-9CruumolG1w`@SSR;GMd%&xa6p`YWR
z!qw<5{D(n3_fK&SJ6hn131I#FdFPXZg$DJmi{p8e@vD#0qt~*7|AZ`fEiz}vou?T2
z>asF#unk3mz?I9I9Rlg-meFBoX|d^^c=z-bcy&4^P{v`xRj}Aabc|Aw2H`(AF<30R
z8%fw@0!InEG-PKpWl7;B(w7K`d;9p?J2|_!c{@AVyLsE2>uD>>si>~@^>lXJ>1^+|
z-5Ycq1YJU%8j$JqCeWz_D8o!?a}0ml392@?Qs^jTHsurMvZh6a?whPr^ceb&SP??B
z{NEoa_QVld)DF<|6mJ!--zNW=Bh`ywV_$F#2Qn7Rjzws&G#oV0YD-WG7(^KCKaQ=b
zELZ8ZUlSg^Ph~#KGOojXx<@B0gjmfm>g)*(&%w2*ufr`Ct%nA+5rHn`5%yO!;1^nC
z5lVL#;)ZyGo>vy}N1TzJ;J+;5iTEJf5J#|u`lIyCO8Xgo^DgR}+>?E?kXchl*bw+8
zQlW}gJFRcdRgcg&ftLPB-+UbVzwevm{q+iGioTSQ;1PtrRL^~qZ#vzIM=W=|#ef)s
z5c=zV)Agm~b?kAWsDsd7GZO0PABJ@l1p>P{!TuVtycIvflc)sh*%!(=F=5I&T^;28
zbs4B*Qh!Y@hlHL7RXO&7dX!Dsaab#~GbQ!ctBI}v`@?&Ht}rOWjB19AE{0Rja|XJ6
zIIK0Hzkcr?_68r;nL&fa&}M>vOj+~sTzHNQ92Sd&W-{XF@wDkQ7|cX=*bRJGc{)7}
zEwVZcVb9>l^QD8+F&P|qHUU;gCoeZ|x1Iiej{ZJ=nJfZK7P=cOWQ|O;wT!Za@C)IY
z*bE*#w*Z}o-&X(a{^Td*aPYCo;}ul!YH|vAc|}#cl6CIXL+9wQIPvx37UuyKEQS+{
z;l*Mng0YxTEQSy4?Y^)OFMwYFE8@=J#Ift>ZZNbkF_kf2qhq{jla?^l8*H=EWcsUd
zRS#waWta(`MbIK@`_caIP=AH_6t-91@fPa}`abT!0B{w8Jlq%7h!1Ok71Kf`F3LuE
zmzR^ngDj^A@RfBAEtZBUw=oy|yx_tl<y@RiIe9)fFT4ld0Fvg))WWU8uf#8gm2qY)
z5)j<HcD;<b(t15*9b+S%O$J)zR)BT`TEf$%15-`}6N;gDMo0;piNzs=UG~4bY;YGO
zs3WK=avvT8x|+d<y{P#b)^&vE6r(8z4l~(@$?00UQP3rCe-iyaAl;(S$u>B}2yEa6
zv5e0=$S<jFkkj>@neI=N?tZFtxe+7=4Fe>)<oyMQJ4Js%*5(jJJ#Pv<Bp{XxbYG!d
zq8M^cebO<?I>>dR*gt~u?nlOZg4(URtDqh>*e7lIJeNM{2B>2Od-_n7gALSkZEBws
zOV*~k0bO5EhIvY#v{lb{2D-3M%7gaAD7%Ma<niGcS+ZVf8{QFbMDSf*oHkwyZ3CI=
zIMu^q4y>5-&!inR7>+;R!BD#Shi3^*_QKnyS<f-m+xBLOO4Own4?X)SrZk}MuK##`
zsHy&=qSfCx|F8COMr+RglYJbt18ldU@E=GpMo4<82it=(%#?i`omu~{KlUKSH|R^(
z7U;fS3;Q@LJ4lCau}3(a2tJ$+?Z?qxjyY2quZWi?^h(QclK7=_?3J=6b${8DqsXNG
zD<>Rh?ih|+j}OPKBlND5F3p^+=gbPnae`~-5jsn>(+kHTxNw>==WcE$S>~Mg?LW@E
ziMx8YTeP>-YE*<i*}kBvrK$KP|6yb98=M0P-pTTVGz^OqyFV=|{dn2nZQPHmD*QX|
zEDL?;c~du$^PEW0EvKCyH*@7Q#CSbB%Hw83dwQ2&W4B2D*zO~;ViA4LX+1aHI;4I3
z->Ggzl+L*#PsG12UZ0rt>lnk*w`Or2tjBrS^_+AosxCK(8x~yY(Y)iybZ<qqWv!Y7
zqsNoJKrv=aSyTD*Gd4zhy{+Hud&PA4ZPGz*TK^R_x?}o{>GDm*%z?H=0b84_BOX=n
zFA6iOXgX+o(JhmEb8%_sujTp^4v!+j5Zm9n_j=ixR=weTb8qSB#8X?JdydUZHXLL!
z!ql)gtY5M+X<-SQ9q&84Q{!u}Vy>C1-^kzFpJ(j8hQaRHf^$m-&dG5ZY`7cH@>^%@
zxVLwFs@#cg3w@g-@$_$RxZk<b%$FTlZ2WdlwR?KLpodL+M55d!U)GT?Z2aqLE7N%n
z)HmMR_b|K2%i+xC<h2dDM{`8g?lY~DVY<GDHwQ0$GbmR;%JA%OrUiUEydJLQ^Kq!F
zlu#1b8K}+Z@+lT$QvbL;3p<j%CrNz4{x!T?aRt`KcM7sN(yV!(n=uxw&V28wueM@y
zFI_<Obvf>c(-#$X_9g`#d!sbWgv>Li_gk7*eZMQLSn2a&F%88wEu}qGod-YI=ReMV
z$4cW>;s3zH=}XUPxB1r>^E{6`CjUceRE8m~EM8R1+E9|7L99`aGyQ_?NPT%*k+j`b
z(Rv+QiC#Y%m3HOgYf0xn(zAtz#&?-K_G>>gtngA~-GFOQe8H|ACgFzVhT-SCzN%Q6
zTOZ3_)16v%*p01faHqir-Ak7>uF(m+WfSdw{zPDP>T1b7PwHwFYO2naj#uqD&91qN
zNu1~O+S9@^3#C&o@zjYpRSgVZd(mJsZ%MD3Ti)Beljo0&MSgpYJ$-R4XJoPa*wy`v
z6)E)sAvsbRAG1z;-OIcSw|_yMn{mI9*gyg6w`JS(qm62H9~(Ajl&)$C-Lt-h>+Hvo
z&#RfVH-)TtuJ~GK=U#^s4Y-(Bh5jvmHjzOb#w}U&Lr<C_*e$h&ejXU=vwGg8A>qR!
zEShfh0WUd7+a%K&d;z<|xMK^eJyOn)%avq#$@kV4hn4O&{XSAF>|)|>;O8j_vOVN|
zAj#HMtj~1aj@F~_C#z0Rde=z)({NA8V@c=Eo~CzEiv9j!Yivr*O82)H!dqm0Lxe|P
z`X}xY+n(T7Di{9vLy=&7R=(vontNQ?c?|3ZZtScJo@Ix{S3X)S+FNnq2TP}VrTe<8
zze97yZbf$T#o`-Og=E>@r#D0|;;gLhmvepIxQOxS1<Ctq-#ed*G1QEi-g#bguW>>)
z^ZN6)+;Gfh5Lq_-=@l@U;TT<9I7X{b{Il_jen#x@a9pyN$SB{<=d_WB@XvV6v}>It
z1iTst$7_GT!|rA@ZsQ6XmG3+fK-V>TD@t3Y!s|*H_g%JT>p}-L_aCelJA8dQ5;~Xs
zDBzHox2mPD+4;%S+}>`%e6|dWPeyTqmmCC}7a4q3Vm5fL-TpiG(?zoj2Ly_J@14xS
zjBC<PC~sf(wWfoi<yGZfp~L=e`;#3vjEaT^i!^tX4hdfh{3S&bZc{xXd#Fv}yF%A7
z`cs*ft|N=qNi%wXSewu<X#9qLMgAC%Nd<eWlE&7X`fS)l1#gM#fr-1<obd=}yCL=F
z{#b~z#MWOef`jS2w})M#UdAM3++CRAl2wsGduZ*EEf*i%ITGprRH{)*;1u_opM7El
zXDicQEg$l9Thn?t@%8%)t!6f|9cH!H#)p^MpWL<G`|iYPL&<9&Mjt4laR-JOavWw4
z;?E2?W5=KP1IOH)ZlQST^;)%C_q(Rz405``Gt>2(fi4H-Jrz0K4obS@*h`{+4ALzM
zo{YWjcY%1h4&u=OeHbqxJxV=%o0;x!l<pp?bO9bs*i25B9FIEr%!o&KQs^NOu~g|y
zHG<UUjz@966m^j6M6rJy<=u;n_r&X%;k}?9V~9r|u*?OI%78j%@DqQkau|bp_D%JZ
zYf$+hLHuI{=q7+N%#?T(LG%J<pbPLQ5&vxQ45tIV2Hl1~c$6h8oK_tlPOA*E06Yr1
z5n4`MIPE;|a9SpCkd6RZz%TPM;XN}<0FnF`(fk+D{1?&u7t#D15lwd3X?)lz6whRa
z#o)q@KF_zbWQ>Wp>r?k>_4+#_?H!+#vF^J@b1PSNF$Rlko>;3S@rI$<v!Qb+-DJFc
zoyE29v1^|6zQ4G@BJb4WdyPBW{a&rpxhnO7J8Ex!+>)o3`a_(i*raaE_R=wI(u1KY
zTpf1V!(n=QaqmpkqOwi5HwEIP3rh6Xa%L=9QTfH!_{yOztRc74nIayB3E=0W1BvG{
zS#ivGM#AVJ=n1pKG4ue1(U67{5sD#0QM@n|2%E70&ntl2=H{|ffNhtXw~DO4^G<(R
zPoHg$o>WE+(IG;kHL2%0@$BdjAqN~KBn%H;3`@j^#Syg>jSGtsAO2N|IH%L?l2#JB
z!)Q~G)wc9x2OC4za!Xy|F8X!)MV&{hqa~j$7+akh+;7f_tXk@Qb+NBG=Wj!^H#d2`
zJ1j)UqMEJcPbO~}bz2;5bEl#rpp}c};_JP=KZMwmKfOrW@(Ht_juv6k$KLiW={334
zW^LKdB&KW9H6E4Q;Te3nM94}~I4Kfn1I8;Dp2%@XFJ(L=kGT^46KKp0qKLWsR64Wr
zAP(vA1mynUka|cQBp45u_^St>17(<}j0YqSAb;W^X*>YNasu7I;{je?;dE{w9y<RC
za;*Q*eSJT;um1$@&3g#fPrk38gY7{e%>$R8N6kqX6AH(j#)ab&t)0G)F6bLO{o`ny
z^zF=FHOitRtBPy4zUpydYaU4+5A(|S9dahBZT<nXY#$2|$=+rq-=e$kjLY68#0oSl
zxOZGMr8g?$b=z0wg>Iz+inT*2n@X=(A!e#Px^zqFrK&d8$SPv<l3!#x&reTT{I*W~
z>6!L7`6q13;`wt5J~u4<DddxMdHDX#gi=92)w^XpeZ#Mx-Enx?X1>NzllvOeyq6if
zZQFk61>YZda?dgrxyz_?amgijo5$ny^(zyu-L@Ml8Dh$OxmO{TwX(i`NA4lfQGc&<
z9wi$B&Tn6^g)!sXE54WZ<GWSG?y~>V8a4>lXIMkiSd#bgUFO>qhOM@HtRfjRF3nGB
z*5zm!VBvJER2Pc;+^#qOr%>rO$-)j#zWKCH7L6v}DKGs4K6$Y{qg7u_e=a>@9>XK~
zXEp1Ytd95vF=`n!&~Dz(cIW5s;w!SwJPUosXqT_@%$69tVZ&jh{K!D{sj2hHurj6+
zwu9;Ir>YiMBh6n{n-;p{IM`&RCmXhz72d{wyQYxxse}EgVPZYDRGQ7cDrn@;8NuV9
zM$ezUSym8lu}E>O(q)2=VMwi}>5{$qz58~?E#F02cfU^-7XFxiut-|@tt0meCq^5F
zcV?eeGz0^K{I0~SWJfk{lY739eU$w~W98O7I}xY06KXg1)^Cb5rsrmhEPH(}qrd1`
z$4djVecdS@2lLvhZuo9+@>u-s`pVitx65jgCmXDv=?ZFm|5?V;A#^cE-?(Jqm6~PO
z2Z{qPr<nAeV>&rf<X#<&J?SHXQTlH9xsY3{&PdCob8Bv&F!Rz5Mah9*3}V_NC6+sr
z#<4eP%X$UJ_q?26^Ej>PvD}u_H%`%R3vpGwi?^z*mkpb@+PdA6J!mB&as9_RgLNC+
zidN^HDR-3_okz<TP#&Y+SS>BO=#c*d_D=y<?YF*H(~i~Q7~VK<T}{uTHTf6CTW|bY
zWD=ugPP<~&%lWHa_u0hOD%E3!Z*yH&ao)1NM6Euiv;9|t+@(F{7Q4S+I2==FTZ37{
z8*0!LVw<`qP4sQei`dNN*Keg38j5i`KD(E`_Cy(Ds%Gw0-l1`K+J~Wn2hP_ezo}ov
zh}=JWE97+UAz_8pHI1VE2a=eFeu-XplksYfZrY^2nC(%F^VuS)dJ)EO!P67Yrt+<v
zIDh2(3XW9$oCeDm)lDZY{c_i249@>j_~=mKM@*p9BeS0iv;-2jB#6>jbeqJv@>K3R
zr5&@pqPcdt@QHWgLl@6VV?vg#9t$gQUn;fH+ES`uLvW$X_aN7=A$0fL#|4>JY&Kge
ztEp1R9J}<{PJJEY;)60J$Ff-^c1j|<O5OLEo#}eM`l|K2EZGU=s<WNK5x?4-y_R=l
zc}MSTh-=9(J~FWKS8OtlzO{R3#PE#=_rv8?Pk+d74tj0c`jFkPV4GWE>7|BWCj4uH
z5}6J^k3Nh0=3{V6=0?u9iveFYCpTP9x3N9H;k@_3{T*A54|mrtlX&*y3Ei9hzY3OB
zI_|Y!c9~C1=aO4?1xI?vvzj5d2Ah+K5zjs*Mq>K{?8Uc;hBf}OA7`mC*S$8jtSkQq
z{$ivgyUp_^_upX90o*KLlnLP{93un98ziM2ENZmcqctwgGg-QdfB(KM8Y8;W_gHOW
zXs^F!$hF$8=pwK$SXD1QF3_#wVO_njK;|&r{B)0iEkD|mc~wu;hDD6mM%;-}9TUI*
z@T5|}r$t)#{c+)URqDqbGt@d*BV^>3d)5k_qi59Mxi;_UqMNN1Y$7fz;tEvNs}nd+
zT)eu$=}BI9>)A`T#<h)E4@$W!BmF+y8cdTLjF1-*aj&8kR>@>n%DS28wq)5h*#iwc
zw)`gs5=!F+RRa^)&i+_g7IcZZWzbW%Z=$)Tm@e~!me!bUtm~GHT!-CqEIorMPsbmQ
z<2Ih}j2g)l?vmk;SlW)?b1{3L#loomk5PW*f<J_<w2xFij_%=-c2;}Qv48#!?ucOj
z&M)Pkr9D`KWebF`V|#e>BbSybA~1fza77*;?Li!y;eK(~pEyPsS3vK3v+}NEM*FAU
zFOt*UJu}^)8R*V9uJDGE?xc7=fJNhZz~p#7+7IISWf;#pe*y9T#B*|ff6Yvn2Bqsy
zl`a@pz%Y~3Z6r)#L2*JxfO_x+P=*=B3FLF7khGJN^gx^|C2XkBQA7`(8*o}qK)Uok
zgn1$GQ4pN7A%bq<KQKiBO|#7lSpY60Tn(k?CGv+L4&n4%e`e8y(*rC?Pm_+v%T70Y
zhHQS#-?=tSnc;K~aN%?f4&iilWRq<$h<7+$DS$VHf8Y(_9$pym44}t<(aV3)%YV_!
zf6>eTU(gG<S<eONC6k0+k^y>2;Q9G0wafeQ51Y3+EjB0K^wVv-b4TVEhOrYP7XLQZ
zVDx3;&BtT@nUW?#wJZByD*uq6iM<oJeK3f_pYQXnr@IPM*>ii@gYql=8n+FxD>|-|
zT2!K}&gc5MO6$dF6jRp$ts83!w|Q@Rvc%xI{2SSu4Y<S;y|g;3>CO1($%;g?X4@!6
zxgR`d#My2#Qp}LPx^?L~?7W;>xp~DQ3~RjV^jla;h4!4;nr)sFlk0GxqO8|eyYBw3
zSKGF2<xs(h-L8yR9@zDut96mc*5I1HLz>yu$p<QIH<f%>R&LyxX<>45OVK*a^XObz
z33*nd+K}(hZZH4dq;Mq<>%+h23CBj>HEqk~>^S_R8g(3XI(fWgQoB}cd&I`~lrxe`
zh|69&x#Gi-*TTjfdKd0?Jsz>y7-i_#a{H6R<%F^yY8waM2#tES_Fc)`qj5EH!`06A
zMb#tfITMZ#6qoR9*z|hWQ^%Ll%}3K-g;~b67ap#86|txN<B><F1YJ+H$legBSe(3t
zXTi(TiJz<2_^e+WjX9#2D7@c$@Ij!X-AfRkU<{|kN>+gsSc!l=Fz7rd30ysl<*94{
zBaqEWE~3}eSz2WZ#!+;$VW@_f1Jbo2hGRIEuz0t6usSHiOg5H)(#1&Q8X(;iCaQG7
zeB2i|z*PVhP+|l|co-x~j4&S_1oM-co3`9uyK>dSeYcl{7j<#>!SfA}Ye+`e6?|B6
zIt>#B$zUb}0-0f{xUka>VW-GKJQnc@JA@BA@F&2tWd`8`2@Vb>T#X8G+oTq-HR^CS
zFE-T7<u&i${;javb<9(B-{lWnkIoqiGAnFyZxnLb_DJ_yzGad9PE*Zj5&M$|<aO6s
z%JXK(M*PU<jm=hmE)aga>z5<%qy7<z2lEtq5|0eLE8tbvbFJN&_q22LNuyN2yApy<
zp>CU@gdjoP9^9iIoDcS4o`S#9)8e6SDd(y$ty1VHhVybctfJv%h(Eb*;rv!o0#j(w
zM8aPr-I9JMZ3()SMr^>}%yVLGkhO>@qK$}yOQ9T49&|Df*g|<kg4KhMfPI)LeFX`@
z-9vq)e6p_;gZZ%%%5Z+HYA3u5F{PA;BoVnhs58Q|fv->|cHmWb;=u`w5I7a`2zmWR
zJPLVr0lYo}WtgYv{!Ur~HQh@n1Kr!Bx-UXWohIj%8R(t?J^Ys~sC#l=PpnVgYN}hp
zh_kg?_}o_Xm>M`AhvojW5`?rOBnTWACDMZXF!6y*(gn3S)Np3=-}%!}Rwy&tu)!9}
zJO*Tr0Q)dcu}=W*K5Czv6!x(P_IU*D(|8qLhO8yY3}%y8Lzzi!nPdt|nG5?Q)0`Ey
zm>(AWlGmo5?L|6&0_6?z*a_)^1bM6vQ4g*H`!G+jOJQ0fRl7U_cF6;FVYfO1FGCKH
zc!UMQtaG>r_X&xTN8;f>8)z4juKyeaJ82kBv<PofNWTYxbt|N_3-JIm$#)`wU=}$+
zE=s?9zgIoD75oPC6dT;eHKI1~p|C-orjDeIDIaD+F&JKkBvHyo;$^P#Spg!XYfy^Q
z{bQf}LntUh`BI68Ar0uW#3I;`{O&gK5VYyaed@uPpbYaAo5rV|qGnS`8-<P%1JtI_
z*%8E*TxNDM?xBWZn$4z?2!<B6Ay@S5zyGGn0(pm2(clHPP=*d5!)dS&^Ax)s#XUgn
zmOI&QB?iE5_0Vqo@8D&K1EmZk8_ZP(Mi2#|48)}ka1Tw84uKZr8B+5kl7_r{?pF_9
z2g)#0>L0TrEs3iB>w*4Zn_{zG3a&yh?Bu+|6<eeP+X76p>0b`<MbgnT3IC?*o$N=j
zON%hmK=(@r8RCR%?AK6lB*Xy>lGHrm!I{CXoTQ*v`*WY7HRK3q8+GK9U;{^5F9WiS
z-M|4}hXH@o&Q+k@v7@3&Wo^WQD=+#}8kOPoaODWKbEO5ZdU7VM)+N+U(lyjE)HQhw
zG!30G1~#F7a)rWAK>L>J0Ddz5jG&ZBF%asSr0u!tngei^4)Whbih+&9L(ne@0k4-p
z8D>hqKvL6^sriLeheAgw0{y}&3MI9J+%FjZaEknig|qvG>ED0}NY3UL0RMuspx%Xv
zYJsw7hN%aGV2i*!rF{<I9-?|*Jz4Lih^EdmGobh1%!=?b<Tj-&B)ya3`fRdr0DR<+
zk|O-0MOaWDhQ~-gTmaUSup&05YfW`+c6sdF83;lJ^eeb-X}UzsS833zs9gc|0`;Rv
zrk@8uKb)WpGo`IDxU|#MY`x43*c$X-V2*G<T2DK<eqih;r9Uwps2{BW{y+i*q?5oF
z##P>Gjwv<{0>>Rdh6(PY30zOAfflF;Hhu??p_U9lCj3Uw86hfzgTzEC&yHzHt4E=(
zpw66#RYISt3I}tdKpAFApTa2OnxW3lj8gbiy{3+|4DhKj>`%xHhJjLN#0vi4rrCT-
z4p5<{Ghav^B)CmN_Xz(03Pg1Uk3sE(f(+|)0-2BqI{QXq<d5GGjzcZLpMcIMB~p1a
zxC>Yh*3FR;={RNC0<5^*fLM?YgDuo8q+Uuq26b!@p&on^lwqdyOXNV>8ESqhEu+wJ
z1z=KPE-N3DlqI>2>Hc^P0@fK5(rh~BBc3<4?}5BRp4*9MK%SWns0WvUGR%~Ift<&+
zK%P?~C;P>fN5C%*L%&$J6D1Ww$ur3ubLDvjO6H&a2jzisbrK0cxvm|Y5qqalwZ&nD
zjxq~i3(ncFH#4!O*=zy(2!baPFCcDa!`?d)KY+Vu!rr-&Gh**n)NXE*?N(-?sUyPy
z>^3SWiZU`S_MWSJ{|feo@?{Y90o&c|*qiUrjMzJsnoVUmfK3Nbo6ds0S%|#MX4C1g
z_f%PK1B%cu$+34KkYNVw-G<sNox*Mdz;1itnsC-gl*wta_grQ8=diba)Qs5sELHvQ
zRp_`1+Z4xa*c(6zG|i@eO6)yV??ghx&1~4a-bCKem!}QG8Dy=0)4MAQ;+N^LH??!A
z;Ted%shvA_?5%QmM(q6v^^=0hesUGGZ`l**_=YAb{IuA6uDYHZ_AUUt&VaqssQHEL
z3E&s!p<m2~z2_0_IJ;k%PQq!k`2}_Ct#@Qb?EM(kyE=v5&ui)|rvv@!L{<~Z?6lZ>
zuCmMpdoz(?@11^u{~_#s2k2)8?43@{*30P>I<ENwTeHuGz1ikyYZCURv~du)-hoI1
z?xSf|><veg2~nDawTV|Er1D&_w=;SX348lv2s9uTsfbn&HV0*xDKQpC2loW(?998#
zK6T9(_*6IWsd0OhFousDW5N3sVg<-tbw<M88ARboF_#>BpC|qXHze#0k3sFkf(+{<
z$O(3cI-|tiFyg`UXxL#5FcEaiPAL5OPb$wmPEVlq=OVB}lKby5sB2g&ITl}cbVe+m
zLDf&Y6*|g~0zYM&4U3a_pRG^gBQlvm+>&%o;1%)=u`5i_Plf=`Ghp$jXx{_ZmXkgA
zDnF{JgV%(9vJ&_?NYi5Rx$^w)$KvvFGh*>fYPP^@Ds)t^pthK092~|dm}avD>@%kN
z&c9<E+$w%XEZ&aVZQEqKRj>fN-2ry{%?O^Tfix`^pR0WT3Koas;5jH8@C{aT!QwB0
z%$eX!n5W$9#;0XbwdoyTQyBBPt!BaEq<(icn@)$tr^-SNi^n9)h{d0wb~{aBHxTRP
z<e}Y=g;4bA$HC_+!#{_`g%W4P;@Q;nFDI|iaUHfP?%A+77b@E9ZHf|$Pt`k-5OFgb
z7N<5|JslROcJ6dooZ7i_$KoG=u4i}_{2cX@3zPliI%wbWdcaS{sve`lPm9Ips_VI7
z@vWz3#Ns*B{6bz2_=N-T3$EF)IQN|W!gLZApUp3*WAS%D7B~hDGbL_925>J>y(?1a
z-2v$RI@Ei=JId^|SbVOs%ms@Vl40@x+&H*x(u`O<m#VF=D|FnDKy5wCI5<SbFwNEn
zldw3YjUoPafCNB-`)HaKi^H=Bc#+h95-tRz{luNQU~wn(ToM*19|zY;o^c$!1M2Kd
z|74%KA)%?Ga0-sUv`aw3(~pDCRc9nDPN_3rqKt5xMBIlP5*CNYpmst*hFFFmC)k+=
zi<6F%FgYzel`N6U|K4%%W}xGfpca^?V1ol`=cxIm!YPH0N=4w89J66>9wPs<`6VCm
zJW3r?$KJ`OXT;twA<rpry*nB9u2ckmF$Bk3mJ=$O7JJW?=YK!;zIkRw?0uf9Erx(C
zN>N+Pg1vd?Xbad!5Lz|y0^;Uh9|tc;nGt)xLhWWtVYgCE9mQa1x3A_XBhzB<xytvi
zU~f1Meu1bDI4(E)I5<b@jM)1EHJd61D|A$u0-LhWhP_GcX14Y<9rm6o%WWVP?163&
zrG)por-2MJjDx>M?G``TZdInhZapBjPYhO~q^2DQpQ{Z29QNirJ0teKNLBwmK>x5!
zvCoFR7Z9~HoBk=W_f)+T2@yB5VQ*^V)ze{bYUfUey{Vl$ckKNL=z0e1-HG~17KNXH
z_N_Du{A9c+5EXt}>^)aq&kcK<r_G4HFH!RgrBQ{Bn+#~Xj6!*xb`A<Z(T=nG#boR~
zn_p1J-Y<bHGhpv7RPVBr^?s8<Q%4z$^J2!M2*6@m>^)am=7PPM$*}i-ZXDbreMan^
zN6psCzQESaz}9TDje`r!(bh1o!ub@GHVy*E9f&mGKALcU$G?DisLVlu==ER6-p*)c
zB<u~xW?_PTzIMip<KW#;XJ?*K_*Ao|j*1cRso#nzkk0hu;B(a(342rOj2wHzF>g{L
zVQ+X0Y9|(CC=@|Xurm$zCSmUX-Er_Hpz|59_+@H-s$!(jQT-YCDfetxTo8&6(rkSa
zDIQbmoH`Z{%bXF5zd`#RxJHx=i&uXJegei8F~3DMP?n~};&bJB1xn_h{nrjIgdSi?
zBmn*YptZ*2HNfO+R3*~#soLVaLPw1!TvI#wJ@}nubdN=8&NR=wU<SI-#<O62!Z7FT
zHimuC{|v_OJghm>JoC4xKWv`t4>g{eI;wc!4`VMrpsJb{<Ihz-D?o<WnGtnA&4zvQ
z@la5N82>WyFvJqGV|<w-nlp{B7gDpSDqf-E7Q_-<vtj&2L|$fVx6@(#sj^VR_zggY
z88H4k)NaQo+wB&>5UMHAZtpgrOiqjO=PJWLhw;UuHD{V<UPM*@DM0_8Q2(=Ge4#n&
zpAzFw)jN?8ar6Hs#{Ud-Jp;ynkNQa}g`a@-tyT!f<g#HmOR?695wuiNTb-+}=Z5k3
z9o3v^u1hgBzfda#eo+nlf|L6AIxEq72qH|}o2^~Sfw|cTz;mQDn_p1J_yWf?XTtbB
zsNN+g^j@v0qrMo9op>dpwNqex)<1d|CNejhEOWv5EI>u1dFKDK7@vHtNj%Wc3~NnF
zsM%V5u|h{}6tFeb`EJYzX=Wwz=j{@+>4${zDQygKeG*Z}a34)nFg`p7#^q3uG3acO
ze;wlkQh)4BYG>4=KV__gSCZD6v=iY1#6}s%HG|7Q8D`37J=pWOUa0HS6l=+9qcn9i
z)IhA5IG+#cVkcofsB02$BJgLBX45t4-hfiqzJ$xs`ROb~uHhlly#YK14}Sv{!a7Oy
zlC~t>{B5!XB9vutX(-4bkt!i=sUN4A{(J%%A|29N8{$EPRMtXt5My)>yg2$3Xl9cV
zsca7JcD%s%WZ>6jgb^+9+`$X|;tc6zz{jLSDihY%A_!^T8|frcSqIQ_0pF+z0AH!`
z2b6b$6>W}S?lbA$ik5T%aZ4)yUAs&8;cu&&T%OD~;VO6rA!HEFB`<FT95{pecM^a4
zYd^vP^73EXk?25whLp+YA?d_u&UF7(3jLaLU9^UpLdPA5<EEL1#6+s_&$`;#{F;w=
z1*Kn8zyG3(1#J;r0W)P=1Zx65K%P^)C&z_50Jmu*z_!SQM=P7u7U{t11(NPW(Vu5;
zi~s)nFZN}tX1f2nLe&-tz!p*9{%hXk`>%AO6tM4ldG%%RK2U~v%JVMYw6YoK@&USA
zP*OVN^ZRgrR@5Mf82a<<`XcyaIyf8pAl$+P`FnJYf<N;2Dfr?(qV~+8uqW(WUqX9o
zx1)rn@JF)ezs{dXIR$^@_r<<xSE=gnC9n$|OXH@dKkT0sdkDJ1A4&k*2u$cR+Nq5f
znO=X_DfyeMzfY+CvMKZj#;sNWoP-%SUW-;cNq=yDI7xrv=+FNsf0o3npnc^kUe4s#
z*Qn`l1;8nH`Aoqih{=BKL`HWs>vPl^P=*=x>&f4ac{Pcy)2&mO%0#&qGkEgc-_^~K
zLs19$d&U$8bYLAtOM!0D_j`ix51taF-O>T-F^BK!-q8mlCDm^nlIuqs)S(Qxf_aJ@
z5_;&frayf!Ne**R&r5XN#SdNv=~1>TFF+SgWP^DM-5q+JRP{rk3;p&wyzJlo{XufM
zo#Oi^%T2CZi2+?yxAGLaeF=1X2FiUBbp?{#7DRW2{w5_q7$pzNFr#vl(Zz@l=s~)L
zN>u3rxxM{SxqlM+J9HoX``aE!M`qh<AvEZB4Rs=iqZ8%tuTL^&U6-nKejNeZgo4Wn
z`Hg$2tRMKEA&DORt|3hS``?apAk*nZpi@myhMCfrFnGN#s=jnakk;lI=mWW|_dtm-
zxXC(&#|VieJgE;P9jDxqf7ej&AO5bPu=pxBxptuiA}gQROJF;6R+wo_+#QR_Ip`Vw
zB3J6H7euwN4Z$t!0pVI<cC?HG|6%#>cMTQM<AixBGKe{%1lDQlfffw$suB3V39Ory
z1uHTM>oUo|b_gsBNWpr@+XDaQZ!@(8eW>3e{A8cCd6p>Gng!YdSF9sshtw9xzaLfW
z{4>fM)CcpFw%{;e0O=O|ph_3mEe3tifKi-mx4&%x5`}3tyTP`=L4!po+ro16>QL~X
zkdL_zPH782!LR>YZDI0vF)zO14BB$@>tpVRwP~7#-83=*E+KAlyl&NRhrJDdnPZ{f
zKu>|b0tyJ}`%&V=+Z5P09dP>@g#%@nDcceFenL022W4O1nk7hU2i8S`@fkaC6~c0l
z9E-vCKoYzZ)=x;Y*<%4Xm1H|h#E-Nr54;DG#ryAjAX&EJ!&&V9nfE}lNZ`U*!~r#7
zvX?}`_dv3+0g}vrUK2IxJ&={)E!O4WHPlxKKTm#(wG4h4JdDi{$BPo*V9rnRwLV$&
z8;R)4%)whFeE=m7^bJ(-h1QIj;W%6HLTfACYB`?a6W;U&dB0A*6+b@St|b0y3BwUi
zv9}^l2-Zu$rSYI)#-@iZOhZeQC3n5ipg%0Myjr9|RZwoEAoF-@`l#B=B7?D2QrY75
zq6fBZzuCN~<v^k}hfGE5(-RgGdeW@(X~4Il13YuYN*>BS^kMLlZGHRWb$Nq-(yC7b
z*La>NHi{cQ3YFH5lfIrWwOOc2_R8CIF+=r>>iZUaa=&4F>81&7Ykfp5669(#G2mU-
z*1cRO^t|Ew&NtSvY#e?s=cm#cs(om`pT#X@o!a=6d(Vk0l2?oGX_y$u+*qP2p#CnB
zOMo{zwEk+tMt>xJiEvHeu>4Nm#lK@CoR6+Le)M};&i1E<qIur*rjH^+d5+3ONro+6
zoNd9Cz~7yGalT9FgMh8hk>ZlRKN^Zw2QU|Yyv_D{f67@St@zziYv|(J+XuG<mBt)C
zvdr|$!iLxy$)}E-2i+u1JXXFPyCG~ddZlcT=>o?d<<x)@A%jr*%VH@%sx)%iMt3<E
zF`D%iH-FsdeSuT)tKV@Q1<uNM0a?Y@>pfGDL938@*6b5oHOexM46vNL!Xf_L?&{)Q
zF7(e*w$~mSsbCz5Pf#$f|CAzm{pXOlFN^B>)Q$?%vgNA5k7`}l@>}>1)v-Ko*=lvz
z)<{f<Nz5bk@{kT+Les&*T*1p`p})>V#h&|4lQ%BO`TX*b{?fkc9*Zp6jmgeI!GWt+
z6_{srrAF|zTv=l5;G|mqOoKhE>iF@;4KIe*Drzx_+;OXph*dC9s<?Ffql(AvJ^KWl
zKKavq8~G4;DJZ>l0L#9!Ra5$G`XR&TA$LAA@AWJ?Hpn@~7q$H$Z@^BD&@O?4?ymmj
z7K5YR7vG&+ZgWq30nP2JcO3SQyy~QBJ9(W`=Y5ETLg4R9-MgEXxH4%COYH2{yzz`R
z`m}=Gpu@(7S1TT@`ti}lk*!r~F*5Jl;g$zi+Fb;Dvy+_0w!g7y+A_Z6?i*UxU0%v5
z-;O>0-H6}r{y;BvgiBYnb#%XXM&%o|Wj6b*Y`es;)t+qW<4yFPc6Zk`XmSj``S!ZG
z_rThZHLr^zwm&rQz0$pC<$2cVyVW|1tFTd511h!V(d6Z5D4o0zwe{SkZZjwIv<e#R
z=R589bVO}>WL6gDj^<z3r8r-7Ig9o}O|M-a#>TWW8d*$!X;kUrF_GI6@r_Pvs$Bb%
zq&?<&^6flZeC+-H3u1cr-S3Sb-W?supLxKrRm31NK-+0RR?@9;6aV<a*Ds<ok5x4Z
zv3N#Tufdev*!26L-Zh2?-@8q}bY`C|9ZBem$y;2pwd$1i^9^{qn<6y1PIXV#yP101
z@aOL0J?VrQo9{GO<q`UxX8osm4?C)3ecX1wdUC2oB5+`Fo~)($kJ?U|x+hgO_u2iu
zhn0h~*6}rLk^bE1(pM~Xd)FSvbH`cF9~|g0=i;keZdn&7`MUPfFWvoT_l_tEZR+M8
z<~HxzzY^~&ClfZWoCd!{@W}eE;<ld`Ht4o)snx7fYm>Sa(vlrcuK-?~yBzIuGQ;VY
z;KJ!ezg)Sw`KERU%iAY>HalH!oZjr5{&LCv1`C0Y)<U26i|GYrTy$S7dVIpBH8S}N
z_S3UAnqaQ?rg$vo$X?58$&DTC3q1N_3d(P11UQ+ESP9DPX0@%q+YrZ_+#7jF?cPt7
zZATXxn6hxKJl)YQIb1osSu(n$Cq!fk@_85U-doQFVwqR=F&ule=d26oNwA=m{X-ag
zea?pVyy_hv>h>9#$CS7Tc?)?2vvhg)8OcV!e7SekHj@uWg^N$eyv2X8VmS8X>{SH;
zImMqb*>$v!gre6x36UDFF}Uu#iQ&m!E`3?$HOwo-@*R8bZ#<vzp1n8VhO=O~EAJu+
z=8LDemVD$tfNglMVlI~AH?i>5*>CdcpFIj}Pb?Zr{PEQ9d#w}4p%SmS?XqkhCT{UR
zq*Y_q*@x!zWz{Tw(WY#K@%tQf^fRkSUHnVUOMOoszF#yXJ>JqKX6SgXn1B1{C+E75
zT-x*Drykxg+HIz5>`N<uZ^?P<$IB1(1$3^(I<RQwmfn4ItUV=Rpf}67=Z2KV>;1o1
zC*G&^3U|9=w;rSKciVeW#W;`k(q&%;f6Ce=U3c7ES&6^lIPaC?X8pCtn>n4Zt-CKL
zKTs@xvoL9`Q`ZG9jssx{k5t&r*M6wezwjM=43quS;azgibKDDZo`m#seXpwaFgsTA
zrD|l$`0-zoEX@I?eqERRjwW~ojw>!JdT~a^UuyS*#Gh>z3gQm=?~OH;bem#7nD-*5
ztFJiZfB$`q>5Y5Zp~j-0b#EW{f9qSm_kD74ZQ=LFht`Iutl?bLHS|cbly%4P+v+|s
zT(Un_Z?9cwrGJCf=6TgRaSqY`@on0;7a_wDmFf@Lq8NYKu6<NLC?60p!Dk&_Y-YF3
zZ!g|S_SS>^e&*GStoP;7F&BN#_FU?uleSdTQ0(m&OvI|Fa+>g47lsZVtYAsp_q>RP
z=i=DLq1rVai^rdibMIX~A)@x+5$40QtW}u2o&DJgaY377V_Up<d$H?x-?+&>n8Evl
zHmq5{ZsT~dt*2aoVvx}a)5~uqX;<icXWFREtBX;~+HkHQpvgA9P9)igu3Y7ZO!T=1
z*(S5jPHU!$l{;RjHYRd^<#9uVe;etfOC&!R+m{n(<(i^7f8oPe@p&l@94~Xr!mHzN
z+JC<%xV_W<gN1*lyPvO8S)As^B;io(Z{Fx1K1j>No1={q;elJ?G%hmzdV6=54+qWf
zim0pK&nj|A>`{5;%-vqMcum2J)K`i@7RTDhC-jz{t?u2CwBt^$RpTe$*P@C1;UA7%
zGd?6<*Kub-*pQgyp;G_Ro4Iaru2(k)SdSiR+q%q1(C^0aGkaN&+wtsMpK32{Bl|(a
zUvc}{Z6S7xOD|)t+`n0#aQMQ3udg4S%W8YiE*Jk<nQ3f+WLD#H+4VbgTI}jNN1nSl
zipYL)5;R=sE#E)JFW)9rcklyEw?OCvh5GFWYPWjM6K_?v7JK8Kup#F1ir0DHjz9PP
zt+f2DO8kV(YT8%wzfzHc?zHVCH%fK{7&?40P|_F~UTI$5bBZyOG38`$&MpQaSMJ`}
zYE}l8rS{p+&h-k??T!=MJ>hWtwU(ht!*XMh`S~(B_ycQ`qAL^+Jx@-lTF)TXVVCo(
z=ODtq-tK1BiE9gN50+Y|1p3{+cq}&N$T7xe`aL0ew5xvS4!6%AIkih%=!$x^Z0YU=
zE=l)$=p$;H>JPNY<)w0660tq|p4Bv;<3WK4pO+f_>*o3%XI8;#wR5^A-ySRE?{;y^
zbd2I}G0V#p*`@eS@Wsc5MI9@chE8{4L>4Dkg!wb)GS!P&m}XQ|?d)?hKb&pe(uNbg
zYgTk--L{n0z26<oY2SV}m~XkPpsO&2k$1D;d-WCi+pe?*yf%CP_Fd6Og9p4S*OZ)E
z+xBJmF@1<vs{SS7aQun)^7(A;A6KnduJ^_1y$FvgowoVTcb5{mYm1yC^^QvHUGeMv
zzFh&X%&Y^=9UIJ&RSu;yWh7(V%UL~zP7ewQaOJ6#uD;{FQB*zVu4c8StMb#v(%?^{
z)#CS3wJO_QEL%4io1Iu|TN|zBqj=O_m)%6WBRF7lh?e$zd8d(w3y%$Y#lNnw=^hG~
zvg7Irl6vao(6iTXgWHLq*5j=9SG(_ydw+e#+OO(zHvdciO=-c{U0N}g4BfpZ5gbj=
zTgnUty$ijrNmcIl&9Mo6C~V5@IP}d_rK_U5(Oy|`$JU<B-S}jSL+)$hHJS=i-0XRe
ziCP?9`HewTB2v4dIfK!wS^*cAZ^~E9_MS~=seSa5=emYri3hZ=e9fxT@HuynQ)5%x
zXzjUYfx{1__T?f9sn_=4kqf<BtDZfoti$>LwA<#4dF{oCV`#pzwXNxsH7j3h_z|o^
zY|Ce^tpm-0`nL+i1HT9=pFDYu@65%=XI_a{MlQVi!dxiL=hbHJ1A@8lj5=J}hqm8c
z6?a2J^!Cc=jV&&NCfWI-I}UFPNm{vYW52pCyf>n}7hdfCbEbRYweTLP2+r*!8*{Vc
zNR)fM1C9%YTf=)G(!DVG`*n3w$D^pcUl;v0Jw|$99i&?*NtG@b7jiI$bf>;w7u-vs
ziSph{5<z;gtHGD@UWvU7I3dh+-~UGYIgWiXjNt5l^ZRuVUgp_;@Ame)i4&~StO;iF
zDxExU?7~-7*)TD3h#Y!thhKDJqGH1PaP9TYaf&iruM3(?&KemmNp|5{T)gppbnn(!
zy?{0TV=PTei<Z9?_g>O>IU#jpXUtXAoK5R*7agnV*qB&!+f-}uhGggO>;JxA_bn<n
zVGRH3+3~2`pbYbr``R+Schv4{U+)m4wVw~}YdKJpftT5m-`B$T>+%t6AU&@m-Pe+I
z`)w(|m(f+%6#A|Y(#fti90c92LEo?Y&y3Cded{iijnXgeAC1rCmxiccN>BD5`}x2x
zC*T-OXaf|6<d=Cw$>5kk#68?$D)UQFzeGX?j8MOPN|i1cqsiQilA1J!9O{nbm*l#G
z_xvQ?8SHs%bZE2sW1Hcu&*cXhFHHX~-$!J;vfsxYE(T?or`S1L?>$vJPXIf+0Xwr>
zf$?yVg2?R*pMsO@j6;9^`z(pXYu<+=7Cy&{#_Dc#n(GNWT!wQF#xT_1<x3>-cTFFl
zPa5kWyn`6pwVikx)W08)Y0~pV^5+QW^?Inu)EWFora_d{r00oHCRJh$q-Vm=cggjC
zf0L@nx%&r7E@v`aQn|4^1j-bTp+o21!TEQj6a<cw^aA(M1O|LaG7;<x<)QS~k3g<T
z&lSkV!4Zi8V<=aV6op^8CCYV<0)OS)kB-?|66t;;vH<lJ(oKK36_jB{eSnNE?)JcX
zNH^~oRk~mdi=zZefSWYm5$cQNuOwM1^<|4V2Q|HD6WqVa!Y8#<dH~LapymU<kUU6m
zD?uU#_LD${x+3WfdCP18`)tx0s_{@z0IAUIkz-})wK7t>Asqdm`w#hI1ewHFwXOgM
ztc{Yd<iln!G~+GT!*l-=X*Ry3Fc|huEV7Qo*MEX1SO?^b4P=tOrn6&;ONFvyzh53a
z_dk)Q^DpRQdHnYXvzY%Aj8N1uogE=xOzhWwQ=I-EEmE^1sxN@;{-cacstopZlznN|
zRffrZDS3>L&_m~(P>$PojtbH`(LzjWHR%~`HnBF?m+l^CIvftlFjMxWi2r~I>`Mzf
zCikUIv}hj<`qF2F{>^|CPia7-fPJX~u?AA?A+;4!Jf)01fBO{38<bs;cnOKeU*H(b
zQ+WJ5V2bhx-ycJU$DPbbJem@oBUh7nghb$cC=Iv+(sVpN-cUyqIxM)Nbi?NUn8!68
zu)n7kAIbZBQ<Ng<AM_;H=W~MpSi}+(#itxugdVZ^^P~=-+duo0pV|?0Lg^Pbf&C`M
z*vWo@&RwDA7tZq`CY<aS=_oG*Jl)LIcX%Ht!#o9N`RWZrolip-U_z@3l+>g-9XQ|@
zeCT0<h2bt`jJ*{7N-_hHZ~feI>gtJTT~~s8rGqn}+;9sM^a=j${ge44!vKiyfCcIk
zFDCnhGr+=K+VDA6o<2%w3V$RF0BeJZlE2ptbUL3t-H>_P%BGm(Q@eh8{sJlaBe#pM
z-gj#H>(Umab+!fkQPm%OB23aB;Titl=bof?CG}0~lHHfI`KR|XOSqX`4VcWIB|#`u
zfBAv~ll_KVe-Z;5A%8`p6#BCT`iq9xEa*EV1?f@RWozi*Om^9X+6As*BWtV91iHX3
zDFneL*#*i?vdeUGOS_idG}7{J<(7><ev4)J)bw(90sdxaFF&Z-B^uZz2b~KvsULMB
z(<j&NrXy=W8RjYNMNwarf^I6Na*5~i?eOHe&jnhvhoTO0n<)+ipt}7|rrXpyw?*}!
z9#=RQh}Qu0LbJ{VvIccbuOEFes&cr3dK#w2nRF-~NU*(z1G>}C1=1Ivf$o1~E)d7+
z=E-uC>sDeQ5b{@qq0nsu&}|WvTcrxhNoo(|bAgP#TaL^y7ibr1GaOaAK<?`YAYJ4?
zHWw%&!&B@3=3F2HGCWWVbPB#mgTPGL)-e3~i>dljQJtGm9qe1J3C*^TfCo_hPWnfz
zXx2F;<a2?n|KYhntIzej$afx~d27AieU;S4&q@rtE(u52-8(KRrBvE%Yy%MkAqvet
z7l?o%W*%>X`h)byV}R=WmYIA$2=&d0$-XI6x5N{V&iPSlfodc9Jo%g-B<<;u8Rq=#
zhI9+=P^Am(Ll3(j<Ucp(C-v;bDL(%baPWU)&W~H5<_)!^l{$qT7lO5nyEu3B&kI>T
zk;#?OS6K6;;rcS@CxmD>dCm`cY<ivfbf(y}grdEiMJ!*`okDM0=N_B3W>eHb-hV0%
z>_L6$E6L`F<*l>sUwPC)J?t<x*%i(uHXQ_Y%n+NFQk8=p)T1#qHsui-7aE%~0NrR%
zhMBTIK@fe38R){;WC#6~&df8M&KP`Tb}gLlLz@Zyv1EnQ;_>0M(jardqnONaS_WJ=
zEzUcf76H?P#^AGhTKEfL9ulMjW)A6sc}QB|=aqz?C(lC?!Y_n}u^BvgZUH(Ezpeh;
z{RNoNnMXz@+FC~7dRlNT2Au`~Nn<m^X@+p&H2q&!jX&RC>fn6;Il~2^3I1ok>^_PK
z2f4eqgbHLbG_9(qwdFd$$07BmK!55*m-X&+dBe5KKCU%VR=&QdM>KDrs|u5lP+d=f
zmFy+|?KM}Gm9&H`PE_6#JF{)D@Qj?C&0F>3i!V1jM1)E1-oPP!hw<Y;mI!+g!ajN`
zPfgCgxcOI@Vab)djx~!14C?FF1o5fpO_-jylXfrqW*jiF&B1ovn&_iD&4wd>*_k(S
z=YD_V9n`6}W!36chstG7?ah>Bkiz&3HC*5S<-oe-wIXg6ui2$BlA^Q`!bLf`@vXi6
z79V&T=yo2+y=Y&UkhH+(rR9@_8z(R{>CYsM-4fp%vkbh+&{VY~!JtrRHM8}~(S^H1
z%hS8ULO-&MZtUy1q|bkRLc!)%ES)G%b~lspjZNIlhyBVGNBlh&%a?0g2#$7|EsXTQ
z`_Wl<KNZ7?aliWUI`~(mxT*cngz3f2FLwtP-pv&1)rnDBd*fMUPoIBEiAa2cs7%j=
zsAuDAT`g)hrHigMIqy5T-}V3-z4JUqiEG!gY&T2Zn>Q3D-F|JQcVgaBnzFPb1}2}b
z3@_xqW?rA3G_fM})|k!yo3@J<%Jb(-@+eDuwEN{%QtTDCL!tT81(mVU9=GHN+_{}+
z^q5b}HC7}obGg@%Y1j8M@ww;w@;LS%n>=+I#yF+)g}3%6smXOQ4Jholr+c{d%}T69
zbszt+e(yU1oceC^sUtW&zSa}6`)rmKa>x2CE)?2+b%`eH;`kC7<zCJjneXCX<E8HM
zr{*2I`>5u4gpulsLuG-c37Vy@`symLF9_{gnvV2vbbb<cd6{zeX3h@N@_WPAKE~l+
zCow$ObXqr+?ap&erEj6)`qz2Y^4@S)8XBpq&G+?qlUotX-V?mvt#|9r2REy_degh!
zH4X@Qh<~=aBSXtPc8xZ2RiB#8eY2QrU*Zc8<(T13Y9(65#ln{F1s(=HU}f7Fwmbjh
z&Xq<5HyQ2B@7$L>$opuY%OewuhIwlaIqP@PGOcRi!83fc5c@Fy&B2_L?|Z&o{rPNt
zyXlLQ<!6eY&eJ$Lj&mOD%RS_`&Bf5cUSA?rOvLSMUD>N&j4_qRT;#4A9Lc`WrxSAj
z<(S0q2**IhsS|RF=a=nV7czG6ou&RzI4<?IS-Jfp)^$C%_5^RtS#afuSl`O?PT%jB
zUET1(>8y|<n5ee)qRNe&x+Z5evr{9b)*DzGRm%pX!{T0fj&3u|OfD}z9euhb<elJa
zFWyL#_mAf}dbb`PsaE){Ewb`sgz3-6g<YpjKkOOa8!6KE1`}?7dXV2!<I#$-+Cdkl
z6rN++LO0)Ui?`UYSfIaS|Al+~564+5JD<2-U07~j|AQtbJ1i9+b{g#lGQ&>d!eT~g
zA9_e#W&99yU*`jZ?X#fboziDdZKBKn{>3Pj^S7b?HT_n$vv(5~H}5jt(=?`A%1~6q
z!5fmgvnIHao6AJ%bno?RdpSgZX&(8Ub4109-z_F+WlW<ZhrmF-{ORkW$tC%mK_Z^#
zliD29166-)XDU${mhtO5=_Jr`b}xs&-r}W#>(nJTgtZllTu9VVwqwN4&%j}^$hk~b
z95bFVot}mkSq=I>@Nru3^>5H{(F0-N1-g^^zbsL_FroijfafL7!(^kFhnd5{$0m<g
zP{FIoDd6Q5Rq;yJ=jgDw)pp!U=Q;7<3#gn}3<nm&i^cF^u@k#5h9%;|;)sfh#)U<l
z=#qGH>F1tp8yUBp>CXM#{V;9o;CROd+H=ljOWIRJ-q)ANVCx^oNxyJ!O=LbY%5cd3
z#QMWM;qC8!=d=YW?^(Unbkq3Jv}2radAPo@;(qR9Dj2&GA5t1sAo_(x<Ny=j#$^>@
zV)NckbS@lLG#xcQ_R+Ax=PUQAL5>$~t!EeZ1gLo|r&SpjUWC9H1w#@!W{b|Dh=JsB
zR$?F+jk9AEaaQ9+U8*yTfxGzuxxbhV5(f$1pUIwodc+HqVMb#h8C^R2fsj8j5WR0F
z#%}`MzcEn3E1YgQh=J%-Sv0V*W=%3*_CmY>)HEi88_y}guA{rb(89!2#(a&A@up2$
z;yK~CVi5fDK>)i5PovG4bamz&j6eO%+iw;MYj1j7`taE4=#|T@x4E{Qjyt?#S(N#?
zgd7KCd2e{P$W{lT%ypfZw1bA*FPS7I40mJWD|CNn2E>k?*9;iYJamTX{=-cY9}8~%
z?mXY+B^b6y%PYj7GaHxP&c3;&glWwQTK(LGG^<AMz7M{3_*oglT@3}t>QH7?%!_4f
zZ*6ff$Wc5puV(2!mz468N4d7o6EU(ey3<}fu)g(tk;#{hs^`7sx|o%Yd?=4w;NHW<
zV0MS2?Ud-S&1SZpgH>+%&LaDQABb|j!lo|i-4q@zv90O0E|0cnuKJfx_J!-OEPMP?
zUduc|rYv>d1+n^CorqV@o_^o)#&1)^-W{v*!|WB+o%Ct!tliIawnj5!>k>p=YzjC&
zKiM5+w!XcW<ILF(mGaLk-am^pFA(T(A9yHS_>D7LuQTZ!?b4$h8UC7AXaq+hu&Xu7
zb4Tv*rmby0c4LdRx*`7ixKs3!op&?)qqpb1s_ZMMD-zFa>NxqZNkekGx#Li-YwxA9
zZ@e0k$%4vFqut#FgAyX*eKcZ+>hG@gjJu}OUu$_mvE`0InMfedg;l~&MZYD!D>-#a
z@UHEcuBOT3<rxBx3@+Jqx8cs5etd}k#(hEcL8+m9Q>pykb*p99v1)4U{f>MWy2#|5
zD|Ed1;3=_BgKLslwEG25Zt}Qo@3oy?a>-u543%{$=YzY2em``7X7T!9TV}#yoJYeM
zo0cmAr7L`nFbv)|F!+_beJF(gDDR<^QDp%h^*xG<mS=AiuTomo$GC_2%f_Rd-zy(B
zFRooHy}Rxz+x>C<bE(`iMiZ=TTUTf<?um_S>eL>_4(@p8QJOa#>si6S?Z{A)RqKhO
zjx^Q53vs=f(z|W1pGux^QQEwbc40{Wy584?ZrO(yYVNHLejioCc~S7i!N9E-8s%&v
zF8(~EHXQOT*w5-zbDy4vXvn!e=`uqjhl*DlS>%}DA~7<hA1dv@H?$YW?>myZwxZ@o
z%e#Uvj?!NPQkh2#BXkyiy!+<3n0!Ip{A6pNP($Y8GbL@G-t*^irAT0e6i0l!kIB${
zx?C3fR!aTZH_=Nc9qL}#)n{fsY@RP>_v}jB0neXq4GfWqPrrU$$(v~BuHskrCbxt>
zV^6h~(y9`Nwj&S97UbC{bVVJG>#U65QogQZRjPN*13TABHOozXkNbxFH@*ISrhYW)
zGwWcK;XETlU3YK)AR}pMT@&*x$4<Ju1Ey>q2H6{w>ifUilxki-TDAeJ?XYW^W+2_|
zG#uxE-bIFCdHitUx!trYzSW$qD{qY`31fBGlKTd`-5|)!c+;6PXSecSFw3&BHq%sO
zun+#U=+ntsk8hmA{pnAw$|E>8Uv*3mJ@+6~Z^=E}@#~lCVq6XmD*3&_cf2SYvhAP$
zD)UGb2B&{uFpYIU)ia^AR*54dLpgUZz3Kjl4W=g)>YT-5SJU6Vs$p+?W!bfklecKQ
z(|@lOVpJ_VF|ydR<=Aa0j;~?easKzS1|t2R85#9#S|C>4mK%;y2O&$D5JJK+GT?ja
zlBrQQ`Wnye4vAW)T;ZL6mX7;`l4LB~odEgm>Rt>I+npmL8x2zDX{3dheEQV#{J@jm
zr^ukTile<Szjv*_HqO^;p{3`${Ak%IpWXUnBE2FCVgB@yk6$HEaF*aQR?_g|me%UV
zA`W35_sp(EH@uJBcwJulV*Rm%=<A2%ucX?l=I)N!lXCICfuvO__z-ZO+EIbaV;Af9
zg?sG1*WTSedc|*Rhht#Wef@Hs=kA$Sho47^#$v*|AFg=zLZXMC?auga-xJth2gfb+
zBLY;$9TxaMHcN~&bTV0c)TTCOOhn^*gl)<l&Fg!4%IGE5*`7G$bo8)+o=BJH5BWZw
zs2!Su7Fo_>g&Tv6PMo{fzLw+UXq9X5`E5H~Fjvl8es>t7v3vKAMLjnXue>g^0^ueW
z#2grQ$m5(gh(|Nr>q-5IM{O|H-9qnKQ=Q$v3i?gG*CVIvJTu*8GtlLre2zv=_dO+D
zviJ$+I_yK^^2p@4Ea(T~vJ2$buN#Q}Coca3boZlle^RB(4c;(3NKO}B^8*gRcz@=?
z(<5)dx*M3O-1ACP=m8zC#%I;J3IB%APl)S)E|5P{``6b2nL%FA1Xk`CldS^+cf%|z
z|EYCA^k5wjjYBx|1jRZa=01El^G5>406=5XI-vhTkpDuE|3Z-eLXiK5AP89evk)x)
zSwMs!^z2~q4~yxxOV=gnlsPOfY^pg^9O<gS&(<TUz0K*UVW+BCNaNUdFH0UfT+~>I
z+{buj9(?bM<Cvsj%r3vc1EJOQ=U(^AZ;(?`QsQjeB`KZXFz?F_hW*9YeG%?)PKU3%
zEvl{8869fkYq?%k$QnMv|JzDw%bvZ=p_}vX)s?Q@^@X?UcAKZ$yi=c($KF~r&2tG^
z;1*&lekw5cXOKibi{)$ivf;W@ERPzV9;(Q1p7#@Xlr6LKO!SN4?cDCh!sjJ~`c$N~
z9&p+FypioZ86)A!`NKHNqy6*28$F9o=si?3-%`wG9-y}1(3+FWlF#rAZ5ck6E_E?4
zy0-MQ*(NsQ*E_6Miq}g^^jqKRm6ToUWxL5lu}r5#Df@VX^u5ot%fDywOC-6x|Giw<
zu<3Ge$?wty$c2|o8hz;;4rTZ4_my|`pS<b3$g2}ivn_tXk`~OGcIj1~6>J-p9OD+P
z<2`Zk!sSx#TZu;uMpTfS(w6HRv00lrRU1_HI=^NAeru!4@po9qUCCl!64b&Kjejk#
z=;_$8$#=}<6#ICM_NRcjR}brilT2FZggJl2zKVKbcQ$-Gerb!7b^*)sb(>}HSuJU`
zPjdQt;dX**biqeI^%s_A;bWLH%g@Qkg&j(@U#cu}>wC|pO&pJcOO4_zxunHKbRMgm
zTE_Wx;R?aS|6hAw0uR;K|371GQPx5sR3ge`r-T+th0<cHh>A!;q$spWC{k%9`x+%}
zN))A1L`l0=?UbZa{LkmkT-~{I&3L}g_xC)%|Ns9zFK6bSJNJI>XFKP-&vDM@CfVQa
zs=Rigc_(ey7ZKl<m$cWZE}N&mx?k)5SbkrdR-MdKyV`Nnbe*d*GW!@9wX}CsglQdD
zIy+?R!cff(7qbV>ZrbE^f4Q@|?6&BOKN~g-uxJvSb#Lzgkvm6?8#i`X#_ezr+G`@x
zIP2>1Uqi=Uv<#7$zd*;zp(eU!s-s=*r>Alf3RmB@cKjNB{C>QKL=ru3!naWAo9U9y
zwH4WBM)e{gLD}`1Sz`Kv41VKb`qq7Ksa#cAzJ6tm#B3pjSJNLh{W^aAzQa<6=x@HY
zj;r5I*y)n6-A*+4@zW)l5sxNpw7#S>p^XupF!0URy4q-u9a*PcrPP|k9(=o3C->~D
zxOvHrk6%K!I$M5fbDg7Vdxz#u4?U;szt7{D^zn*BOHUh>q_xfbN-D)qGg{k!ZBFkx
z@UnTdj;ckSwr-vKn|*WSHSdIGf9R5^wyV%jQhu#5*4BvT?{xcuj&N~girBcP&#Ky+
z)a&G*_*b8a3K@I<^P>$BzeR0V9uqg(FtV?9lv2mqrg1te%0w2fSaT)5bJ-q=xYa8z
z8YFL0?@&G0vdE$HerE6$n*9Yv^3aX>vpUv{_SRh}vzh<q;@Ml0ZcRFP{DH~TPSbf_
zk9QSE?ut40W<{xY_`H6GYi``0aN*I){JN6D2g9e^`JK)Vh^-p@y1CB$qL|%I{_hcI
zr4#x_&<z*szI&WBMfY&$wsC%`O9J*DJAk%>P5iFgoVVvnq)n)U>BP1l1tu;(mQ0_%
zI468;xVl5T_m#`0qbAN&5nh}-erMu&vzcC&@iqxf5$@|_5?4iNhe()K-p(2tb1){O
zOMX-RUYl&ShhHlv#VsGX*yWUo?#Rbc$%`}YP2sD`Yk!)uvE`+%?(ruF^s`H<ihrLK
znZMb4X<=YAV-e$_=^T2=kG@JyN;iUJWYS#6M97&4wzUhqDvQyb+v#W((y9C6w#wW4
zS6dzIw|PAEEi6cT{wy{+Ds;r>_vu4)`^7!7sJoM6I;27WVOY&+xvbagj^vDvKdSs&
zz(exV(pwq@X@<Mf`WPr2AE>uBUTL_HMBX=#J>R13z3x0}S{Cl<k+fbn`-;YccZxB$
zY?ty0z38{$$HKDn&Vtn%ve#o8Eb?q`XC|90yPdV;P06X@zjv$KmU_u7NUFQKX<vZd
zkSz0lg&&T@hJT=Ej7VuYJ<@a9)z~$@-(KAR*d_g1-KNiuPGg&T;aSc@O4bbO-)7M0
zHogAHHp|avYO1rM#=U(L_&P2#M<wo)%>lQleRBkdF7sS|;$~mJx$W^EO<Kxq*WLP@
zYPqKT?1yRP**oabRi=CU+;-mG8W3>kh~j(+`r>1YHfhe^aO#cy08v+IX{lrG{DuQZ
zyB`=3zOTY(QOPTl8i7EE9~~;o%9mR!q_32`zSCPd=4f<j_G3x+Gj0AQ2l!pYJ53rs
ztf-zd<Fe}ZrfG-Yp1JfnC{R#-iTSKk;W-Bec%Xf*r}y&BHK|(MfBWIaSdsd^ZO%qB
zW!m)z=c!(w(6X%0`?MdUJ?2K|B-dGw7c}TA>M}Jn!R*!XkCzwKetwo9R=m)9+8NKa
zGd5k{^6f~c^oN`i!dp#gMYEqjHd{C9N^Y&(&XLm>x+%s)DQKSF?R@`4#-yuj2Mk~C
zd~8*n@59q^M;$XPKNg-9bn{+xY|>m+FByh_d#l622B{@SK4?_E^^>k!e=mQ>RmY9q
zfeVGtMBfl@Zb~UERn@#I_qo=y{CUT>XEL9zjd-0lX|vOgfzy|{jI9hmK2y=Em~piv
z=aWu_S@~GOf$1|wW#stAVet;gW6Zd0(ioF{%od7`t%$KH(0Urh-zr|lHZW!z^&W;Q
zFjfP)#C<--^^YUD?DGi&y7^!5F&m26^M@{)OEsGdbbG(gXC!N%&&At@6%u2Aw$U^m
zcEs;-N{2O-fAc<{U3H!-9|f9>pRS_(GWl)PCW|e8!NPAozL!+6YSS^kQ~ag+?EWFf
z!)mT>QEgL+Nj$g8^>TmbX{Pkyd8xDv_rs#bRu{{vZ<h=D#<-sh-p?PnC$mv{<g9I-
zr&cYy5^<(_)v6hzbSqtVW#nAB9Y62SKA##;2ud(+y?XC)<S}#%nPc3VWT8nlZZ)>4
z@KC0sajUrfJGhPJPaL;$+vkJp_FZYk;Ae+7{}74JnNs(0$$F-4HF~kn=g*EF8V%$i
z`(RSYQ}%fdb{`DKe6Wq(SCr|<2P?q`RaSvGxDVz+0VU8=me9*cE_-@5VRYd=+W0y=
z<by1_$On%ZVT5|Urw7;5(0t>y6TihOwkX~Ca^hUl+1~Bx2@`%9c>+BUGKWo5Ef|zG
ztwj9JLpJ@F_w?YrG6pM`6zc9e{>Ibg(#(}NJPgspsrGZM1+G}>&oR}Wo<`PHp#LF#
zUPi*AFvuJ-6<Ca;l4;_UZkc{!q&5@%R1mcZ2H5F8YnJi#sklt#<BX=|jvGESRBc#d
z$F<3eK_))dJ;X0w?-lYw5gsAVqz}y%-PVXQ*>4Xc`Pk;?*!^}h=3lKO|C*=bHL(i$
zt>j1<;Kq(cm$<j5T&^jS%if+XKsR?jC0(?3NPaTV?fu>!TyM*B0!A2%D8Kn4r*ZO?
z!eZTj_V$1t|L0NyA`NXQT9k$*@}8rA_V%z8!}<b!@uQ6E3*U1Db^D*aJuD@WzW#Ub
z?fJ^$7W#@fdDP~iGGwf;AhxCDEeKMhJvj5&+dP%eSX+wPybR`2Keqjh&{sg)4@r>u
z)xDPiZ}U#8+v!;UQ1I|~Y7WsFv0W4X6VvTqta~WG#MsY<vWl;V(y%ySK!g1fkd@qj
z<RO{a`VZp%2vrL$%Kovc!edl4;2!pUE9EQ>K$pJ}-DFgT%+c@0TWE8k3+ou3V5HoM
z{jM0&iUD?-DFqyo``vcI?{_~g^y|ZaP^e<Q=}(8A-V4F0BjBB^8^*Oa?7AWPgKEn*
z%pY3V{b5wJikFE2(v8HhHNYX>x1NUrN}!vsdha3+pkv4!eiqddfzjPTNf-UkC(j&i
z<9wep?q?tcB(iQM^L?_Nx8>89sQs;B_FoE4|F!o`Y}0=i$rfv#;4kzE7CKaRH8DW`
z@)==7DTl4V8C{HMS9k{kZdYOW86`6BwPMC8X<K&hN>INTRBb1uNPgc0r#+c;@K0Xv
zn^?O*M?y#9W==DWK78u(?KyB?Pw$kYy0)ix%28d*{he~)FOa}bqF%h`=6~BUKlw!R
z6Vx7=&P4tvF5d}saQ`EYNj!#r<TfUW#OUs)q>ILGhnY<#+n5Awi2GkpHndLA9#_H7
z@Ch(lI%N8naYMurcS*ovcLE;4d#hMyKnEWYuV4<$B!d?6OA`EzcGyCf%HK?9R(PmR
zMgAsf--MAOy{m3Ox4-paJ&EjZKYlh?sDILMj?3pS`6%%qll&eFUjFvyJr+cJdSCd&
z&7M0jy?<cWyXsVA&oa!Oy1*=MPeoQ20XllF-VzDM#taTRBDPa4Em0WV;gocdJ$IU6
zN+>7R$v)^U7Pvio(viubNn+b+UxQu@7n$|iHgR-s-j7i=14XT*Ir(__EOqkobMf<|
z&B+5i1$!%cN>p`=A46eOcYt2NhwKRYNz`bG)I(*+<i3cmYN1EzLuC~nY6HNB9DK3o
z{37b7FWR|kz<NC3XGmlpidbHpu)tk-b;IVA6DfznRiVv_VqS`U^70{s7x<z7hI>Fe
z{wULF8mtnzZ~s%~zW)T>{x2q`B0-;+URig8-<@|ydPQZ(9Q~MTOEl(p@7VoLZGeiG
z8Thl<P;a;m_vc(FpoICec`LW}DF&mvhmtOuhe+?j2$9;S{@woElf6vp_j`_vjrwV@
z=<%s7*HRWh`vkiGlYmEZ`?STPm0SCyPvu)?;9D-pw<M_Br+(eO)sOXXvTxmP5V)Xn
zNq4YS+_}_-c6#F9(>{$4Z{=psotWO=ko4}N;x$PR*;8~#Ixvgd^AU@4u;)tWZ;|Iv
z88U~T<hJa>=o0shqd71&CSCMyiDl*(sZe75>x16YfVWRQ=_o|h<ekx&_C$WWB}Ofu
zQx-z|#K1@~Kk#>=z&WU2GAJ{B9lZfKW&0Di`O((<HW)VA*LcJ-?*N&={`h4e+iI6@
zkpNa9liL<rjfDY~{U_-m`Cftj9frVdv{a&OebI;<Z(I6fKXbM%r#eb>or-1R&Ww5O
zI!yfM9cWv0Sl7Z=Z`&5Q2ijjbl<BC=heRoR2=)_28(`P(J2#(+#ccbU<TJ03&pbgs
zGf;Lt(8Ya**apN0{ovLH#9?$}De0njRgB5U_$9RgeY<_8C%vAFxp#G!@SY{(Yiw>P
z4$*xNZ2(cPXq1o6klTP+>wa)+0}LsB;7NtYX!K4XG#5^ZQTlZIfCwfEg%4~@DQWJi
z3Me}7Bocga@uI({4LCERgPT2fV|stduJ_S~DqfRqkv*kkFcaeTY-Di`_2h8uFZOv@
zB1S1_iO1+VQqo1^2G2^26x%#(AN1}Fybb6{N5A@~8L7uzD=4~ol;QtzcmlKmM0?_G
z0DC>ao)yYsp6v@&S9HD+odX~Ejxr>WZ%W*+$a-`PnWG)3v=~q21Cwo$50rrqI7q;4
zv_tIefN-}DFl#2K540^ZxoB1QB-`WYF|%_ys*cbOXket6AH8h{;2r^#rBLp<4Fq{X
zZm=&Tko#lTZ*Kmw2ea#Ql3mM?zqBHMk(Ay7bZ~#coQFmCac&p4`o9;WON=dr`i#*`
zx(Kt~QvkX&QvDb1_LrXY>AgApk+H_n#lgq7sp`)D_yX!bQJ>WHe_LJ`xB5SU()O(t
z9_kSDPK>(#3w7ImASMc@?bY9gz0~a3HQphAoaw;b6W9Me^<UvC-wwcYkU9El)s}sj
z-W%ENsXj=>Yl=JAb1*i|f!mXa0e~*_|ByN8=C&kYbV>D}MHkuAhiL>71`z7DXHPmx
z-QV=g?z=<GScPDvj!PHMbHf1O|1v1!{tt|DCL9BtWc>tnK(dl=M;t0c=BWFdEsUw`
zKLy2VP~VT){}x8dj#&4F&}^XrcA6RE3J%E_aHD9ZhOK#O{wSLOhx!x!zXR`(IO{y{
zO0Ku!M+Ldrc|T^4CnP)XM|MUbj};{cVW!3H+<-lo*&gsW3hp?C%8)tioY`^!qq~rj
zF4)-sBgGa&4|IXI^DvhTiL8qbr`D~9)hj1Ey)vo@n)@?m0`s!J_zCim^;L0Ph+SXA
zc?eaDiIg@jukg^2MfwtDpC?UX@ddu4KlA2}4X6y6!*_fvW^kbk?_I;H6Kx97cLb2W
zWLQst@gpR%z9uy-d}Nn=_N=E$n!-Dij%DEc%-I;S+)_C=+2tno+o~<8m_4zz|H!6w
z%rz7mvMOFvMUdPQg9ZUzJCuQL63UQ3?v=^6*ySeD^=V1N=ti>p35za_o8DuDIOLYa
zPX8GTljWxI{rELjs{f~&6|Xj|s9q<}E_V{^Zs6}FnLnbveJo~D*=4E-vNw$DDD49A
z0dTuOzXA#PgEW%0c0_qvO-R|b$qzRc=4JUDvA@jDALtPh@b~j_4L7@_WBR*I(w_^m
z%UrOF6kETWgi&SE9ew6DH@jqDbR#I~BD+|?V1mZ(k03X0m!9NqT%R>VtxC4Gs>W_b
zWXZCcp5;zO{IT^<M7yY3%mV&UFO7T=c)Wz|mzX*i*(Hm6+#qFIVB93cI%KRK65s8n
zlX#YmuHdB<`i0V_aV>B$7Mo!h8beaX^l^hrPy(B!(n-%?`aHc4dOHwJM-baXa%d*v
z8-HJXN?~>4CG?!np%RL;_v3qd2GK8GqGzz_hbV_?;yFq=KBMPcMt(thcY6}XIg@u$
zzQ8!PxIsj^s}qa4(1ri!IANrwcG=FF<O_!~woF9NdIE}Z%B%^>G(M}jiZf>^GRBV6
zqVb{26}84P7~O{^CMJK{DPnw|iTr_a6!Cp9-O@)0h5~;F0bdYxd%3hp%Lv}hyvG@1
z<Zp=YL&x6rb!=ef{`JGYm=}*=4Ax_qMhRo&p*3damiaHEA-<1R>8VrR=o{YkMW@}}
z_1}thLZg8$p^YZS_X$8cWsC1ausMB5;(02YYZ(<*CtXBsprnH!CiLGL-^cl1j_)IJ
z(@OTjH-YU^#VO6-9{W65CPG(G7Ca!%I3eR|{b;lZ%>97e@XhO8UkccDf!G^m_0e0s
z;4QO$=#v;95RdOe^i4GZuD%(D`KANAZzf$VZPM0&_g7D0f}b9J6UVD~UxG17@nMEM
zObktQ{Waf|xcT4rO=4SWB}{5diT!|%#UeJ}bi0&FvwQvcoEE61_px-+`jDPM#3(u~
zr{Ng|C!wD~xeo2cPjy`+OGnSqhFChfy=t%P(KFcEYoZ*g7K<t6&_>VU!`f@CF@^RY
zeAtxb3eeXyA-amF44I58=@J&sT<F68X_@Wy>lI-y7-5YNz6Oh=(=TNZLy{qm1&jzy
z?kgb75KQ8y)4Ni`&NIT!;-MnMjt*hSzz!JtQE`Uo&;c%PD?PkD{QP}g{8#ys!btE6
zqeBrxBAq&{gvj9M!!l7Y9xSYcGzuuOo{t{N3N4X^!W}TMO*v9WB?QRf4irIepg#?Q
z{(?jT<NBg9WR7u6N6Q(|Uw-%h>R7htd;Pdr9<_Z^R?E>{G+OnBuqsB_weIbW3aJ?H
zTI0qsP)56Yw6z`51o`-B1=8tAU$R+jVHUD^DJOT8z)FTEV;a~;GTBVPgkj7WiETYP
zsxVZJ6ph1-Xa%qvioC%PN<y(ey4Ev`p^U!FKt+54H0GgLa`&Mq9HIm|0$mX?M?TUO
z7aw+^^0i`l<imGu#L2NwiFMpz0IB{F>xPcS5)$1sWQAegRlp_pI!@$$H+lve@5DN;
z+JfP}f)Y|4zl-dw0QGO~1b7-=|A@S&ka;K4)oD2gycZlN&`sMIoYsu^zX@%}ui3r9
zde_Lj6ZNBN;Yz8Wo9H<$Hev#N>|;`5+_<}lt`D*^WRA9DiG>>%x-tTM4!NKcy55R#
zx)$1wKbFvXxH4QAGnqa%RbVp14D;1wBLRa;^V%2_ZcLmkB3i3S8`J2&-alx|Vb}co
z45^gb9TD5cO;-JRYJ$tAm--PF(qA7xy_);}e!Th9X*K_Q+aj62*cO2u$n~p@Y-ge`
zskUI)yWl**m!KbF`Y4*v^`8m$z<o3nh@%93M4o71++tLQOm5?ZX1DyocX<B>KH73=
zn2#{DajbZ2BR#`~lu)c0EF2mZYo>p)9z%zr#cY+-1=JX$df6(GV$`trB5ds!3Q#i#
z1*ow?0ctFntt(s0nar!@MA2y^(7gkhjU{RdQFJx|8j8;L>({VCoxL>yqYsHiITX@<
z1^=qr@XjS6eSC5IpmfcPGdgr_PFf~-rOL~RwWpacaanNty2sWVmImz~w~AXVey$k%
z@#CTspXBKqXVkCLUVX%J{4%<igy#F~TX6|19y@)vEjuEbe``s=jPjobBT`QW_}mpV
zza^K|aL#|b=8;*hhA#|_9+zvJHLnjexnH1n*z0FR(7o)dm-3I_7hIP(R5kRtn)vkv
z?=OcrUR+)}V^%*kt3aWUkdY&-1)W0H1qUbJiE&-uCcVV^&Vvs1C+VLjiNqdUo%`!_
zi^*IGi_8x9){RStm&RJp_A8Z(GZ__Xwb}lJ=CS@E&*sIrNiA(zlX>rRrE6`A#Dr}n
zl`974c9mIu6mac&cP;e$ydYtd<^`S`?=7#^ZNB>armK8b#8UV5z8lW0nfh$YmQ0&v
z#UCRZOEXuvpBh$V@ZLF1;)%)i1sdo2Zg}!dZM5~b0g(<1l~qP+&YkSJ(JNfqQ{j+R
zdSc_7Nd?W<`CjW9jBQKKa#(Yy=!Wc)FRzB2n4SD#R>Y`l_oD86F<IgEEwF2f%&HA<
zB;UpTva3tod{;BTz{s+1#lst8^_1JDAC{9%7%?q-r{#}%x`}?TkBlwMlgU$2WH?+h
zs?)pC+VDZ^nYo#yZ;iLd)=AqI4|uguyUqJ?_TJ&ot#g0Mre%Gc>{9Sx`X!aU<q-wZ
zuHi4A#%?jW^W>V;`*zvlnN_E!@-LgU@s*aG>WU{*wU?LI2Njw=8CLnTC^BGEdUI^n
zK%dJOHsvZu2h*kx-@%`5($>GN>X49ri{&J>V{*a6zK(WP2;OnR(4|-<Yw`rOuq7Qs
z?#SpVX%0K=u&88!>RnZf(7qnSPvyUemr`{~nY--ZazUwRyGvS*mJ0_K9a)jKe~<d3
zM>PLF*R)>W@apvFAHx6I;z+|ajfS6&k&?P9nVqh-<%=iO=bDO{PI`aC+8}z9_0i#b
z7A&}NV!lwx0MWiq`o8Zbw#UxBTQ6p_VP5&QhrTnFF35Ct#QsirFz>cgrdq!NMc;Sb
z*Z84s9r5ve{e`xLL8g<+mygg_R!-X<m-wih=3*)};bMSv^gJ1ZSnU~0@7m@SxOE(s
zavV@9%lNS~@4IWhU*^UVIlVU%q_)nn>}PQ=<g}8$>~918gkb%9E^hXTdnNhA>^qu{
zC3O`Ad>o(uwUuGyXiD2P_E=TblY@3fQvxErrzl<jwt0q<>%^-KjRLljEzyPQh0i-{
zwDkg8UE150&bvNFa!s6ZSmTDc8}7;qm%Xdvt_yD5qWCt;;dapTr3@77EwP`@i;9=_
ziCN9T3-VT}Wxc=ZShvPyky+S?Fdy;uWbF=<iSP7xj7uAwc3|k(yHC!o$ow5UNGacL
zTuztVi!oatbyPbqn3(*q2?dZ@fO;(3?p6T>ilk3PQDn@du87RIbw;*vhfQH;v)P-v
zb!Qn>4W^Y@xA&Usec}^v|MFe<^R4$6uB9GdSTaBR>bEnNMPDDssy+M}ynBCvGM`BV
zW09WW<maZd0xx^cJAc_Ly-MQp^z&1<Jx%^#Z96LCmf651H>LN~%SU_?O*p>MS9?*k
z)YW^B=2+_Ldxxng9<gqHe=RwrcDojTppI{GKj~m8r^YFhwHK+GdRJFp(=I-#{=u>~
zCHeQDyZ%Qz-`yOx*+coP*;}m*j{Wy#wtZf6(D>@YaU-|N><u2FTeoYuR?Nc4vK>#p
zH8`$$GhyHvkvx^UpRcZLJQm|2GIM=c`Fg!zfgj3Vwc*2Qj^QTR{@+6_59(`$iRtOM
zWfsqM8hLBy>gRi=9Gx9IaMKb8*+F?3F`;i)Tk<u?Jl5z+`5b>`C*z*P`0<w?G?WMJ
zd+DkBc<$9y`)vsAaQ168sQ+QZUhMc~DHYD}5#AV_i{{kH_=Sk+8oAS5#)YmpH@b#m
zB!1cZ;S!)*aF);yqy92i7WJ2X04om4gMJt9hl%|1pnDOcdxnxO>fd!Q5a|*z=yk*|
z%x6L-<2ag*#d4A!(rI?e!8ZfoV($2v_>2YOq-PLyqSI1}@t#BAJ$;jykp+5AAmH4z
zMZLkf8_+Yj_=!8E9D(RL(>VR)3<3W{Bf5J~88U}{Xcit^=pvlU!at5E-YjZ0glxNU
zF2tKffv5!aP#y|rA>OP6iZ?qD#hdMiP6{z03;KmE-t0e!<{w1!52E=8(fo~wCN=B;
zBWxdrXOhEq3WP-kIfQt9y8U%^mf0b(LaD-=oexz*t11Q`UY1pyuthUsty^mCROtgF
z)Ki<xqb;-YRn;;!sGPPxBs;}@q@4RmqoDUeMh`q!)%u#$x}4fNd+_kV;(Mk|SMxYE
z@JM=ge#g>KIj62c&%?I#Gjaahe)H?IIhDg5;}xw(C@m3HzMp^h{`aO4FUwahEPH!-
zpy`~yG4gDnhqwM%|D}HZW4%_nx_D8{8bah*G({-btH`qgc?GYB?Crb!OuJxIc;mWP
zee47~zRAWkHcuK5t2}dOP2K9r=G$!(B?BL7o))Yq-RpL(@3uFta_0IsqlMQOOiS*k
z{W)Vx&?~Ln155gwjaoHveV_KoX2X8BbT^OBFPt#oq0&6*dl!y28{F|6DX3&#;gj|5
z?TwHKGle5<5>1kNanoyGtKUzK5Zr>gCFrl9dm`e67IJ?`>~mFH%CJ876sgahrW{;X
z4>;sv2_n~xLn?tdN-!T_E)^J;fy$6M<^%S(T<Y!*@%aGg%b9fl%m=JQv1dI{f4H=}
zlOxBT<vy-&M&tVTXl&lZyq|qsPZfBUWP3EU&qcRqVouMTYYG=QAP_FFcUtAK@VgDi
zW@XyX>3fw?(Keso@%hbb9*XOtvbw$u%hi`P+wLHzHTuH>r_+y()g8wc%6@wA@%F`x
zgJ1dz#Y|diHF#~un=OMk#XP&yST=LR^p&60zNpHtG*zz?%Ip+0JSn%OYxwUD+L!sO
zmVMZKt4!gv%8O$|FZim-w0^qi6+3FslXe^Dgv_i>n}gq;+xqMGe9f~~u_K)N{n#lu
zXzg9Um<3Lj_g;*$tgmYRBw$n~zb)}%=jO8b%$CRNmnl4}7xVMoMJtFo_$Iiqyhi@)
zc~ONu?i+Rd?yp-S9$H=eY4VghZxbn<lKI|_@{>ysGlHhuj2|bl+tsz^((-)A)b-J~
z=+oUi=zXK#e$uxYdP<%V{OHJM$3)4O+CI`MlJ()^cbC;#Gky+tiJJ7IbNkUR0>`|b
zy0jIEq)pZ?J#}Nsl*j9;``&FG_jI&@hwG2CR-N;VTpfQHHO()4XMbt!75RbXNte~m
zz8n;;mzCzKxn!@(=lS9~Qq!U>mUW~!W#`D3ss`ToUhyi}wP4RVi-4CC?qB*MH214y
z#EekG5hHE{>d4r9FWCKBOv7AS>*&epPxbcP{xb7|@ujlc8<%`lc@aC#GsX19;M%~W
zKdhn-4D)DiN^Ng(5!O~&*XLMvqP|x4lh4*3I+~&)4GXe8w4U6*XetyUKQ*UfvOZt`
z=8~L~H8vunqo-VrcAYN#`kcq1NVhAkYtw&RA2aG^k@>A~^H)hyDWY`8ZxcU_x%TGg
z?8`?l$lopeRHZVyKE31XwDz6DohLT8+AN~CT7Q54(sx*_^RksQJ(QMLZ86x||5^Ti
z)10w_!W;N68eg00xiDGopjwc*(U4}rw%gBQU#KbZFO*Q-w%uaC*+`w;4;N{TI^gg7
zP3DYZ$*zW(W?#SYS>B%2sG+B7bVp#QyQ$v&4*txkBNy@M3PdlEUbpq#9uYUEu?w%C
z)EQ&9^6uR&&U^j)PQT$(YsnYq5xO%l#y{cI<ma6?)tn^+4HK3KIjUr?`En}Zvj3T~
z_v5!2*rf=ypFQ$HT)QKy^PrE*o~V+`suCyWl>2P+GVm0))y}FPaU#U*sLVs_p`kB?
zau@Qyzg_%&N_bd&rdmLpbISJFPi6a_Uov2~*5r>1(!Z6-E(^+8x3-@WWBA)EgUzza
z#lBZ;U2QUPXPR@2w0Zo~imF82!TaaPwzh9dI_6)rGtO~Fg_Zfj5Unb{#&<eD6gDnS
z58Hk^t94zD(%DaZG4}+g#JT>s7%HS5YE)UIpd|NAeV$8LrOf=|SGR0DmhVYX`52p6
z6);!Uscf#}NhcqP0fpX5uj+=-N>e5L#?4)O;!yaM9G|Xp18@5kJ$E}0LVMZ}b13(T
zdCrN*WihIEKW9V@m{b&Ir#<rMkHCF0jkNkFA;S%AvR_{I4$dA_<Gna4>)oKidK-St
z)6aNwO?Kpo0!`!9JIfmFRO=2)C2cA5_wwFyIU{+d*S-DwjkARUtw!hFQ;gWW$01(X
zz0z`*r(1}`!}V3e*TnVzJ<XNRG3%1u!zaf)H21|lIbo@}KRD}||BK9!(O-ie^jBL&
z+iQ8eZAns+S<<zNdaWhn7p}XU=0!i4wsu=lOXtD(Xv(Oys;cp`Ljuk7(pqO#eJhz7
zmz1X79%nkH<jfk!b*C1o%#lk>KjN-l)7RDK>%iN#kGJj~HE8MH*Hc6c==+9DTp8bI
z*_oxa8fu~HldFE7GkOuAnxX$}oBXe`Szix+Gv+@NIcWB>Cbj41-vwV-C2+rZ;ZAz>
zTS5DyO?(};8hc~YBk4lBZ;gr+ThXNww7%Sa<_N3r-uw&8g6bI+VduB!8n*2cU$=2m
zal4mp?e(IULuQ6Qnmt-bE1Tx6UNA_j-avI!nM3aLOQu6A&)-t28Z^jx_#l}l3xWn6
z{hs+Wc%zt;;qDJwUp6{AEWcu6v{OVn%Kmku<*r-Jt3&%<5L|V6WOLsk7cNx%);f6Y
z@r~C8igQNrjoE+4&vE|!L8g7KrDR@`IClP1u)LFfV3a}VB{drKU(j6<`^ROdALBA!
z^z81(m}`Wvac^DyCNa~qoa03z-L>55dU2u4bzY%{OqabsFUR`xLiYaL^epPn??Hcl
zmTi8Y$nRtBbSp5rCn)Knd4>Df|A2uW=(mcwgayM1DuV*!vQQZ^h7$<uLTI$a3v7B|
zt(DT&D6BqOjQ(#RVb_K3q6x1eu33bbwRqxV9q?MuAdCLV1plCdWJi-`@rO1>hYL&o
ziCHU*-eMrk|5swx3f&Y47rN#gE>uB^Su1oB!JC3^c*7R6_8;`}4|@3rz5Ih-{(nI)
z=ru9v=wBwu*k}v=w`4#1Z^@p@;8_Kt^+^R&cW9+XH(XuqVQg~I$7}us12-+L7V&mH
z3loiz4^4_Ri<G|H>-W57v?pK9>jk$jp8q9%Lq_RJu9?x1oAr5q+Gn3lbAJ+gb@5z_
z!B&Np`hDi^mX<|8_E-DmSU306k~@v=jpUafeB*2U4(ob;(bJ7z4HG}7zgSQ(tRcQA
z)u(yhhxo(ci+x|ZnSP!)M)vRneXY}3qULV5CbpXSKdycnr#5%%?A9Cpvbxu`i?7p*
zN<<F0jyk4e<+I+TSh0eUkg`L;#xvZ%!SLKQ^wJ&iU1~3OURN;B+wFLGl<`Ba#Vv-y
zTY?W>n62bGc%FBo_|}(hbE6d&=m+N9qYwM)WL+btsBpIall~h+)uTywn)W?yh@XC_
z_>PvT=L7dKPvgf`^rL^8wDhTqwQ2t^3Qf-&`s8NJ-e;?!Tdq^JZSI*Fvs*V@`e3z5
zLo;X3u3E{|#li(MU(~LY8zL%18?}=Erh8V=omo*MhldoUl&hZEV&h<Z#^v{`SXaa4
zUsHu_VoYKgi#1w8hwXXYkS{R6B~4tj>*Q+GOF|z`#!BjgNmz-AJ(z2fRRzPLFFyn^
zZwTvVj~16U8711FH~5&iGkaeqU1IFTWzvCh6tNeX>v1&%Hv!#)Hk5SHdfduvpvxJ1
z5#PH_#s~-tU>n$qjzq2xnKr6!vp4@nWzR<;aQ)vLd(k0qR@JTSXrp&e6k6wBiCBN{
zbXMm9{b7Z(H>3tD{VKHkR<Pl{^um#g^n~}^SP_|ZLt_9fb4lyAP+f0JgJA1*cO@5D
zsekZoIvOi&Grnk2)2F<Ady(XnV|&LxwA>!!vZmG6b!BYu99!@8UX%RVsADfKl?jYH
zh9rZ`fxnUxvHur!uYqUbFQdf5>SS1#D{j97ZsUx-h@C|r%q9GP_9o!E#ec`YnYv}h
zUgW+emMZolwnzw(f_Wz)*}%9+bPSm=@5J=MV8P9pufY2+2|k#N*2j*QhV`*yQ{guD
zy?zi&632!_dEi`6^7I@d@hkQKCa(sF*E^^TnM3zi60!exk##>_y0AJ$64U*0jMM=l
z_J#Mf<1sb_u%G|z*TH!mz2(Kl{29hi%)~<aWem^VWr(g5;FF@Eb@Oa#Ejq8vq5;Q{
zWKhO+u@N1U*HF{Zejz?Sv@)2Vk6)Z0WQ8_@sZ^%SB}nE?=p1AY`>YY%g0&G~8-jgO
zB$0iJz&?An!fmwaxXfrpc`3+@*X5pM)(SA9-_u_$GkK>^%QA=84fyq47;nI1BhW<&
ze8^!)U>r<rVw0N?1BEyyDM%~>9y#n%gzVys>>_4=5F^C4zZhb7;fcAFozpJ(@Ax;^
z<<DLCSu`f1OJD^Uq~O1=MUhbO6iD+#E6M$60c>#|iGC+HG%&6fT@IPU2IYcVu{u&j
zvVn7H(*$E18G6@X6YNPGvB_{=dMlqjB7@(9QS9jhwmA?|C^`oDnC{P{0gn6U65Q{~
zS*O6JE0N5}s0^8-uEi%_qO$1(V`S4`m`%aiX*7-)V%S;q0UiVi#+e|KEEI5Ogkx6f
zDTWxQEWkTZJ<qxmWcY++IDpEKIqViCxDB%#tRp7YonOdqSztG@ER2*hUU#4banNuZ
z^j3zy7VB%iTwokqtS>^HqEAS?OsW5@!s=A0Q=$%|fLqR3UvL%@)CEYq^bdR5ldvn9
zADnt8{D=;D#rjI9>GG5~DyEm9ZGQRt1|0{`WlyobsIH}oM+7@ZsIKK6>x<Y2^2u}U
z10yg$>0tMhR8+r>FCahZtaib4K-%yA$4`2zYjH#-2_uDn0FU5hRjd<OTZ?$jL1oAs
z_406HIh9`+UqF6w68yqG0wYC=$%T6~t-CMe?H4v|^_7=j{E5k>$a)yaau3OZ8US+a
zEGG775!{aHeJe@tCrg_qY9YP<{??AkQckR&eF*gv@7H<B0{hbaF;dJAL7E5_`w7nR
zp?pT{jM!Nev|s?u$!5CERHr~sKfeH1CRY3VV`u3Q^kb+H7$<?skjb{D3nW%h*?OW@
zVRc$CvbB_bGbT?1Q9sc4<Egt(=g|g3zbaiS&e4AW#&Kp5!|@Icwc+>^P``%h5v~C}
zPD7db8<db#*yo=QyzGP`igU-bG@2WB8|Vt^ha2mW;8SYD(3&VzhD>hr={kaum`|Cp
z`&3$RX_Lu7<Ws+176V~=AF|F^59r2CynJdLqC%xJA0Uqsd?#Q>%nv*k3Y-J&grW@3
zWXg#Su(LGUSDX=689xtNfS-`g*%Dr6#wFA5{tZ8mpTNs=(Qa5<+FblJ`Uc$s^^>e~
zpyS<0$8o3(ne3Oe&52j2{L*A#VRd>0@=HnkRTwEdqK<{Sy@rOOOED8K9m}w;<7|6?
zSKzsUbp`M|Mlmq%6e>d|`vomia0liWRqTF|9)bK~1^9(2Q+1@+2!Go6-tvrXSz&SY
zuYZ9&AXg*nR**|mi7WQLN@<G~h1D5-kS!#5VekH|C-Jfcv=Pi&&ANg0#S44;q4??n
zT(S2%BwsC}2ARWd<$_U|-SXM(meB{<?F+J7$M07dBRyj8-pXf>$aGgdjARcV6xbW&
zD`H&^^^7<6R#oPTy(=kg`UTlE6|*T1?2V6nc-gck?9C}lIg$$el8C)?kPKX~cQj@<
zh)qVo-WjQ-O{R;`xRuUti7Bi{?A==#{u=iFig@ROy{}Q}-*i!7btcp)abDP)9RH}N
zu@4!0bLt(_QTGQg>|JTCHN$6c9bICrgT+PfXA%79&YrM0)wMlgZ>np1kG(5~bH&~<
zn4h$<`$;CM-)6orzj2A#==6xad#mf-VQ-lcT(S3cD!(xEMSkG~e!&ZS4`f-ASG^?1
zn&Rab)Yv-!$-)JD@5J;TO47R%(t8tXSG)FLT|ccy?A=>gdV{?O60o<QZ@_;Dd)FZS
zaKYX;C~e(TSe-Qj*;<Sj_7?4>t#Ry4w((kYzcY&l9Ain~PalQ)84Bz@2wnE?WACNd
z!*J~F&*~NdiyRyo7&ix%A(Q)R`V_%km`|y*`&8D5(xyq5kxzA+sR3cS3=tQ?cm?lw
zd#f`Xdy{oW#NL^h49pK4d&4=<&MuVUnM^s+0ZV6O><v90T*og4y*ebOZb=ZJ`#k`>
z#x%H`Oj>_ziI>s84bUa<R3aAtfpiX)5v!2ox!28!RaAaD>2hIpwkh&cQC?UamxWiG
zB*S8otaB!>z%yW1NZ=<sRJdYsEN<z+E9`!fZCctic^LSKRwYKLM=ai3p8tL<E~>#5
zi{GTO#pGeg7NwXic+7)C9|eh*EuhUH`x4y83ybrf2fvEst3{L`lj}FFTrdu+-&rKP
zl_I-kAiMp39{{(}dc@+rmG9rd;xG?>7Gs0??j7D(yw4b}So{{HO*0CsbD+<cvgd)t
zC0M-hvT09PoKqGmEFO(y;DW_>V|IhMk_0TCgZla@=>KN)-))T;lRaYb-pcUTuy`Hf
zoeLJPrqcfuNu+<MQ&POJxMVN&PsZY$dS?-0eeuHLRP)t6VR5Q!d&1&W*Y+NZdynOc
z#p5wQX(sszs^3#bAwT(baz7?~k6667x`uWjiKR#8S1$U3KBS6u7W$A2h}RrchK#jE
zg#VAw4ky-7`Nh;xh1I!I$S)*$VR0$elX%rjG8X6M7t~l>Pm?Pa$Kv=NT*t2WTq&gY
zL!kGEV=-oX#Nxe`r8ijo907~}=jOqWApLN`;<qVneF)k55oYUVOg{}|T*)#q4Nx&8
zUbZ$w*T9@E*~Whji^CKDeJt(<WN0`RC(eU=GPurz@5Sn}F3G1Jl{T5Lh547WAAoMp
z^WeSJ**HXnN@qSm9wqorz>b(7I2MO<pq)^Z0n0GuL<c=!ar``v$#FyucR<3+fA2ha
z0n%|Cq7Ip(4ceSoOXZj5YYVIM-XOme=Y_oo167oG`K1i=G7i6_#@^G$amC*IFuy2e
z_lvwY$S>}|e9K4=>|s4(@80tK_hWBOEw0$Rj?xx)3agK~W47Rdy`@<?=4A_LBbc?C
zbpz{*7xv~o5ALhY6?-ROc1vNm+cEdjCJTf^`Dk@a!}N%~dn=zkl80(+!7eQ-iLsvv
zMMang$HFC`W7LiGVjjG|4p;1bhsvfFPKDL^0?4Lfys$T3Z+O|XC+y8B3l;X>ie%t|
zz4v2wd%$kDd;w&)O4PS^y$M5#LQ_4&zKgg9rMEKtHSB#K@y-Q%-=)-lCDK3CDKTEy
zTNV?Icl$=h-kf@85n_Gu!roN#)jeTvs%v|~-c;B29(%{@a>d>UFh6-q@)K0Qry-0(
z@60g5gzpi1_g2@v!`^QZuUxQqJ(XWfdxZSrJXS9wFkX9HgEE9=M_%=kjJ<jJ1vU0|
z)8mT04`O=vC+YosY18!Cp!c9_7_&WM@7~JN8|*Dgz~2A4dGPZ{KU}c)Jt|vIpIum8
zuo>A}l-E4?&|ccw5M2j2l5FF(=)5zF1{`Ba;7=cgaNmDn9(=Vv*Lm<mm`@F3_o;%-
zrA?M&kWc*{><m)$JP+Pmo#EJ<tTQ6^{(om4ycX%43l?vn@>9z(h1JKCke^EN!s2q6
zWAW~*@cx*rb80NU+<+?<KaBawId(reo`n2lJNSuo7sgbNSiHA9|2<gTj-?@(n{j+i
z+Sfvyn^8@?Pic$oh1Dk%VNb0+Hc<rhU^LfApj-Dfh}$~z2VCfajSpg^HWRTFah<t5
z>q)%&9cYXGXE1(yTM)PT^&^-+9A@{26N;rxGsKZU{JM~b3D6_P@2!0Hh|Ir(@yl3x
z1T4XOe%<z45Vv*a52<WALmc@EU<pZH7+-<K3oo1Ygz-6Lp~CphNQMLGNsu}IFA^n~
zh}rE9$!-Wk%m@LyJ!B5Pdc^p>mEo^p{2A>*+%WzlO8tivRu?LQ{&`{iVZGEp8RK*6
zokfWC^?xVE=ldSSZLd`l<|i-M{iG1p@0qbMC%6APCVY<=zqh*X9mZdTc;$leA5;0o
z%vj_X{>U#Rc+IaXvh2vKUXn3BFTbG1__vTOo#=^>IqGMN;89HP-Xy*Imp083g1Hk<
z2aMSsF}@=9GjD9r8;mdZAH(=wbSB%-UyuF4wGDVeW$Rf&h1Dk~AX`(ecO$MdSL&sH
zaEwp3@mh3$0*eM5V~GOe!!>{AjA6A1vzL}&-qHPumwU6$9ByJMs{0$K+f9&lz~0xv
zNzgI2_JIW#K-WK!u1}#dWU?>vWeO&PuJ@DnlAWAT+GI5Z^%Y(5zUVF*9~<T)u94}j
zuJN$}S=Yp|fe4Fhcp^S859i=Ctc5{;-8z9|W@6ri%)_;eehg(^fIkHPraq6>D)w|e
zlMKt&_+A^<$?knlX0$1^S+waiE7}O`CzyXECcHcct@>F>TZO${Mv-QQ{_n67d*cj#
zE#iYM;pNFJy7;;`{35(O1<_qbbD^!Fc_G@0XeQJhm3+I`7~%h)!0*G$)6w1(oHqQ{
zAHRV0jhET^X5IytfcFs-UY>_ISc;zS$NKS){g@|+WdR}q?6?6L3n-mr{Q`cy_-7Ee
z@z+zTHpFU3Vf87%aXi-{DYKr$tG|$8U025X{)0h*SFA3wegU4pA)Zg6GGuaHM0)~K
zfainojv2zbh*Jo+Sp`5{?DG{P#a0(#9|Nwt-tzqSkH5Z_tz(bD#6JFNq_jmqVfE<=
zX#6#hef*V#3CUcyB_BFu_XbpkjOmL=*C+8A7rN-Z(DsfPsVT(qmq53+Xtd$j&%FCl
zrava3tHGY|4GHWyHH^d`F`j~tU@B(M_w4pO4Q*=)*wgF~Mu>wy+@AkFf1AksvFq<S
zrT$8gU0^Ovib{XXw`O5{vsxgg{@{!(d~jA?)~O`)BUyhx$^5bFFAdY*JCgp;yp=V=
zN%YRi%tn+=f50EEKW5AOukvRHQlJF(ofkf2w;no%%;A5ki7%-1XN_>m=_>5~gWdBA
z(7Jj74U~ZH1V8meI(iTL<W+0D{g?XsDf;-X3h;1S>ZZ6PNYQQ0N*`AjA3n4<60Qxa
aDqhFWI)?iM(6KkG8xZW?KgpyG&-gzpOFu#Y

literal 0
HcmV?d00001

diff --git a/testing/btest/scripts/base/protocols/tcp/krb-tcp-tso.test b/testing/btest/scripts/base/protocols/tcp/krb-tcp-tso.test
new file mode 100644
index 0000000000..57c46989f4
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/tcp/krb-tcp-tso.test
@@ -0,0 +1,6 @@
+# This test checks that packets get forwarded to a protocol analyzer,
+# even when TCP segment offloading is enabled, and the IP length field is
+# not correctly filled out. This requires -C to be passed.
+#
+# @TEST-EXEC: zeek -C -r $TRACES/krb/kerberos_tso.pcap
+# @TEST-EXEC: btest-diff kerberos.log

From 4f9f46a0c44c35db78e189be60f266cb709c9137 Mon Sep 17 00:00:00 2001
From: zeek-bot <info@zeek.org>
Date: Wed, 24 Nov 2021 00:42:06 +0000
Subject: [PATCH 084/210] Update doc submodule [nomail] [skip ci]

---
 doc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc b/doc
index 43e7a5d288..78252acaee 160000
--- a/doc
+++ b/doc
@@ -1 +1 @@
-Subproject commit 43e7a5d288e0dd60d4113a8ef8f42ec8df4e080e
+Subproject commit 78252acaeed8e2dee433c34ee8e2facb6d9cf845

From 331161138a28b633239dbc2eb98ab6ccafe47076 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Thu, 16 Sep 2021 12:39:46 -0700
Subject: [PATCH 085/210] Unify all of the Tag types into one type

- Remove tag types for each component type (analyzer, etc)
- Add deprecated versions of the old types
- Remove unnecessary tag element from templates for TaggedComponent and ComponentManager
- Enable TaggedComponent to pass an EnumType when initializing Tag objects
- Update some tests that are affected by the tag enum values changing order
---
 src/CMakeLists.txt                            |   2 +-
 src/Tag.cc                                    |  13 +-
 src/Tag.h                                     |  84 ++++---
 src/analyzer/CMakeLists.txt                   |   2 -
 src/analyzer/Component.cc                     |   2 +-
 src/analyzer/Component.h                      |   2 +-
 src/analyzer/Manager.cc                       |   4 +-
 src/analyzer/Manager.h                        |   2 +-
 src/analyzer/Tag.cc                           |  27 --
 src/analyzer/Tag.h                            | 107 +-------
 src/file_analysis/CMakeLists.txt              |   1 -
 src/file_analysis/Component.cc                |   5 +-
 src/file_analysis/Component.h                 |   2 +-
 src/file_analysis/File.h                      |   1 -
 src/file_analysis/Manager.cc                  |   4 +-
 src/file_analysis/Manager.h                   |   4 +-
 src/file_analysis/Tag.cc                      |  27 --
 src/file_analysis/Tag.h                       | 102 +-------
 src/file_analysis/analyzer/x509/X509Common.h  |   1 -
 src/input/CMakeLists.txt                      |   2 -
 src/input/Component.cc                        |   3 +-
 src/input/Component.h                         |   2 +-
 src/input/Manager.cc                          |   2 +-
 src/input/Manager.h                           |   2 +-
 src/input/Tag.cc                              |  27 --
 src/input/Tag.h                               | 105 +-------
 src/logging/CMakeLists.txt                    |   2 -
 src/logging/Component.cc                      |   3 +-
 src/logging/Component.h                       |   2 +-
 src/logging/Manager.cc                        |   2 +-
 src/logging/Manager.h                         |   2 +-
 src/logging/Tag.cc                            |  33 ---
 src/logging/Tag.h                             | 110 +--------
 src/packet_analysis/CMakeLists.txt            |   1 -
 src/packet_analysis/Component.cc              |   5 +-
 src/packet_analysis/Component.h               |   2 +-
 src/packet_analysis/Manager.cc                |   4 +-
 src/packet_analysis/Manager.h                 |   2 +-
 src/packet_analysis/Tag.cc                    |  27 --
 src/packet_analysis/Tag.h                     |  94 +------
 src/plugin/ComponentManager.h                 |  53 ++--
 src/plugin/TaggedComponent.cc                 |  36 +++
 src/plugin/TaggedComponent.h                  |  40 +--
 .../scripts.base.files.x509.files/files.log   |  12 +-
 .../all-events.log                            | 112 ++++-----
 .../really-all-events.log                     | 230 +++++++++---------
 46 files changed, 352 insertions(+), 955 deletions(-)
 delete mode 100644 src/analyzer/Tag.cc
 delete mode 100644 src/file_analysis/Tag.cc
 delete mode 100644 src/input/Tag.cc
 delete mode 100644 src/logging/Tag.cc
 delete mode 100644 src/packet_analysis/Tag.cc
 create mode 100644 src/plugin/TaggedComponent.cc

diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index ebc5385094..d2ec1359d0 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -379,7 +379,7 @@ set(MAIN_SRCS
 
     plugin/Component.cc
     plugin/ComponentManager.h
-    plugin/TaggedComponent.h
+    plugin/TaggedComponent.cc
     plugin/Manager.cc
     plugin/Plugin.cc
 
diff --git a/src/Tag.cc b/src/Tag.cc
index 4b800f29a5..080d040a26 100644
--- a/src/Tag.cc
+++ b/src/Tag.cc
@@ -7,12 +7,15 @@
 namespace zeek
 	{
 
+const Tag Tag::Error;
+
+Tag::Tag(type_t arg_type, subtype_t arg_subtype) : Tag(nullptr, arg_type, arg_subtype) { }
+
 Tag::Tag(const EnumTypePtr& etype, type_t arg_type, subtype_t arg_subtype)
+	: type(arg_type), subtype(arg_subtype), etype(etype)
 	{
 	assert(arg_type > 0);
 
-	type = arg_type;
-	subtype = arg_subtype;
 	int64_t i = (int64_t)(type) | ((int64_t)subtype << 31);
 	val = etype->GetEnumVal(i);
 	}
@@ -68,11 +71,13 @@ Tag& Tag::operator=(const Tag&& other) noexcept
 	return *this;
 	}
 
-const EnumValPtr& Tag::AsVal(const EnumTypePtr& etype) const
+const EnumValPtr& Tag::AsVal() const
 	{
+	// TODO: this probably isn't valid, and we should just return the null val
+	// if it's null.
 	if ( ! val )
 		{
-		assert(type == 0 && subtype == 0);
+		assert(type == 0 && subtype == 0 && etype != nullptr);
 		val = etype->GetEnumVal(0);
 		}
 
diff --git a/src/Tag.h b/src/Tag.h
index 50ea167c48..5c8b554091 100644
--- a/src/Tag.h
+++ b/src/Tag.h
@@ -4,7 +4,7 @@
 
 #include "zeek/zeek-config.h"
 
-#include <stdint.h>
+#include <cstdint>
 #include <string>
 
 #include "zeek/IntrusivePtr.h"
@@ -14,9 +14,9 @@ namespace zeek
 	{
 
 class EnumVal;
+using EnumValPtr = IntrusivePtr<EnumVal>;
 class EnumType;
 using EnumTypePtr = IntrusivePtr<EnumType>;
-using EnumValPtr = IntrusivePtr<EnumVal>;
 
 /**
  * Class to identify an analyzer type.
@@ -59,28 +59,53 @@ public:
 	 */
 	subtype_t Subtype() const { return subtype; }
 
-	/**
-	 * Returns the numerical values for main and subtype inside a string
-	 * suitable for printing. This is primarily for debugging.
-	 */
-	std::string AsString() const;
-
-protected:
-	/*
-	 * Copy constructor.
-	 */
-	Tag(const Tag& other);
-
 	/**
 	 * Default constructor. This initializes the tag with an error value
 	 * that will make \c operator \c bool return false.
 	 */
 	Tag();
 
+	/**
+	 * Constructor.
+	 *
+	 * @param etype the script-layer enum type associated with the tag.
+	 *
+	 * @param type The main type. Note that the manager class manages the
+	 * the value space internally, so noone else should assign main types.
+	 *
+	 * @param subtype The sub type, which is left to an analyzer for
+	 * interpretation. By default it's set to zero.
+	 */
+	Tag(const EnumTypePtr& etype, type_t type, subtype_t subtype = 0);
+
+	/**
+	 * Constructor.
+	 *
+	 * @param type The main type. Note that the \a analyzer::Manager
+	 * manages the value space internally, so noone else should assign
+	 * any main types.
+	 *
+	 * @param subtype The sub type, which is left to an analyzer for
+	 * interpretation. By default it's set to zero.
+	 */
+	explicit Tag(type_t type, subtype_t subtype = 0);
+
+	/**
+	 * Constructor.
+	 *
+	 * @param val An enum value of script type \c Analyzer::Tag.
+	 */
+	explicit Tag(EnumValPtr val);
+
+	/*
+	 * Copy constructor.
+	 */
+	Tag(const Tag& other);
+
 	/**
 	 * Destructor.
 	 */
-	~Tag();
+	virtual ~Tag();
 
 	/**
 	 * Assignment operator.
@@ -116,38 +141,33 @@ protected:
 		return type != other.type ? type < other.type : (subtype < other.subtype);
 		}
 
+	/**
+	 * Returns the numerical values for main and subtype inside a string
+	 * suitable for printing. This is primarily for debugging.
+	 */
+	std::string AsString() const;
+
 	/**
 	 * Returns the script-layer enum that corresponds to this tag.
 	 * The returned value does not have its ref-count increased.
 	 *
 	 * @param etype the script-layer enum type associated with the tag.
 	 */
-	const EnumValPtr& AsVal(const EnumTypePtr& etype) const;
+	const EnumValPtr& AsVal() const;
 
 	/**
-	 * Constructor.
-	 *
-	 * @param etype the script-layer enum type associated with the tag.
-	 *
-	 * @param type The main type. Note that the manager class manages the
-	 * the value space internally, so noone else should assign main types.
-	 *
-	 * @param subtype The sub type, which is left to an analyzer for
-	 * interpretation. By default it's set to zero.
+	 * Returns false if the tag represents an error value rather than a
+	 * legal analyzer type.
 	 */
-	Tag(const EnumTypePtr& etype, type_t type, subtype_t subtype = 0);
+	explicit operator bool() const { return *this != Error; }
 
-	/**
-	 * Constructor.
-	 *
-	 * @param val An enum value of script type \c Analyzer::Tag.
-	 */
-	explicit Tag(EnumValPtr val);
+	static const Tag Error;
 
 private:
 	type_t type; // Main type.
 	subtype_t subtype; // Subtype.
 	mutable EnumValPtr val; // Script-layer value.
+	mutable EnumTypePtr etype;
 	};
 
 	} // namespace zeek
diff --git a/src/analyzer/CMakeLists.txt b/src/analyzer/CMakeLists.txt
index e0d2351c93..559a43849b 100644
--- a/src/analyzer/CMakeLists.txt
+++ b/src/analyzer/CMakeLists.txt
@@ -12,11 +12,9 @@ set(analyzer_SRCS
     Analyzer.cc
     Manager.cc
     Component.cc
-    Tag.cc
 )
 
 bif_target(analyzer.bif)
 
 bro_add_subdir_library(analyzer ${analyzer_SRCS})
 add_dependencies(bro_analyzer generate_outputs)
-
diff --git a/src/analyzer/Component.cc b/src/analyzer/Component.cc
index 607ef0d37b..f8dfa32f72 100644
--- a/src/analyzer/Component.cc
+++ b/src/analyzer/Component.cc
@@ -14,7 +14,7 @@ Component::Component(const std::string& name, factory_callback arg_factory,
                      bool arg_adapter)
 	: plugin::Component(
 		  arg_adapter ? plugin::component::SESSION_ADAPTER : plugin::component::ANALYZER, name),
-	  plugin::TaggedComponent<analyzer::Tag>(arg_subtype)
+	  plugin::TaggedComponent(arg_subtype, analyzer_mgr->GetTagType())
 	{
 	factory = arg_factory;
 	enabled = arg_enabled;
diff --git a/src/analyzer/Component.h b/src/analyzer/Component.h
index 851238f587..adf8dceea4 100644
--- a/src/analyzer/Component.h
+++ b/src/analyzer/Component.h
@@ -25,7 +25,7 @@ class Analyzer;
  * A plugin can provide a specific protocol analyzer by registering this
  * analyzer component, describing the analyzer.
  */
-class Component : public plugin::Component, public plugin::TaggedComponent<analyzer::Tag>
+class Component : public plugin::Component, public plugin::TaggedComponent
 	{
 public:
 	using factory_callback = Analyzer* (*)(Connection* conn);
diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc
index 7339ee3c57..4416fa4fe5 100644
--- a/src/analyzer/Manager.cc
+++ b/src/analyzer/Manager.cc
@@ -56,9 +56,7 @@ bool Manager::ConnIndex::operator<(const ConnIndex& other) const
 	return false;
 	}
 
-Manager::Manager() : plugin::ComponentManager<analyzer::Tag, analyzer::Component>("Analyzer", "Tag")
-	{
-	}
+Manager::Manager() : plugin::ComponentManager<analyzer::Component>("Analyzer", "Tag") { }
 
 Manager::~Manager()
 	{
diff --git a/src/analyzer/Manager.h b/src/analyzer/Manager.h
index e10341f246..8211824e3d 100644
--- a/src/analyzer/Manager.h
+++ b/src/analyzer/Manager.h
@@ -56,7 +56,7 @@ namespace analyzer
  * respecting well-known ports, and tracking any analyzers specifically
  * scheduled for individidual connections.
  */
-class Manager : public plugin::ComponentManager<Tag, Component>
+class Manager : public plugin::ComponentManager<Component>
 	{
 public:
 	/**
diff --git a/src/analyzer/Tag.cc b/src/analyzer/Tag.cc
deleted file mode 100644
index ca490a5735..0000000000
--- a/src/analyzer/Tag.cc
+++ /dev/null
@@ -1,27 +0,0 @@
-// See the file "COPYING" in the main distribution directory for copyright.
-
-#include "zeek/analyzer/Tag.h"
-
-#include "zeek/analyzer/Manager.h"
-
-namespace zeek::analyzer
-	{
-
-const Tag Tag::Error;
-
-Tag::Tag(type_t type, subtype_t subtype) : zeek::Tag(analyzer_mgr->GetTagType(), type, subtype) { }
-
-Tag& Tag::operator=(const Tag& other)
-	{
-	zeek::Tag::operator=(other);
-	return *this;
-	}
-
-const EnumValPtr& Tag::AsVal() const
-	{
-	return zeek::Tag::AsVal(analyzer_mgr->GetTagType());
-	}
-
-Tag::Tag(EnumValPtr val) : zeek::Tag(std::move(val)) { }
-
-	} // namespace zeek::analyzer
diff --git a/src/analyzer/Tag.h b/src/analyzer/Tag.h
index f5f291d66e..56b5d58b19 100644
--- a/src/analyzer/Tag.h
+++ b/src/analyzer/Tag.h
@@ -1,4 +1,3 @@
-
 // See the file "COPYING" in the main distribution directory for copyright.
 
 #pragma once
@@ -7,109 +6,9 @@
 
 #include "zeek/Tag.h"
 
-namespace zeek
+namespace zeek::analyzer
 	{
 
-class EnumVal;
+using Tag [[deprecated("Remove in v5.1. Use zeek::Tag.")]] = zeek::Tag;
 
-namespace plugin
-	{
-
-template <class T> class TaggedComponent;
-template <class T, class C> class ComponentManager;
-
-	} // namespace plugin
-
-namespace analyzer
-	{
-
-class Manager;
-class Component;
-
-/**
- * Class to identify a protocol analyzer type.
- *
- * The script-layer analogue is Analyzer::Tag.
- */
-class Tag : public zeek::Tag
-	{
-public:
-	/*
-	 * Copy constructor.
-	 */
-	Tag(const Tag& other) : zeek::Tag(other) { }
-
-	/**
-	 * Default constructor. This initializes the tag with an error value
-	 * that will make \c operator \c bool return false.
-	 */
-	Tag() : zeek::Tag() { }
-
-	/**
-	 * Destructor.
-	 */
-	~Tag() { }
-
-	/**
-	 * Returns false if the tag represents an error value rather than a
-	 * legal analyzer type.
-	 */
-	explicit operator bool() const { return *this != Error; }
-
-	/**
-	 * Assignment operator.
-	 */
-	Tag& operator=(const Tag& other);
-
-	/**
-	 * Compares two tags for equality.
-	 */
-	bool operator==(const Tag& other) const { return zeek::Tag::operator==(other); }
-
-	/**
-	 * Compares two tags for inequality.
-	 */
-	bool operator!=(const Tag& other) const { return zeek::Tag::operator!=(other); }
-
-	/**
-	 * Compares two tags for less-than relationship.
-	 */
-	bool operator<(const Tag& other) const { return zeek::Tag::operator<(other); }
-
-	/**
-	 * Returns the \c Analyzer::Tag enum that corresponds to this tag.
-	 * The returned value does not have its ref-count increased.
-	 *
-	 * @param etype the script-layer enum type associated with the tag.
-	 */
-	const EnumValPtr& AsVal() const;
-
-	static const Tag Error;
-
-protected:
-	friend class analyzer::Manager;
-	friend class plugin::ComponentManager<Tag, Component>;
-	friend class plugin::TaggedComponent<Tag>;
-
-	/**
-	 * Constructor.
-	 *
-	 * @param type The main type. Note that the \a analyzer::Manager
-	 * manages the value space internally, so noone else should assign
-	 * any main types.
-	 *
-	 * @param subtype The sub type, which is left to an analyzer for
-	 * interpretation. By default it's set to zero.
-	 */
-	explicit Tag(type_t type, subtype_t subtype = 0);
-
-	/**
-	 * Constructor.
-	 *
-	 * @param val An enum value of script type \c Analyzer::Tag.
-	 */
-	explicit Tag(EnumValPtr val);
-	};
-
-	} // namespace analyzer
-	} // namespace zeek
+	} // namespace zeek::analyzer
diff --git a/src/file_analysis/CMakeLists.txt b/src/file_analysis/CMakeLists.txt
index 8facf86c32..8e8b18f430 100644
--- a/src/file_analysis/CMakeLists.txt
+++ b/src/file_analysis/CMakeLists.txt
@@ -15,7 +15,6 @@ set(file_analysis_SRCS
     Analyzer.cc
     AnalyzerSet.cc
     Component.cc
-    Tag.cc
 )
 
 bif_target(file_analysis.bif)
diff --git a/src/file_analysis/Component.cc b/src/file_analysis/Component.cc
index 5ed56cd6c5..82204fe74a 100644
--- a/src/file_analysis/Component.cc
+++ b/src/file_analysis/Component.cc
@@ -11,8 +11,9 @@ namespace zeek::file_analysis
 
 Component::Component(const std::string& name, factory_function arg_factory, Tag::subtype_t subtype,
                      bool arg_enabled)
-	: plugin::Component(plugin::component::FILE_ANALYZER, name),
-	  plugin::TaggedComponent<file_analysis::Tag>(subtype)
+	: plugin::Component(plugin::component::FILE_ANALYZER, name), plugin::TaggedComponent(
+																	 subtype,
+																	 file_mgr->GetTagType())
 	{
 	factory_func = arg_factory;
 	enabled = arg_enabled;
diff --git a/src/file_analysis/Component.h b/src/file_analysis/Component.h
index b6f75bc247..681bb20acc 100644
--- a/src/file_analysis/Component.h
+++ b/src/file_analysis/Component.h
@@ -27,7 +27,7 @@ class Manager;
  * A plugin can provide a specific file analyzer by registering this
  * analyzer component, describing the analyzer.
  */
-class Component : public plugin::Component, public plugin::TaggedComponent<file_analysis::Tag>
+class Component : public plugin::Component, public plugin::TaggedComponent
 	{
 public:
 	using factory_function = Analyzer* (*)(RecordValPtr args, File* file);
diff --git a/src/file_analysis/File.h b/src/file_analysis/File.h
index a631ee081a..634110e8cc 100644
--- a/src/file_analysis/File.h
+++ b/src/file_analysis/File.h
@@ -27,7 +27,6 @@ namespace file_analysis
 	{
 
 class FileReassembler;
-class Tag;
 
 /**
  * Wrapper class around \c fa_file record values from script layer.
diff --git a/src/file_analysis/Manager.cc b/src/file_analysis/Manager.cc
index 5cc65054a0..60fd82acc4 100644
--- a/src/file_analysis/Manager.cc
+++ b/src/file_analysis/Manager.cc
@@ -19,8 +19,8 @@ namespace zeek::file_analysis
 	{
 
 Manager::Manager()
-	: plugin::ComponentManager<file_analysis::Tag, file_analysis::Component>("Files", "Tag"),
-	  current_file_id(), magic_state(), cumulative_files(0), max_files(0)
+	: plugin::ComponentManager<file_analysis::Component>("Files", "Tag"), current_file_id(),
+	  magic_state(), cumulative_files(0), max_files(0)
 	{
 	}
 
diff --git a/src/file_analysis/Manager.h b/src/file_analysis/Manager.h
index 38a5d40160..97e4c66be9 100644
--- a/src/file_analysis/Manager.h
+++ b/src/file_analysis/Manager.h
@@ -23,7 +23,6 @@ namespace analyzer
 	{
 
 class Analyzer;
-class Tag;
 
 	} // namespace analyzer
 
@@ -31,12 +30,11 @@ namespace file_analysis
 	{
 
 class File;
-class Tag;
 
 /**
  * Main entry point for interacting with file analysis.
  */
-class Manager : public plugin::ComponentManager<Tag, Component>
+class Manager : public plugin::ComponentManager<Component>
 	{
 public:
 	/**
diff --git a/src/file_analysis/Tag.cc b/src/file_analysis/Tag.cc
deleted file mode 100644
index 75e0583941..0000000000
--- a/src/file_analysis/Tag.cc
+++ /dev/null
@@ -1,27 +0,0 @@
-// See the file "COPYING" in the main distribution directory for copyright.
-
-#include "zeek/file_analysis/Tag.h"
-
-#include "zeek/file_analysis/Manager.h"
-
-namespace zeek::file_analysis
-	{
-
-const Tag Tag::Error;
-
-Tag::Tag(type_t type, subtype_t subtype) : zeek::Tag(file_mgr->GetTagType(), type, subtype) { }
-
-Tag& Tag::operator=(const Tag& other)
-	{
-	zeek::Tag::operator=(other);
-	return *this;
-	}
-
-const EnumValPtr& Tag::AsVal() const
-	{
-	return zeek::Tag::AsVal(file_mgr->GetTagType());
-	}
-
-Tag::Tag(EnumValPtr val) : zeek::Tag(std::move(val)) { }
-
-	} // namespace zeek::file_analysis
diff --git a/src/file_analysis/Tag.h b/src/file_analysis/Tag.h
index 59ce6f54b5..3f3150bc5d 100644
--- a/src/file_analysis/Tag.h
+++ b/src/file_analysis/Tag.h
@@ -6,105 +6,9 @@
 
 #include "zeek/Tag.h"
 
-namespace zeek::plugin
-	{
-template <class T> class TaggedComponent;
-template <class T, class C> class ComponentManager;
-	}
-
-namespace zeek
+namespace zeek::file_analysis
 	{
 
-class EnumVal;
+using Tag [[deprecated("Remove in v5.1. Use zeek::Tag.")]] = zeek::Tag;
 
-namespace file_analysis
-	{
-
-class Component;
-
-/**
- * Class to identify a file analyzer type.
- *
- * The script-layer analogue is Files::Tag.
- */
-class Tag : public zeek::Tag
-	{
-public:
-	/*
-	 * Copy constructor.
-	 */
-	Tag(const Tag& other) : zeek::Tag(other) { }
-
-	/**
-	 * Default constructor. This initializes the tag with an error value
-	 * that will make \c operator \c bool return false.
-	 */
-	Tag() : zeek::Tag() { }
-
-	/**
-	 * Destructor.
-	 */
-	~Tag() { }
-
-	/**
-	 * Returns false if the tag represents an error value rather than a
-	 * legal analyzer type.
-	 */
-	explicit operator bool() const { return *this != Error; }
-
-	/**
-	 * Assignment operator.
-	 */
-	Tag& operator=(const Tag& other);
-
-	/**
-	 * Compares two tags for equality.
-	 */
-	bool operator==(const Tag& other) const { return zeek::Tag::operator==(other); }
-
-	/**
-	 * Compares two tags for inequality.
-	 */
-	bool operator!=(const Tag& other) const { return zeek::Tag::operator!=(other); }
-
-	/**
-	 * Compares two tags for less-than relationship.
-	 */
-	bool operator<(const Tag& other) const { return zeek::Tag::operator<(other); }
-
-	/**
-	 * Returns the \c Files::Tag enum that corresponds to this tag.
-	 * The returned value does not have its ref-count increased.
-	 *
-	 * @param etype the script-layer enum type associated with the tag.
-	 */
-	const EnumValPtr& AsVal() const;
-
-	static const Tag Error;
-
-protected:
-	friend class plugin::ComponentManager<Tag, Component>;
-	friend class plugin::TaggedComponent<Tag>;
-
-	/**
-	 * Constructor.
-	 *
-	 * @param type The main type. Note that the \a file_analysis::Manager
-	 * manages the value space internally, so noone else should assign
-	 * main types.
-	 *
-	 * @param subtype The sub type, which is left to an analyzer for
-	 * interpretation. By default it's set to zero.
-	 */
-	explicit Tag(type_t type, subtype_t subtype = 0);
-
-	/**
-	 * Constructor.
-	 *
-	 * @param val An enum value of script type \c Files::Tag.
-	 */
-	explicit Tag(EnumValPtr val);
-	};
-
-	} // namespace file_analysis
-	} // namespace zeek
+	} // namespace zeek::file_analysis
diff --git a/src/file_analysis/analyzer/x509/X509Common.h b/src/file_analysis/analyzer/x509/X509Common.h
index 5b3eaac0dc..25d3efa558 100644
--- a/src/file_analysis/analyzer/x509/X509Common.h
+++ b/src/file_analysis/analyzer/x509/X509Common.h
@@ -23,7 +23,6 @@ namespace file_analysis
 	{
 
 class File;
-class Tag;
 
 namespace detail
 	{
diff --git a/src/input/CMakeLists.txt b/src/input/CMakeLists.txt
index 2b41487021..faad566e04 100644
--- a/src/input/CMakeLists.txt
+++ b/src/input/CMakeLists.txt
@@ -13,11 +13,9 @@ set(input_SRCS
     Manager.cc
     ReaderBackend.cc
     ReaderFrontend.cc
-    Tag.cc
 )
 
 bif_target(input.bif)
 
 bro_add_subdir_library(input ${input_SRCS})
 add_dependencies(bro_input generate_outputs)
-
diff --git a/src/input/Component.cc b/src/input/Component.cc
index 3ca4ef9d5d..e926f7e91f 100644
--- a/src/input/Component.cc
+++ b/src/input/Component.cc
@@ -10,7 +10,8 @@ namespace zeek::input
 	{
 
 Component::Component(const std::string& name, factory_callback arg_factory)
-	: plugin::Component(plugin::component::READER, name)
+	: plugin::Component(plugin::component::READER, name), plugin::TaggedComponent(
+															  0, input_mgr->GetTagType())
 	{
 	factory = arg_factory;
 	}
diff --git a/src/input/Component.h b/src/input/Component.h
index 0fb89f5fc2..d52202a414 100644
--- a/src/input/Component.h
+++ b/src/input/Component.h
@@ -15,7 +15,7 @@ class ReaderBackend;
 /**
  * Component description for plugins providing log readers.
  */
-class Component : public plugin::Component, public plugin::TaggedComponent<Tag>
+class Component : public plugin::Component, public plugin::TaggedComponent
 	{
 public:
 	using factory_callback = ReaderBackend* (*)(ReaderFrontend* frontend);
diff --git a/src/input/Manager.cc b/src/input/Manager.cc
index d8c389cef6..7dbef26ebb 100644
--- a/src/input/Manager.cc
+++ b/src/input/Manager.cc
@@ -179,7 +179,7 @@ Manager::AnalysisStream::AnalysisStream() : Manager::Stream::Stream(ANALYSIS_STR
 
 Manager::AnalysisStream::~AnalysisStream() { }
 
-Manager::Manager() : plugin::ComponentManager<input::Tag, input::Component>("Input", "Reader")
+Manager::Manager() : plugin::ComponentManager<input::Component>("Input", "Reader")
 	{
 	end_of_data = event_registry->Register("Input::end_of_data");
 	}
diff --git a/src/input/Manager.h b/src/input/Manager.h
index 9feb45a598..1c0b34d55b 100644
--- a/src/input/Manager.h
+++ b/src/input/Manager.h
@@ -26,7 +26,7 @@ class ReaderBackend;
 /**
  * Singleton class for managing input streams.
  */
-class Manager : public plugin::ComponentManager<Tag, Component>
+class Manager : public plugin::ComponentManager<Component>
 	{
 public:
 	/**
diff --git a/src/input/Tag.cc b/src/input/Tag.cc
deleted file mode 100644
index c490e91556..0000000000
--- a/src/input/Tag.cc
+++ /dev/null
@@ -1,27 +0,0 @@
-// See the file "COPYING" in the main distribution directory for copyright.
-
-#include "zeek/input/Tag.h"
-
-#include "zeek/input/Manager.h"
-
-namespace zeek::input
-	{
-
-const Tag Tag::Error;
-
-Tag::Tag(type_t type, subtype_t subtype) : zeek::Tag(input_mgr->GetTagType(), type, subtype) { }
-
-Tag& Tag::operator=(const Tag& other)
-	{
-	zeek::Tag::operator=(other);
-	return *this;
-	}
-
-const EnumValPtr& Tag::AsVal() const
-	{
-	return zeek::Tag::AsVal(input_mgr->GetTagType());
-	}
-
-Tag::Tag(EnumValPtr val) : zeek::Tag(std::move(val)) { }
-
-	} // namespace zeek::input
diff --git a/src/input/Tag.h b/src/input/Tag.h
index f62a38bc65..22da728f74 100644
--- a/src/input/Tag.h
+++ b/src/input/Tag.h
@@ -6,108 +6,9 @@
 
 #include "zeek/Tag.h"
 
-namespace zeek
+namespace zeek::input
 	{
 
-class EnumVal;
+using Tag [[deprecated("Remove in v5.1. Use zeek::Tag.")]] = zeek::Tag;
 
-namespace plugin
-	{
-
-template <class T> class TaggedComponent;
-template <class T, class C> class ComponentManager;
-
-	} // namespace plugin
-
-namespace input
-	{
-
-class Manager;
-class Component;
-
-/**
- * Class to identify a reader type.
- *
- * The script-layer analogue is Input::Reader.
- */
-class Tag : public zeek::Tag
-	{
-public:
-	/*
-	 * Copy constructor.
-	 */
-	Tag(const Tag& other) : zeek::Tag(other) { }
-
-	/**
-	 * Default constructor. This initializes the tag with an error value
-	 * that will make \c operator \c bool return false.
-	 */
-	Tag() : zeek::Tag() { }
-
-	/**
-	 * Destructor.
-	 */
-	~Tag() { }
-
-	/**
-	 * Returns false if the tag represents an error value rather than a
-	 * legal reader type.
-	 */
-	explicit operator bool() const { return *this != Error; }
-
-	/**
-	 * Assignment operator.
-	 */
-	Tag& operator=(const Tag& other);
-
-	/**
-	 * Compares two tags for equality.
-	 */
-	bool operator==(const Tag& other) const { return zeek::Tag::operator==(other); }
-
-	/**
-	 * Compares two tags for inequality.
-	 */
-	bool operator!=(const Tag& other) const { return zeek::Tag::operator!=(other); }
-
-	/**
-	 * Compares two tags for less-than relationship.
-	 */
-	bool operator<(const Tag& other) const { return zeek::Tag::operator<(other); }
-
-	/**
-	 * Returns the \c Input::Reader enum that corresponds to this tag.
-	 * The returned value does not have its ref-count increased.
-	 *
-	 * @param etype the script-layer enum type associated with the tag.
-	 */
-	const EnumValPtr& AsVal() const;
-
-	static const Tag Error;
-
-protected:
-	friend class plugin::ComponentManager<Tag, Component>;
-	friend class plugin::TaggedComponent<Tag>;
-
-	/**
-	 * Constructor.
-	 *
-	 * @param type The main type. Note that the \a input::Manager
-	 * manages the value space internally, so noone else should assign
-	 * any main types.
-	 *
-	 * @param subtype The sub type, which is left to an reader for
-	 * interpretation. By default it's set to zero.
-	 */
-	explicit Tag(type_t type, subtype_t subtype = 0);
-
-	/**
-	 * Constructor.
-	 *
-	 * @param val An enum value of script type \c Input::Reader.
-	 */
-	explicit Tag(EnumValPtr val);
-	};
-
-	} // namespace input
-	} // namespace zeek
+	} // namespace zeek::input
diff --git a/src/logging/CMakeLists.txt b/src/logging/CMakeLists.txt
index 849444b647..6a24de5149 100644
--- a/src/logging/CMakeLists.txt
+++ b/src/logging/CMakeLists.txt
@@ -15,11 +15,9 @@ set(logging_SRCS
     Manager.cc
     WriterBackend.cc
     WriterFrontend.cc
-    Tag.cc
 )
 
 bif_target(logging.bif)
 
 bro_add_subdir_library(logging ${logging_SRCS})
 add_dependencies(bro_logging generate_outputs)
-
diff --git a/src/logging/Component.cc b/src/logging/Component.cc
index ba90b7042b..04982a8248 100644
--- a/src/logging/Component.cc
+++ b/src/logging/Component.cc
@@ -10,7 +10,8 @@ namespace zeek::logging
 	{
 
 Component::Component(const std::string& name, factory_callback arg_factory)
-	: plugin::Component(plugin::component::WRITER, name)
+	: plugin::Component(plugin::component::WRITER, name), plugin::TaggedComponent(
+															  0, log_mgr->GetTagType())
 	{
 	factory = arg_factory;
 	}
diff --git a/src/logging/Component.h b/src/logging/Component.h
index 286dc7c0e3..b0b29bc02d 100644
--- a/src/logging/Component.h
+++ b/src/logging/Component.h
@@ -15,7 +15,7 @@ class WriterBackend;
 /**
  * Component description for plugins providing log writers.
  */
-class Component : public plugin::Component, public plugin::TaggedComponent<logging::Tag>
+class Component : public plugin::Component, public plugin::TaggedComponent
 	{
 public:
 	using factory_callback = WriterBackend* (*)(WriterFrontend* frontend);
diff --git a/src/logging/Manager.cc b/src/logging/Manager.cc
index 3e1b161893..5966dd87d5 100644
--- a/src/logging/Manager.cc
+++ b/src/logging/Manager.cc
@@ -132,7 +132,7 @@ Manager::Stream::~Stream()
 		delete *f;
 	}
 
-Manager::Manager() : plugin::ComponentManager<logging::Tag, logging::Component>("Log", "Writer")
+Manager::Manager() : plugin::ComponentManager<logging::Component>("Log", "Writer")
 	{
 	rotations_pending = 0;
 	}
diff --git a/src/logging/Manager.h b/src/logging/Manager.h
index 5bad3283f6..81526b8a9e 100644
--- a/src/logging/Manager.h
+++ b/src/logging/Manager.h
@@ -36,7 +36,7 @@ class RotationTimer;
 /**
  * Singleton class for managing log streams.
  */
-class Manager : public plugin::ComponentManager<Tag, Component>
+class Manager : public plugin::ComponentManager<Component>
 	{
 public:
 	/**
diff --git a/src/logging/Tag.cc b/src/logging/Tag.cc
deleted file mode 100644
index ab9de9507e..0000000000
--- a/src/logging/Tag.cc
+++ /dev/null
@@ -1,33 +0,0 @@
-// See the file "COPYING" in the main distribution directory for copyright.
-
-#include "zeek/logging/Tag.h"
-
-#include "zeek/logging/Manager.h"
-
-namespace zeek::logging
-	{
-
-const Tag Tag::Error;
-
-Tag::Tag(type_t type, subtype_t subtype) : zeek::Tag(log_mgr->GetTagType(), type, subtype) { }
-
-Tag& Tag::operator=(const Tag& other)
-	{
-	zeek::Tag::operator=(other);
-	return *this;
-	}
-
-Tag& Tag::operator=(const Tag&& other) noexcept
-	{
-	zeek::Tag::operator=(other);
-	return *this;
-	}
-
-const EnumValPtr& Tag::AsVal() const
-	{
-	return zeek::Tag::AsVal(log_mgr->GetTagType());
-	}
-
-Tag::Tag(EnumValPtr val) : zeek::Tag(std::move(val)) { }
-
-	} // namespace zeek::logging
diff --git a/src/logging/Tag.h b/src/logging/Tag.h
index e9ed93c03b..05a8bd329e 100644
--- a/src/logging/Tag.h
+++ b/src/logging/Tag.h
@@ -6,113 +6,9 @@
 
 #include "zeek/Tag.h"
 
-namespace zeek
+namespace zeek::logging
 	{
 
-class EnumVal;
+using Tag [[deprecated("Remove in v5.1. Use zeek::Tag.")]] = zeek::Tag;
 
-namespace plugin
-	{
-
-template <class T> class TaggedComponent;
-template <class T, class C> class ComponentManager;
-
-	} // namespace plugin
-
-namespace logging
-	{
-
-class Manager;
-class Component;
-
-/**
- * Class to identify a writer type.
- *
- * The script-layer analogue is Log::Writer.
- */
-class Tag : public zeek::Tag
-	{
-public:
-	/*
-	 * Copy constructor.
-	 */
-	Tag(const Tag& other) : zeek::Tag(other) { }
-
-	/**
-	 * Default constructor. This initializes the tag with an error value
-	 * that will make \c operator \c bool return false.
-	 */
-	Tag() : zeek::Tag() { }
-
-	/**
-	 * Destructor.
-	 */
-	~Tag() { }
-
-	/**
-	 * Returns false if the tag represents an error value rather than a
-	 * legal writer type.
-	 */
-	explicit operator bool() const { return *this != Error; }
-
-	/**
-	 * Assignment operator.
-	 */
-	Tag& operator=(const Tag& other);
-
-	/**
-	 * Move assignment operator.
-	 */
-	Tag& operator=(const Tag&& other) noexcept;
-
-	/**
-	 * Compares two tags for equality.
-	 */
-	bool operator==(const Tag& other) const { return zeek::Tag::operator==(other); }
-
-	/**
-	 * Compares two tags for inequality.
-	 */
-	bool operator!=(const Tag& other) const { return zeek::Tag::operator!=(other); }
-
-	/**
-	 * Compares two tags for less-than relationship.
-	 */
-	bool operator<(const Tag& other) const { return zeek::Tag::operator<(other); }
-
-	/**
-	 * Returns the \c Log::Writer enum that corresponds to this tag.
-	 * The returned value does not have its ref-count increased.
-	 *
-	 * @param etype the script-layer enum type associated with the tag.
-	 */
-	const EnumValPtr& AsVal() const;
-
-	static const Tag Error;
-
-protected:
-	friend class plugin::ComponentManager<Tag, Component>;
-	friend class plugin::TaggedComponent<Tag>;
-
-	/**
-	 * Constructor.
-	 *
-	 * @param type The main type. Note that the \a logging::Manager
-	 * manages the value space internally, so noone else should assign
-	 * any main types.
-	 *
-	 * @param subtype The sub type, which is left to an writer for
-	 * interpretation. By default it's set to zero.
-	 */
-	explicit Tag(type_t type, subtype_t subtype = 0);
-
-	/**
-	 * Constructor.
-	 *
-	 * @param val An enum value of script type \c Log::Writer.
-	 */
-	explicit Tag(EnumValPtr val);
-	};
-
-	} // namespace logging
-	} // namespace zeek
+	} // namespace zeek::logging
diff --git a/src/packet_analysis/CMakeLists.txt b/src/packet_analysis/CMakeLists.txt
index e823e0399c..b59202ae2d 100644
--- a/src/packet_analysis/CMakeLists.txt
+++ b/src/packet_analysis/CMakeLists.txt
@@ -13,7 +13,6 @@ set(packet_analysis_SRCS
     Dispatcher.cc
     Manager.cc
     Component.cc
-    Tag.cc
     )
 
 bro_add_subdir_library(packet_analysis ${packet_analysis_SRCS})
diff --git a/src/packet_analysis/Component.cc b/src/packet_analysis/Component.cc
index 21798cb973..e4651aa700 100644
--- a/src/packet_analysis/Component.cc
+++ b/src/packet_analysis/Component.cc
@@ -9,8 +9,9 @@ using namespace zeek::packet_analysis;
 
 Component::Component(const std::string& name, factory_callback arg_factory,
                      Tag::subtype_t arg_subtype)
-	: plugin::Component(plugin::component::PACKET_ANALYZER, name),
-	  plugin::TaggedComponent<packet_analysis::Tag>(arg_subtype)
+	: plugin::Component(plugin::component::PACKET_ANALYZER, name), plugin::TaggedComponent(
+																	   arg_subtype,
+																	   packet_mgr->GetTagType())
 	{
 	factory = arg_factory;
 	}
diff --git a/src/packet_analysis/Component.h b/src/packet_analysis/Component.h
index c58525e293..25203940bd 100644
--- a/src/packet_analysis/Component.h
+++ b/src/packet_analysis/Component.h
@@ -17,7 +17,7 @@ namespace zeek::packet_analysis
 class Analyzer;
 using AnalyzerPtr = std::shared_ptr<Analyzer>;
 
-class Component : public plugin::Component, public plugin::TaggedComponent<packet_analysis::Tag>
+class Component : public plugin::Component, public plugin::TaggedComponent
 	{
 public:
 	using factory_callback = std::function<AnalyzerPtr()>;
diff --git a/src/packet_analysis/Manager.cc b/src/packet_analysis/Manager.cc
index dc53ce4bbc..dfc2ac8dd9 100644
--- a/src/packet_analysis/Manager.cc
+++ b/src/packet_analysis/Manager.cc
@@ -13,9 +13,7 @@
 
 using namespace zeek::packet_analysis;
 
-Manager::Manager()
-	: plugin::ComponentManager<packet_analysis::Tag, packet_analysis::Component>("PacketAnalyzer",
-                                                                                 "Tag")
+Manager::Manager() : plugin::ComponentManager<packet_analysis::Component>("PacketAnalyzer", "Tag")
 	{
 	}
 
diff --git a/src/packet_analysis/Manager.h b/src/packet_analysis/Manager.h
index ecb659db23..ba1a4d8b81 100644
--- a/src/packet_analysis/Manager.h
+++ b/src/packet_analysis/Manager.h
@@ -29,7 +29,7 @@ namespace packet_analysis
 class Analyzer;
 using AnalyzerPtr = std::shared_ptr<Analyzer>;
 
-class Manager : public plugin::ComponentManager<Tag, Component>
+class Manager : public plugin::ComponentManager<Component>
 	{
 public:
 	/**
diff --git a/src/packet_analysis/Tag.cc b/src/packet_analysis/Tag.cc
deleted file mode 100644
index 625a37dc4b..0000000000
--- a/src/packet_analysis/Tag.cc
+++ /dev/null
@@ -1,27 +0,0 @@
-// See the file "COPYING" in the main distribution directory for copyright.
-
-#include "zeek/packet_analysis/Tag.h"
-
-#include "zeek/packet_analysis/Manager.h"
-
-namespace zeek::packet_analysis
-	{
-
-Tag Tag::Error;
-
-Tag::Tag(type_t type, subtype_t subtype) : zeek::Tag(packet_mgr->GetTagType(), type, subtype) { }
-
-Tag& Tag::operator=(const Tag& other)
-	{
-	zeek::Tag::operator=(other);
-	return *this;
-	}
-
-const IntrusivePtr<EnumVal>& Tag::AsVal() const
-	{
-	return zeek::Tag::AsVal(packet_mgr->GetTagType());
-	}
-
-Tag::Tag(IntrusivePtr<EnumVal> val) : zeek::Tag(std::move(val)) { }
-
-	}
diff --git a/src/packet_analysis/Tag.h b/src/packet_analysis/Tag.h
index 8feb482c06..bf1ee1ef66 100644
--- a/src/packet_analysis/Tag.h
+++ b/src/packet_analysis/Tag.h
@@ -6,99 +6,9 @@
 
 #include "zeek/Tag.h"
 
-namespace zeek::plugin
-	{
-template <class T> class TaggedComponent;
-template <class T, class C> class ComponentManager;
-	}
-
 namespace zeek::packet_analysis
 	{
 
-class Manager;
-class Component;
+using Tag [[deprecated("Remove in v5.1. Use zeek::Tag.")]] = zeek::Tag;
 
-/**
- * Class to identify a protocol analyzer type.
- */
-class Tag : public zeek::Tag
-	{
-public:
-	/*
-	 * Copy constructor.
-	 */
-	Tag(const Tag& other) : zeek::Tag(other) { }
-
-	/**
-	 * Default constructor. This initializes the tag with an error value
-	 * that will make \c operator \c bool return false.
-	 */
-	Tag() : zeek::Tag() { }
-
-	/**
-	 * Destructor.
-	 */
-	~Tag() = default;
-
-	/**
-	 * Returns false if the tag represents an error value rather than a
-	 * legal analyzer type.
-	 */
-	explicit operator bool() const { return *this != Tag(); }
-
-	/**
-	 * Assignment operator.
-	 */
-	Tag& operator=(const Tag& other);
-
-	/**
-	 * Compares two tags for equality.
-	 */
-	bool operator==(const Tag& other) const { return zeek::Tag::operator==(other); }
-
-	/**
-	 * Compares two tags for inequality.
-	 */
-	bool operator!=(const Tag& other) const { return zeek::Tag::operator!=(other); }
-
-	/**
-	 * Compares two tags for less-than relationship.
-	 */
-	bool operator<(const Tag& other) const { return zeek::Tag::operator<(other); }
-
-	/**
-	 * Returns the \c Analyzer::Tag enum that corresponds to this tag.
-	 * The returned value does not have its ref-count increased.
-	 *
-	 * @param etype the script-layer enum type associated with the tag.
-	 */
-	const IntrusivePtr<EnumVal>& AsVal() const;
-
-	static Tag Error;
-
-protected:
-	friend class packet_analysis::Manager;
-	friend class plugin::ComponentManager<Tag, Component>;
-	friend class plugin::TaggedComponent<Tag>;
-
-	/**
-	 * Constructor.
-	 *
-	 * @param type The main type. Note that the \a zeek::packet_analysis::Manager
-	 * manages the value space internally, so noone else should assign any main
-	 * types.
-	 *
-	 * @param subtype The sub type, which is left to an analyzer for
-	 * interpretation. By default it's set to zero.
-	 */
-	explicit Tag(type_t type, subtype_t subtype = 0);
-
-	/**
-	 * Constructor.
-	 *
-	 * @param val An enum value of script type \c Analyzer::Tag.
-	 */
-	explicit Tag(IntrusivePtr<EnumVal> val);
-	};
-
-	}
+	} // namespace zeek::packet_analysis
diff --git a/src/plugin/ComponentManager.h b/src/plugin/ComponentManager.h
index a1bb6d80be..48c5763ebf 100644
--- a/src/plugin/ComponentManager.h
+++ b/src/plugin/ComponentManager.h
@@ -7,6 +7,7 @@
 #include "zeek/DebugLogger.h"
 #include "zeek/Reporter.h"
 #include "zeek/Scope.h"
+#include "zeek/Tag.h"
 #include "zeek/Type.h"
 #include "zeek/Val.h"
 #include "zeek/Var.h" // for add_type()
@@ -20,10 +21,9 @@ namespace zeek::plugin
  * installs identifiers in the script-layer to identify them by a unique tag,
  * (a script-layer enum value).
  *
- * @tparam T A ::Tag type or derivative.
  * @tparam C A plugin::TaggedComponent type derivative.
  */
-template <class T, class C> class ComponentManager
+template <class C> class ComponentManager
 	{
 public:
 	/**
@@ -59,7 +59,7 @@ public:
 	 * @param tag A component's tag.
 	 * @return The canonical component name.
 	 */
-	const std::string& GetComponentName(T tag) const;
+	const std::string& GetComponentName(zeek::Tag tag) const;
 
 	/**
 	 * Get a component name from it's enum value.
@@ -76,7 +76,7 @@ public:
 	 * @return The component's tag, or a tag representing an error if
 	 * no such component assoicated with the name exists.
 	 */
-	T GetComponentTag(const std::string& name) const;
+	zeek::Tag GetComponentTag(const std::string& name) const;
 
 	/**
 	 * Get a component tag from its enum value.
@@ -85,7 +85,7 @@ public:
 	 * @return The component's tag, or a tag representing an error if
 	 * no such component assoicated with the value exists.
 	 */
-	T GetComponentTag(Val* v) const;
+	zeek::Tag GetComponentTag(Val* v) const;
 
 	/**
 	 * Add a component the internal maps used to keep track of it and create
@@ -110,7 +110,7 @@ public:
 	 * @return The component associated with the tag or a null pointer if no
 	 * such component exists.
 	 */
-	C* Lookup(const T& tag) const;
+	C* Lookup(const zeek::Tag& tag) const;
 
 	/**
 	 * @param name A component's enum value.
@@ -123,12 +123,12 @@ private:
 	std::string module; /**< Script layer module in which component tags live. */
 	EnumTypePtr tag_enum_type; /**< Enum type of component tags. */
 	std::map<std::string, C*> components_by_name;
-	std::map<T, C*> components_by_tag;
+	std::map<zeek::Tag, C*> components_by_tag;
 	std::map<int, C*> components_by_val;
 	};
 
-template <class T, class C>
-ComponentManager<T, C>::ComponentManager(const std::string& arg_module, const std::string& local_id)
+template <class C>
+ComponentManager<C>::ComponentManager(const std::string& arg_module, const std::string& local_id)
 	: module(arg_module), tag_enum_type(make_intrusive<EnumType>(module + "::" + local_id))
 	{
 	auto id = zeek::detail::install_ID(local_id.c_str(), module.c_str(), true, true);
@@ -136,15 +136,15 @@ ComponentManager<T, C>::ComponentManager(const std::string& arg_module, const st
 	zeek::detail::zeekygen_mgr->Identifier(std::move(id));
 	}
 
-template <class T, class C> const std::string& ComponentManager<T, C>::GetModule() const
+template <class C> const std::string& ComponentManager<C>::GetModule() const
 	{
 	return module;
 	}
 
-template <class T, class C> std::list<C*> ComponentManager<T, C>::GetComponents() const
+template <class C> std::list<C*> ComponentManager<C>::GetComponents() const
 	{
 	std::list<C*> rval;
-	typename std::map<T, C*>::const_iterator i;
+	typename std::map<zeek::Tag, C*>::const_iterator i;
 
 	for ( i = components_by_tag.begin(); i != components_by_tag.end(); ++i )
 		rval.push_back(i->second);
@@ -152,12 +152,12 @@ template <class T, class C> std::list<C*> ComponentManager<T, C>::GetComponents(
 	return rval;
 	}
 
-template <class T, class C> const EnumTypePtr& ComponentManager<T, C>::GetTagType() const
+template <class C> const EnumTypePtr& ComponentManager<C>::GetTagType() const
 	{
 	return tag_enum_type;
 	}
 
-template <class T, class C> const std::string& ComponentManager<T, C>::GetComponentName(T tag) const
+template <class C> const std::string& ComponentManager<C>::GetComponentName(zeek::Tag tag) const
 	{
 	static const std::string error = "<error>";
 
@@ -173,45 +173,44 @@ template <class T, class C> const std::string& ComponentManager<T, C>::GetCompon
 	return error;
 	}
 
-template <class T, class C>
-const std::string& ComponentManager<T, C>::GetComponentName(EnumValPtr val) const
+template <class C> const std::string& ComponentManager<C>::GetComponentName(EnumValPtr val) const
 	{
-	return GetComponentName(T(std::move(val)));
+	return GetComponentName(zeek::Tag(std::move(val)));
 	}
 
-template <class T, class C> T ComponentManager<T, C>::GetComponentTag(const std::string& name) const
+template <class C> zeek::Tag ComponentManager<C>::GetComponentTag(const std::string& name) const
 	{
 	C* c = Lookup(name);
-	return c ? c->Tag() : T();
+	return c ? c->Tag() : zeek::Tag();
 	}
 
-template <class T, class C> T ComponentManager<T, C>::GetComponentTag(Val* v) const
+template <class C> zeek::Tag ComponentManager<C>::GetComponentTag(Val* v) const
 	{
 	C* c = Lookup(v->AsEnumVal());
-	return c ? c->Tag() : T();
+	return c ? c->Tag() : zeek::Tag();
 	}
 
-template <class T, class C> C* ComponentManager<T, C>::Lookup(const std::string& name) const
+template <class C> C* ComponentManager<C>::Lookup(const std::string& name) const
 	{
 	typename std::map<std::string, C*>::const_iterator i = components_by_name.find(
 		util::to_upper(name));
 	return i != components_by_name.end() ? i->second : 0;
 	}
 
-template <class T, class C> C* ComponentManager<T, C>::Lookup(const T& tag) const
+template <class C> C* ComponentManager<C>::Lookup(const zeek::Tag& tag) const
 	{
-	typename std::map<T, C*>::const_iterator i = components_by_tag.find(tag);
+	typename std::map<zeek::Tag, C*>::const_iterator i = components_by_tag.find(tag);
 	return i != components_by_tag.end() ? i->second : 0;
 	}
 
-template <class T, class C> C* ComponentManager<T, C>::Lookup(EnumVal* val) const
+template <class C> C* ComponentManager<C>::Lookup(EnumVal* val) const
 	{
 	typename std::map<int, C*>::const_iterator i = components_by_val.find(val->InternalInt());
 	return i != components_by_val.end() ? i->second : 0;
 	}
 
-template <class T, class C>
-void ComponentManager<T, C>::RegisterComponent(C* component, const std::string& prefix)
+template <class C>
+void ComponentManager<C>::RegisterComponent(C* component, const std::string& prefix)
 	{
 	std::string cname = component->CanonicalName();
 
diff --git a/src/plugin/TaggedComponent.cc b/src/plugin/TaggedComponent.cc
new file mode 100644
index 0000000000..da285d1499
--- /dev/null
+++ b/src/plugin/TaggedComponent.cc
@@ -0,0 +1,36 @@
+#include "zeek/plugin/TaggedComponent.h"
+
+#include "zeek/IntrusivePtr.h"
+#include "zeek/Type.h"
+
+namespace zeek::plugin
+	{
+
+Tag::type_t TaggedComponent::type_counter(0);
+
+TaggedComponent::TaggedComponent(Tag::subtype_t subtype, EnumTypePtr etype)
+	: tag(etype, 1, 0), subtype(subtype), initialized(false), etype(std::move(etype))
+	{
+	}
+
+/**
+ * Initializes tag by creating the unique tag value for thos componend.
+ * Has to be called exactly once.
+ */
+void TaggedComponent::InitializeTag()
+	{
+	assert(initialized == false);
+	initialized = true;
+	tag = zeek::Tag(etype, ++type_counter, subtype);
+	}
+
+/**
+ * @return The component's tag.
+ */
+zeek::Tag TaggedComponent::Tag() const
+	{
+	assert(initialized);
+	return tag;
+	}
+
+	} // namespace zeek::plugin
diff --git a/src/plugin/TaggedComponent.h b/src/plugin/TaggedComponent.h
index 055aba79ae..4e0c853ab8 100644
--- a/src/plugin/TaggedComponent.h
+++ b/src/plugin/TaggedComponent.h
@@ -2,15 +2,16 @@
 
 #include <cassert>
 
+#include "zeek/Tag.h"
+#include "zeek/Type.h"
+
 namespace zeek::plugin
 	{
 
 /**
  * A class which has a tag of a given type associated with it.
- *
- * @tparam T A ::Tag type or derivative.
  */
-template <class T> class TaggedComponent
+class TaggedComponent
 	{
 public:
 	/**
@@ -24,7 +25,7 @@ public:
 	 * and component instances can accordingly access it via Tag().
 	 * If not used, leave at zero.
 	 */
-	explicit TaggedComponent(typename T::subtype_t subtype = 0);
+	explicit TaggedComponent(Tag::subtype_t subtype = 0, zeek::EnumTypePtr etype = nullptr);
 
 	/**
 	 * Initializes tag by creating the unique tag value for thos componend.
@@ -35,36 +36,15 @@ public:
 	/**
 	 * @return The component's tag.
 	 */
-	T Tag() const;
+	zeek::Tag Tag() const;
 
 private:
-	T tag; /**< The automatically assigned analyzer tag. */
-	typename T::subtype_t subtype;
+	zeek::Tag tag; /**< The automatically assigned analyzer tag. */
+	Tag::subtype_t subtype;
 	bool initialized;
-	static typename T::type_t type_counter; /**< Used to generate globally
+	EnumTypePtr etype;
+	static Tag::type_t type_counter; /**< Used to generate globally
 	                                             unique tags. */
 	};
 
-template <class T> TaggedComponent<T>::TaggedComponent(typename T::subtype_t subtype)
-	{
-	tag = T(1, 0);
-	this->subtype = subtype;
-	initialized = false;
-	}
-
-template <class T> void TaggedComponent<T>::InitializeTag()
-	{
-	assert(initialized == false);
-	initialized = true;
-	tag = T(++type_counter, subtype);
-	}
-
-template <class T> T TaggedComponent<T>::Tag() const
-	{
-	assert(initialized);
-	return tag;
-	}
-
-template <class T> typename T::type_t TaggedComponent<T>::type_counter(0);
-
 	} // namespace zeek::plugin
diff --git a/testing/btest/Baseline/scripts.base.files.x509.files/files.log b/testing/btest/Baseline/scripts.base.files.x509.files/files.log
index 13ceb3e627..1232fff183 100644
--- a/testing/btest/Baseline/scripts.base.files.x509.files/files.log
+++ b/testing/btest/Baseline/scripts.base.files.x509.files/files.log
@@ -7,10 +7,10 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	fuid	tx_hosts	rx_hosts	conn_uids	source	depth	analyzers	mime_type	filename	duration	local_orig	is_orig	seen_bytes	total_bytes	missing_bytes	overflow_bytes	timedout	parent_fuid	md5	sha1	sha256
 #types	time	string	set[addr]	set[addr]	set[string]	string	count	set[string]	string	string	interval	bool	bool	count	count	count	count	bool	string	string	string	string
-XXXXXXXXXX.XXXXXX	FgN3AE3of2TRIqaeQe	74.125.239.129	192.168.4.149	CHhAvVGS1DHFjwGM9	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-user-cert	-	0.000000	-	F	1859	-	0	0	F	-	7af07aca6d5c6e8e87fe4bb34786edc0	548b9e03bc183d1cd39f93a37985cb3950f8f06f	6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43
-XXXXXXXXXX.XXXXXX	Fv2Agc4z5boBOacQi6	74.125.239.129	192.168.4.149	CHhAvVGS1DHFjwGM9	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	-	F	1032	-	0	0	F	-	9e4ac96474245129d9766700412a1f89	d83c1a7f4d0446bb2081b81a1670f8183451ca24	a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d
-XXXXXXXXXX.XXXXXX	Ftmyeg2qgI2V38Dt3g	74.125.239.129	192.168.4.149	CHhAvVGS1DHFjwGM9	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	-	F	897	-	0	0	F	-	2e7db2a31d0e3da4b25f49b9542a2e1a	7359755c6df9a0abc3060bce369564c8ec4542a3	3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0
-XXXXXXXXXX.XXXXXX	FUFNf84cduA0IJCp07	74.125.239.129	192.168.4.149	ClEkJM2Vm5giqnMf4h	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-user-cert	-	0.000000	-	F	1859	-	0	0	F	-	7af07aca6d5c6e8e87fe4bb34786edc0	548b9e03bc183d1cd39f93a37985cb3950f8f06f	6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43
-XXXXXXXXXX.XXXXXX	F1H4bd2OKGbLPEdHm4	74.125.239.129	192.168.4.149	ClEkJM2Vm5giqnMf4h	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	-	F	1032	-	0	0	F	-	9e4ac96474245129d9766700412a1f89	d83c1a7f4d0446bb2081b81a1670f8183451ca24	a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d
-XXXXXXXXXX.XXXXXX	Fgsbci2jxFXYMOHOhi	74.125.239.129	192.168.4.149	ClEkJM2Vm5giqnMf4h	SSL	0	SHA256,X509,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	-	F	897	-	0	0	F	-	2e7db2a31d0e3da4b25f49b9542a2e1a	7359755c6df9a0abc3060bce369564c8ec4542a3	3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0
+XXXXXXXXXX.XXXXXX	FgN3AE3of2TRIqaeQe	74.125.239.129	192.168.4.149	CHhAvVGS1DHFjwGM9	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-user-cert	-	0.000000	-	F	1859	-	0	0	F	-	7af07aca6d5c6e8e87fe4bb34786edc0	548b9e03bc183d1cd39f93a37985cb3950f8f06f	6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43
+XXXXXXXXXX.XXXXXX	Fv2Agc4z5boBOacQi6	74.125.239.129	192.168.4.149	CHhAvVGS1DHFjwGM9	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	-	F	1032	-	0	0	F	-	9e4ac96474245129d9766700412a1f89	d83c1a7f4d0446bb2081b81a1670f8183451ca24	a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d
+XXXXXXXXXX.XXXXXX	Ftmyeg2qgI2V38Dt3g	74.125.239.129	192.168.4.149	CHhAvVGS1DHFjwGM9	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	-	F	897	-	0	0	F	-	2e7db2a31d0e3da4b25f49b9542a2e1a	7359755c6df9a0abc3060bce369564c8ec4542a3	3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0
+XXXXXXXXXX.XXXXXX	FUFNf84cduA0IJCp07	74.125.239.129	192.168.4.149	ClEkJM2Vm5giqnMf4h	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-user-cert	-	0.000000	-	F	1859	-	0	0	F	-	7af07aca6d5c6e8e87fe4bb34786edc0	548b9e03bc183d1cd39f93a37985cb3950f8f06f	6bacfa4536150ed996f2b0c05ab6e345a257225f449aeb9d2018ccd88f4ede43
+XXXXXXXXXX.XXXXXX	F1H4bd2OKGbLPEdHm4	74.125.239.129	192.168.4.149	ClEkJM2Vm5giqnMf4h	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	-	F	1032	-	0	0	F	-	9e4ac96474245129d9766700412a1f89	d83c1a7f4d0446bb2081b81a1670f8183451ca24	a047a37fa2d2e118a4f5095fe074d6cfe0e352425a7632bf8659c03919a6c81d
+XXXXXXXXXX.XXXXXX	Fgsbci2jxFXYMOHOhi	74.125.239.129	192.168.4.149	ClEkJM2Vm5giqnMf4h	SSL	0	X509,SHA256,SHA1,MD5	application/x-x509-ca-cert	-	0.000000	-	F	897	-	0	0	F	-	2e7db2a31d0e3da4b25f49b9542a2e1a	7359755c6df9a0abc3060bce369564c8ec4542a3	3c35cc963eb004451323d3275d05b353235053490d9cd83729a2faf5e7ca1cc0
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
index ef314c68db..c05aab1097 100644
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
@@ -862,195 +862,195 @@ XXXXXXXXXX.XXXXXX file_sniff
                   [1] meta: fa_metadata  = [mime_type=application/x-x509-user-cert, mime_types=<uninitialized>, inferred=F]
 
 XXXXXXXXXX.XXXXXX file_hash
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
-                  [1] kind: string       = md5
-                  [2] hash: string       = 1bf9696d9f337805383427e88781d001
-
-XXXXXXXXXX.XXXXXX file_hash
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] kind: string       = sha256
                   [2] hash: string       = f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56
 
+XXXXXXXXXX.XXXXXX file_hash
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [1] kind: string       = sha1
+                  [2] hash: string       = f5ccb1a724133607548b00d8eb402efca3076d58
+
 XXXXXXXXXX.XXXXXX x509_certificate
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] cert_ref: opaque of x509 = <no value description>
                   [2] cert: X509::Certificate = [version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]
 
 XXXXXXXXXX.XXXXXX x509_ext_basic_constraints
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::BasicConstraints = [ca=F, path_len=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]
 
 XXXXXXXXXX.XXXXXX x509_ext_subject_alternative_name
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::SubjectAlternativeName = [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]
 
 XXXXXXXXXX.XXXXXX file_hash
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
-                  [1] kind: string       = sha1
-                  [2] hash: string       = f5ccb1a724133607548b00d8eb402efca3076d58
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [1] kind: string       = md5
+                  [2] hash: string       = 1bf9696d9f337805383427e88781d001
 
 XXXXXXXXXX.XXXXXX file_state_remove
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX file_new
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX file_over_new_connection
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
-                  [1] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 XXXXXXXXXX.XXXXXX file_sniff
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] meta: fa_metadata  = [mime_type=application/x-x509-ca-cert, mime_types=<uninitialized>, inferred=F]
 
 XXXXXXXXXX.XXXXXX file_hash
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
-                  [1] kind: string       = md5
-                  [2] hash: string       = 48f0e38385112eeca5fc9ffd402eaecd
-
-XXXXXXXXXX.XXXXXX file_hash
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] kind: string       = sha256
                   [2] hash: string       = ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b
 
+XXXXXXXXXX.XXXXXX file_hash
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [1] kind: string       = sha1
+                  [2] hash: string       = 8e8321ca08b08e3726fe1d82996884eeb5f0d655
+
 XXXXXXXXXX.XXXXXX x509_certificate
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] cert_ref: opaque of x509 = <no value description>
                   [2] cert: X509::Certificate = [version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]
 
 XXXXXXXXXX.XXXXXX x509_ext_basic_constraints
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::BasicConstraints = [ca=T, path_len=0]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]
 
 XXXXXXXXXX.XXXXXX file_hash
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a\x09]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
-                  [1] kind: string       = sha1
-                  [2] hash: string       = 8e8321ca08b08e3726fe1d82996884eeb5f0d655
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a\x09]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [1] kind: string       = md5
+                  [2] hash: string       = 48f0e38385112eeca5fc9ffd402eaecd
 
 XXXXXXXXXX.XXXXXX file_state_remove
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a\x09]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a\x09]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX ssl_handshake_message
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] msg_type: count    = 11
                   [3] length: count      = 2507
 
 XXXXXXXXXX.XXXXXX ssl_handshake_message
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Csx, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Csx, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] msg_type: count    = 14
                   [3] length: count      = 0
 
 XXXXXXXXXX.XXXXXX ssl_plaintext_data
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Csxn, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Csxn, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] record_version: count = 771
                   [3] content_type: count = 22
                   [4] length: count      = 2596
 
 XXXXXXXXXX.XXXXXX ssl_handshake_message
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 43.962479 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Csxn, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 43.962479 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Csxn, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] msg_type: count    = 16
                   [3] length: count      = 258
 
 XXXXXXXXXX.XXXXXX ssl_plaintext_data
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 43.962479 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnG, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 43.962479 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnG, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] record_version: count = 771
                   [3] content_type: count = 22
                   [4] length: count      = 262
 
 XXXXXXXXXX.XXXXXX ssl_change_cipher_spec
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=474, state=4, num_pkts=6, num_bytes_ip=732, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 44.916153 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnG, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=474, state=4, num_pkts=6, num_bytes_ip=732, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 44.916153 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnG, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
 
 XXXXXXXXXX.XXXXXX ssl_plaintext_data
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=474, state=4, num_pkts=6, num_bytes_ip=732, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 44.916153 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=474, state=4, num_pkts=6, num_bytes_ip=732, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 44.916153 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] record_version: count = 771
                   [3] content_type: count = 20
                   [4] length: count      = 1
 
 XXXXXXXXXX.XXXXXX ssl_change_cipher_spec
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 548.950195 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 548.950195 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
 
 XXXXXXXXXX.XXXXXX ssl_plaintext_data
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 548.950195 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 548.950195 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] record_version: count = 771
                   [3] content_type: count = 20
                   [4] length: count      = 1
 
 XXXXXXXXXX.XXXXXX ssl_established
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 548.950195 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 548.950195 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX net_done
                   [0] t: time            = XXXXXXXXXX.XXXXXX
@@ -1058,7 +1058,7 @@ XXXXXXXXXX.XXXXXX net_done
 XXXXXXXXXX.XXXXXX Broker::log_flush
 XXXXXXXXXX.XXXXXX filter_change_tracking
 XXXXXXXXXX.XXXXXX connection_state_remove
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 701.946259 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 701.946259 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX connection_state_remove
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49153/tcp, resp_h=17.172.238.21, resp_p=5223/tcp], orig=[size=714, state=3, num_pkts=1, num_bytes_ip=766, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=3, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=147.0 msecs 503.137589 usecs, service={\x0a\x0a}, history=Da, uid=C37jN32gN3y3AZzyf6, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/really-all-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/really-all-events.log
index 3836b0306c..ddceeae2e6 100644
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/really-all-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/really-all-events.log
@@ -8794,162 +8794,162 @@ XXXXXXXXXX.XXXXXX file_sniff
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX file_hash
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
-                  [1] kind: string       = md5
-                  [2] hash: string       = 1bf9696d9f337805383427e88781d001
-
-XXXXXXXXXX.XXXXXX file_hash
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] kind: string       = sha256
                   [2] hash: string       = f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56
 
+XXXXXXXXXX.XXXXXX file_hash
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [1] kind: string       = sha1
+                  [2] hash: string       = f5ccb1a724133607548b00d8eb402efca3076d58
+
 XXXXXXXXXX.XXXXXX x509_certificate
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] cert_ref: opaque of x509 = <no value description>
                   [2] cert: X509::Certificate = [version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]
 
 XXXXXXXXXX.XXXXXX x509_ext_basic_constraints
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::BasicConstraints = [ca=F, path_len=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]
 
 XXXXXXXXXX.XXXXXX x509_ext_subject_alternative_name
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=<uninitialized>, basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::SubjectAlternativeName = [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]
 
 XXXXXXXXXX.XXXXXX file_hash
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=<uninitialized>, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
-                  [1] kind: string       = sha1
-                  [2] hash: string       = f5ccb1a724133607548b00d8eb402efca3076d58
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [1] kind: string       = md5
+                  [2] hash: string       = 1bf9696d9f337805383427e88781d001
 
 XXXXXXXXXX.XXXXXX file_state_remove
-                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=FTerEX1QTrF67YJcA3, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX file_new
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX X509::log_x509
                   [0] rec: X509::Info    = [ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]]
 
 XXXXXXXXXX.XXXXXX Files::log_files
-                  [0] rec: Files::Info   = [ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]
+                  [0] rec: Files::Info   = [ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX file_over_new_connection
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
-                  [1] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0a}, rx_hosts={\x0a\x0a}, conn_uids={\x0a\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [1] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [2] is_orig: bool      = F
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX file_sniff
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0a\x0a}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] meta: fa_metadata  = [mime_type=application/x-x509-ca-cert, mime_types=<uninitialized>, inferred=F]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX file_hash
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
-                  [1] kind: string       = md5
-                  [2] hash: string       = 48f0e38385112eeca5fc9ffd402eaecd
-
-XXXXXXXXXX.XXXXXX file_hash
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] kind: string       = sha256
                   [2] hash: string       = ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b
 
+XXXXXXXXXX.XXXXXX file_hash
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [1] kind: string       = sha1
+                  [2] hash: string       = 8e8321ca08b08e3726fe1d82996884eeb5f0d655
+
 XXXXXXXXXX.XXXXXX x509_certificate
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] cert_ref: opaque of x509 = <no value description>
                   [2] cert: X509::Certificate = [version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]
 
 XXXXXXXXXX.XXXXXX x509_ext_basic_constraints
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=<uninitialized>, extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::BasicConstraints = [ca=T, path_len=0]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a]
 
 XXXXXXXXXX.XXXXXX x509_extension
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
                   [1] ext: X509::Extension = [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]
 
 XXXXXXXXXX.XXXXXX file_hash
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a\x09]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=<uninitialized>, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
-                  [1] kind: string       = sha1
-                  [2] hash: string       = 8e8321ca08b08e3726fe1d82996884eeb5f0d655
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a\x09]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [1] kind: string       = md5
+                  [2] hash: string       = 48f0e38385112eeca5fc9ffd402eaecd
 
 XXXXXXXXXX.XXXXXX file_state_remove
-                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a\x09]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
+                  [0] f: fa_file         = [id=F58hAEwidvB37CYEf, parent_id=<uninitialized>, source=SSL, is_orig=F, conns={\x0a\x09[[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp]] = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a\x09}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09\x09SSL::finalize_ssl\x0a\x09\x09{ \x0a\x09\x09if (!SSL::c?$ssl) \x0a\x09\x09\x09return ;\x0a\x0a\x09\x09if (!SSL::c$ssl$logged) \x0a\x09\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09\x09SSL::finish(SSL::c, F);\x0a\x09\x09}\x0a\x09}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a\x09], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a\x09], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x09\x0917.167.150.73\x0a\x09}, rx_hosts={\x0a\x09\x09192.168.133.100\x0a\x09}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a\x09}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a\x09}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a\x09]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a\x09], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a\x09], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a\x09], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a\x09]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]\x0a}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=<uninitialized>], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX ssl_handshake_message
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Cs, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] msg_type: count    = 11
                   [3] length: count      = 2507
 
 XXXXXXXXXX.XXXXXX ssl_handshake_message
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Csx, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Csx, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] msg_type: count    = 14
                   [3] length: count      = 0
 
 XXXXXXXXXX.XXXXXX ssl_plaintext_data
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Csxn, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=2, num_bytes_ip=1532, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 423.881531 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Csxn, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] record_version: count = 771
                   [3] content_type: count = 22
@@ -8963,15 +8963,15 @@ XXXXXXXXXX.XXXXXX X509::log_x509
                   [0] rec: X509::Info    = [ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]]
 
 XXXXXXXXXX.XXXXXX Files::log_files
-                  [0] rec: Files::Info   = [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]
+                  [0] rec: Files::Info   = [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 494.930267 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Csxn, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 494.930267 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Csxn, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=40, id=10474, ttl=64, p=6, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393581, ack=2319612745, hl=20, dl=0, reserved=0, flags=16, win=8155], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 494.930267 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Csxn, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=4, num_bytes_ip=385, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=303.0 msecs 494.930267 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Csxn, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] flags: string      = A
                   [3] seq: count         = 202
@@ -8985,15 +8985,15 @@ XXXXXXXXXX.XXXXXX raw_packet
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 43.962479 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Csxn, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 43.962479 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Csxn, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=307, id=4791, ttl=64, p=6, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393581, ack=2319612745, hl=20, dl=267, reserved=0, flags=24, win=8192], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 43.962479 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Csxn, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 43.962479 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Csxn, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] contents: string   = \x16\x03\x03\x01\x06\x10\x00\x01\x02\x01\x00A\x8e)<\xc0\xaa\xe4\x99\xac\xddGv\x1as~,u\x9c<\x0b\xb31\\x96\xff\x8b\x1f\xc1D+mnJ:\xa0s\x99\x10\xe0\xaf_d\xdfs\xa5\x1eQ\x7f\xd7\xd0\x04t7\x8e\x91\\x10\xb7\x07\x7f\xf7tz\xc0\xff:\xb3\xa1\xd1\xcb\x843\xa6w \xef\xf6\x959D\x04\xf1\x1f\x9d+ClXJ[\xda\x01\x9d\xc5\xac\xee\x81\x10\xad3\xd5\x8b.\xa5\xf2\x03\xacP\xdf\xc1\xcfB\xc6d\xe8\xe4O\xd0\x08\x88\x17#\x1c\xe2\xe4K\x94f\xfd\xca\x1a\x1c-H:RSU\xe5\x83\xd0&C\xfb\x10c\x19\xa0\xae\xf3Vi\xe7\x8a\xad\xa9j6]\xc7\xa5\xac\xea\x11|\xec\x0a\x8d\xb6\xadlF\xeeI\xa8\x12d.\xf8\xa6~\x1a5\xc5ba\x90\x11\x15"\xf4\x99\xf6t\xc0\x07\x06\xd5l\x91.\x11\x0b\xd7>\xf6\x97\x9cI\xc4\xf3\x1a\xf8\xc6\xe3\x18L#d\xea\x0c\x02\xa8\xe0-\xdaU\x04\x09\x9eh\xe1$\x10g\x09\x85\xc5w-\xabJ\xb1\xce\x84\xa4\xaf&\xa0\xbc\x94\xd9\xefg~\xa5
 
 XXXXXXXXXX.XXXXXX tcp_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 43.962479 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Csxn, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 43.962479 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Csxn, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] flags: string      = AP
                   [3] seq: count         = 202
@@ -9002,17 +9002,17 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = \x16\x03\x03\x01\x06\x10\x00\x01\x02\x01\x00A\x8e)<\xc0\xaa\xe4\x99\xac\xddGv\x1as~,u\x9c<\x0b\xb31\\x96\xff\x8b\x1f\xc1D+mnJ:\xa0s\x99\x10\xe0\xaf_d\xdfs\xa5\x1eQ\x7f\xd7\xd0\x04t7\x8e\x91\\x10\xb7\x07\x7f\xf7tz\xc0\xff:\xb3\xa1\xd1\xcb\x843\xa6w \xef\xf6\x959D\x04\xf1\x1f\x9d+ClXJ[\xda\x01\x9d\xc5\xac\xee\x81\x10\xad3\xd5\x8b.\xa5\xf2\x03\xacP\xdf\xc1\xcfB\xc6d\xe8\xe4O\xd0\x08\x88\x17#\x1c\xe2\xe4K\x94f\xfd\xca\x1a\x1c-H:RSU\xe5\x83\xd0&C\xfb\x10c\x19\xa0\xae\xf3Vi\xe7\x8a\xad\xa9j6]\xc7\xa5\xac\xea\x11|\xec\x0a\x8d\xb6\xadlF\xeeI\xa8\x12d.\xf8\xa6~\x1a5\xc5ba\x90\x11\x15"\xf4\x99\xf6t\xc0\x07\x06\xd5l\x91.\x11\x0b\xd7>\xf6\x97\x9cI\xc4\xf3\x1a\xf8\xc6\xe3\x18L#d\xea\x0c\x02\xa8\xe0-\xdaU\x04\x09\x9eh\xe1$\x10g\x09\x85\xc5w-\xabJ\xb1\xce\x84\xa4\xaf&\xa0\xbc\x94\xd9\xefg~\xa5
 
 XXXXXXXXXX.XXXXXX ssl_rsa_client_pms
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 43.962479 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Csxn, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 43.962479 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Csxn, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] pms: string        = \x01\x00A\x8e)<\xc0\xaa\xe4\x99\xac\xddGv\x1as~,u\x9c<\x0b\xb31\\x96\xff\x8b\x1f\xc1D+mnJ:\xa0s\x99\x10\xe0\xaf_d\xdfs\xa5\x1eQ\x7f\xd7\xd0\x04t7\x8e\x91\\x10\xb7\x07\x7f\xf7tz\xc0\xff:\xb3\xa1\xd1\xcb\x843\xa6w \xef\xf6\x959D\x04\xf1\x1f\x9d+ClXJ[\xda\x01\x9d\xc5\xac\xee\x81\x10\xad3\xd5\x8b.\xa5\xf2\x03\xacP\xdf\xc1\xcfB\xc6d\xe8\xe4O\xd0\x08\x88\x17#\x1c\xe2\xe4K\x94f\xfd\xca\x1a\x1c-H:RSU\xe5\x83\xd0&C\xfb\x10c\x19\xa0\xae\xf3Vi\xe7\x8a\xad\xa9j6]\xc7\xa5\xac\xea\x11|\xec\x0a\x8d\xb6\xadlF\xeeI\xa8\x12d.\xf8\xa6~\x1a5\xc5ba\x90\x11\x15"\xf4\x99\xf6t\xc0\x07\x06\xd5l\x91.\x11\x0b\xd7>\xf6\x97\x9cI\xc4\xf3\x1a\xf8\xc6\xe3\x18L#d\xea\x0c\x02\xa8\xe0-\xdaU\x04\x09\x9eh\xe1$\x10g\x09\x85\xc5w-\xabJ\xb1\xce\x84\xa4\xaf&\xa0\xbc\x94\xd9\xefg~\xa5
 
 XXXXXXXXXX.XXXXXX ssl_handshake_message
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 43.962479 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Csxn, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 43.962479 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=Csxn, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] msg_type: count    = 16
                   [3] length: count      = 258
 
 XXXXXXXXXX.XXXXXX ssl_plaintext_data
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 43.962479 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnG, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=468, state=4, num_pkts=5, num_bytes_ip=425, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 43.962479 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnG, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] record_version: count = 771
                   [3] content_type: count = 22
@@ -9024,15 +9024,15 @@ XXXXXXXXXX.XXXXXX raw_packet
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=474, state=4, num_pkts=6, num_bytes_ip=732, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 44.916153 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnG, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=474, state=4, num_pkts=6, num_bytes_ip=732, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 44.916153 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnG, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=46, id=53789, ttl=64, p=6, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393848, ack=2319612745, hl=20, dl=6, reserved=0, flags=24, win=8192], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=474, state=4, num_pkts=6, num_bytes_ip=732, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 44.916153 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnG, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=474, state=4, num_pkts=6, num_bytes_ip=732, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 44.916153 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnG, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] contents: string   = \x14\x03\x03\x00\x01\x01
 
 XXXXXXXXXX.XXXXXX tcp_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=474, state=4, num_pkts=6, num_bytes_ip=732, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 44.916153 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnG, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=474, state=4, num_pkts=6, num_bytes_ip=732, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 44.916153 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnG, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] flags: string      = AP
                   [3] seq: count         = 469
@@ -9041,11 +9041,11 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = \x14\x03\x03\x00\x01\x01
 
 XXXXXXXXXX.XXXXXX ssl_change_cipher_spec
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=474, state=4, num_pkts=6, num_bytes_ip=732, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 44.916153 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnG, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=474, state=4, num_pkts=6, num_bytes_ip=732, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 44.916153 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnG, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
 
 XXXXXXXXXX.XXXXXX ssl_plaintext_data
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=474, state=4, num_pkts=6, num_bytes_ip=732, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 44.916153 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=474, state=4, num_pkts=6, num_bytes_ip=732, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 44.916153 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] record_version: count = 771
                   [3] content_type: count = 20
@@ -9057,15 +9057,15 @@ XXXXXXXXXX.XXXXXX raw_packet
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=7, num_bytes_ip=778, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 44.916153 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=7, num_bytes_ip=778, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 44.916153 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=77, id=51331, ttl=64, p=6, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393854, ack=2319612745, hl=20, dl=37, reserved=0, flags=24, win=8192], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=7, num_bytes_ip=778, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 44.916153 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=7, num_bytes_ip=778, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 44.916153 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] contents: string   = \x16\x03\x03\x00 \x1c\x1c\x84S/9\x14e\xb6'\xe5,\x03\x0fY\xdf\x1b\xcfu\xc84\xae\x1a"\xea]9j'\xbeZ\xa7
 
 XXXXXXXXXX.XXXXXX tcp_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=7, num_bytes_ip=778, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 44.916153 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=7, num_bytes_ip=778, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 44.916153 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] flags: string      = AP
                   [3] seq: count         = 475
@@ -9074,7 +9074,7 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = \x16\x03\x03\x00 \x1c\x1c\x84S/9\x14e\xb6'\xe5,\x03\x0fY\xdf\x1b\xcfu\xc84\xae\x1a"\xea]9j'\xbeZ\xa7
 
 XXXXXXXXXX.XXXXXX ssl_encrypted_data
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=7, num_bytes_ip=778, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 44.916153 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=7, num_bytes_ip=778, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=377.0 msecs 44.916153 usecs, service={\x0aSSL\x0a}, history=ShADd, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] record_version: count = 771
                   [3] content_type: count = 22
@@ -9086,11 +9086,11 @@ XXXXXXXXXX.XXXXXX raw_packet
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 362.983704 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 362.983704 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=40, id=50803, ttl=243, p=6, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319612745, ack=3289393848, hl=20, dl=0, reserved=0, flags=16, win=2908], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 362.983704 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=3, num_bytes_ip=2733, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 362.983704 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] flags: string      = A
                   [3] seq: count         = 2602
@@ -9104,11 +9104,11 @@ XXXXXXXXXX.XXXXXX raw_packet
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=4, num_bytes_ip=2773, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 400.892258 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=4, num_bytes_ip=2773, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 400.892258 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=40, id=50804, ttl=243, p=6, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319612745, ack=3289393854, hl=20, dl=0, reserved=0, flags=16, win=3268], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=4, num_bytes_ip=2773, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 400.892258 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=4, num_bytes_ip=2773, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 400.892258 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] flags: string      = A
                   [3] seq: count         = 2602
@@ -9122,11 +9122,11 @@ XXXXXXXXXX.XXXXXX raw_packet
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=5, num_bytes_ip=2813, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 489.822388 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=5, num_bytes_ip=2813, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 489.822388 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=40, id=50805, ttl=243, p=6, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319612745, ack=3289393891, hl=20, dl=0, reserved=0, flags=16, win=3626], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=5, num_bytes_ip=2813, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 489.822388 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2601, state=4, num_pkts=5, num_bytes_ip=2813, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 489.822388 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] flags: string      = A
                   [3] seq: count         = 2602
@@ -9140,15 +9140,15 @@ XXXXXXXXXX.XXXXXX raw_packet
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 548.950195 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 548.950195 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=83, id=50807, ttl=243, p=6, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319612745, ack=3289393891, hl=20, dl=43, reserved=0, flags=24, win=3626], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 548.950195 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 548.950195 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] contents: string   = \x14\x03\x03\x00\x01\x01\x16\x03\x03\x00 Z\x99\x17~d\x06\xbd;\xb4\xdf\xe2\xb3~9,|\xac\xdb\xb4\xeb\xcc\x95.\x17\xd2Q\x8a\x96\xdb\x13\x09!
 
 XXXXXXXXXX.XXXXXX tcp_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 548.950195 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 548.950195 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] flags: string      = AP
                   [3] seq: count         = 2602
@@ -9157,21 +9157,21 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [6] payload: string    = \x14\x03\x03\x00\x01\x01\x16\x03\x03\x00 Z\x99\x17~d\x06\xbd;\xb4\xdf\xe2\xb3~9,|\xac\xdb\xb4\xeb\xcc\x95.\x17\xd2Q\x8a\x96\xdb\x13\x09!
 
 XXXXXXXXXX.XXXXXX ssl_change_cipher_spec
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 548.950195 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 548.950195 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGI, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
 
 XXXXXXXXXX.XXXXXX ssl_plaintext_data
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 548.950195 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 548.950195 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] record_version: count = 771
                   [3] content_type: count = 20
                   [4] length: count      = 1
 
 XXXXXXXXXX.XXXXXX ssl_established
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 548.950195 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 548.950195 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=35, established=F, logged=F, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[], client_cert_chain=[], client_cert_chain_fps=[], subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX ssl_encrypted_data
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 548.950195 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=6, num_bytes_ip=2853, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 548.950195 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] record_version: count = 771
                   [3] content_type: count = 22
@@ -9182,15 +9182,15 @@ XXXXXXXXXX.XXXXXX raw_packet
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX SSL::log_ssl
-                  [0] rec: SSL::Info     = [ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0]
+                  [0] rec: SSL::Info     = [ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0]
 
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=7, num_bytes_ip=2936, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 623.813629 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=7, num_bytes_ip=2936, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 623.813629 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=40, id=18678, ttl=64, p=6, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393891, ack=2319612788, hl=20, dl=0, reserved=0, flags=16, win=8190], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=7, num_bytes_ip=2936, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 623.813629 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=511, state=4, num_pkts=8, num_bytes_ip=855, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=7, num_bytes_ip=2936, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=584.0 msecs 623.813629 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] flags: string      = A
                   [3] seq: count         = 512
@@ -9204,15 +9204,15 @@ XXXXXXXXXX.XXXXXX raw_packet
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=1132, state=4, num_pkts=9, num_bytes_ip=895, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=7, num_bytes_ip=2936, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=586.0 msecs 261.034012 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=1132, state=4, num_pkts=9, num_bytes_ip=895, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=7, num_bytes_ip=2936, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=586.0 msecs 261.034012 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=661, id=10957, ttl=64, p=6, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289393891, ack=2319612788, hl=20, dl=621, reserved=0, flags=24, win=8192], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=1132, state=4, num_pkts=9, num_bytes_ip=895, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=7, num_bytes_ip=2936, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=586.0 msecs 261.034012 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=1132, state=4, num_pkts=9, num_bytes_ip=895, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=7, num_bytes_ip=2936, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=586.0 msecs 261.034012 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] contents: string   = \x17\x03\x03\x02h\xb3\xc7\xe1\xb6|\xfeW\xee]\xac/\xba\x97\x8ai\xcaK4\xaf\xb9V\xe4\xa0G\x95\xa7\x93\xc8K\x8d\x88\x82p\xbdA\x93U;B\xcf\x0c\x87\xc2\x90\x8a\x80?'\x18\xcc\xcb+\xd7\xec\x95\xcaWA?\xb8t\xe0\xe7?\xdbJ.E\xb1\xea\xa7\xcd\x9a\x1e{\xaf\xca(\x03\xb9j\xc8;5\xe4\xca\x1for\xe5\x13F\xff; \xac\xe9\x97E\xb5\xb9\xc3\x0a\x97\xd1"\xf4\x15\x96{q\xb4\x11\xf2\xe1<\x91\x1f\xc6'l\xbf\xb6\x17\xae\x17!F\xbc\xb2\xecD\xb8\xeeS\x13a\x97\xd7b\x9a?\xb0e\x1d\x8c\xd3x\xa6.\xe9\x9c)\xd0\xe7>\xf8\x96\xa5%\x1b\xe4YQ|\x93\xc1\xf9F\x8c\x07U\xe6/zL\xae\xc1@\x83[\x89k\xfbE\xcc?\xa47;\x0d\xa6Y\x98\x08\xa9\xe025e}_\xdbK\xdeZ\x1cE\xb7\xd9 'OD.w\xf2Ho\x96\x94\xd4M\x9d\x1b'\x05\x14\xd8\x0c2\xd6\xf3\x15\xf3'[\x9a\x94\xc9\x96\x99A\x1a]\x9b+\x17\x03k\x92\x9c\x8f\x99\xc5\xfbz\xaa\xc3\x88\xf8H\xcbV\xd054\xef\xdbH\xc2\x88\x11\xf3\xf8l\x0c6\x1e9\xa8;\xf9:\x0d\xd2qMN\xbb9+\xabL\x94}\xff\xbe\xe6\xef\xe7\xa6\x1b\xa2\xcd\xba\xee\x84\x87e\xf4&\xc3g\xb1?N$\xe1\xa4"\x09S8\xff\xa8\xbf\xba9\xf48\x1b\x7f[\xf2\xb2\xba\xbb<\x83\xb0\xc5\xefk\xb6k?\xbe\xfc,T\x1b\x9dX\xff\xe1\x91\x18\xd9U\x13W\x09\xa6\xd6\x8aNV+x\xc6\xa3g\x85\xe6\xd7>\xf6\x9a`$\xa5\xeaA\x16\x0a\xc7u\xe4\x00\xdb\x987.2\x8a\xef\x8a\x86{\x17\x06E\x88\x12\xc8B\x04\x97\xe0\xec\xe3vBQ\x15\x81O.\xbc\xc6D\xfa2\xa6v\x1b\x0dle\xfc\xef(]\x9dI\x18"\xd4\xd1\x8e\xbaR\xa6\x17\xb7THv}\xb4]\xae&\x0f{\xd6C\x8b\x92d\xee\xd9\xb68.]\x08uP\xb6^AZ\x0e-E.\xb9\xadn\x05\x7f\xd5\x14\xa8%F)\x84\xa1v\xda\xa0/C\xc8\xf9\x1fAo;\xb1\xffd\xb0\xdfG\xeaT\x940\xdb#\xe2\xdbp\x86s&RJt\xc6\xb1iB\xe8F5\xe2\x83.I\x03\x1dV\x1cs\xcf\xb5\x88\xcf\x13h%\x8a\xbe\xdc\xaa\xc4r3\xc3\x06tj\xf6\x96R\x8a\xf3\x90\xa63\x9c[J\xff\x1c]1\x974d\x0b#O\xc72\x00\x92b"\x1f\x14y\x05A\x85k\x16\x03\x8cB\xf3\xfb\xc4\xf9\xd4\x1f3>\xa2\x9c\xba\x08e\xd67\x00sL\x99\x9fW
 
 XXXXXXXXXX.XXXXXX tcp_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=1132, state=4, num_pkts=9, num_bytes_ip=895, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=7, num_bytes_ip=2936, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=586.0 msecs 261.034012 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=1132, state=4, num_pkts=9, num_bytes_ip=895, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=7, num_bytes_ip=2936, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=586.0 msecs 261.034012 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] flags: string      = AP
                   [3] seq: count         = 512
@@ -9226,15 +9226,15 @@ XXXXXXXXXX.XXXXXX raw_packet
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=10, num_bytes_ip=1556, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=7, num_bytes_ip=2936, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=586.0 msecs 365.938187 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=10, num_bytes_ip=1556, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=7, num_bytes_ip=2936, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=586.0 msecs 365.938187 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=1157, id=57830, ttl=64, p=6, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289394512, ack=2319612788, hl=20, dl=1117, reserved=0, flags=24, win=8192], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=10, num_bytes_ip=1556, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=7, num_bytes_ip=2936, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=586.0 msecs 365.938187 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=10, num_bytes_ip=1556, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=7, num_bytes_ip=2936, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=586.0 msecs 365.938187 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] contents: string   = \x17\x03\x03\x04X<,@\xce{\xe2\xed\x1d\xe7\xec\\\x96RT\x94y\xa4\xa8%,\xb5X\xe2X\xc0$\x0e\xf1\xde\x0d\xd0C\xc3_\xa84H?\x93\x13\xeb\x89\x12\x98\xa0\xd0\xf6\xbayU\xfd\xf4T\xf6Qb\xa1\xc5j\xe8\xcc9\xb5\xfd\xbds\xf7CT\xbe\xaa\xaa\x14V\x8c\x0aC9&&\x05\xe6\xd8\x8c\xacVbCF\x0f\xc7A\x01^\xd2\x15\x18\xaa\xf8\xdfI\xf8.v\x08Q\xb3K\xfe\xa0\x84\xe5\x93Y\xd9T:\x8c^\xe1\xe5\xf6BY}A=\xee\x970n\xddE;m\x01\xdb,t\x14\xed/\x9a\xdeU\xe7\x92_\xa3\x88\xc8`\xf6n\x0e-\xd5\xd82\xb3\xd8[\xf1\xf5fey\xdb\xab\xfeN\xe9\x94\xf6#\xac\xbd\x9b\xf7\xde\xfb\x17\xf9\x8c\x97\x8f:\xdf\x87KQpK\x93\xb4\xb2r0\xe39\xc2\x85\x8d\x95)\x19le\xdb\xd4S\xb3\x85\xcb\xa7\x96\x1e\x00\xba\xee\x0f\x01\xb6mNf\x82uAH\xba\xa6\xef\xdch\x1c*\x97C\xe5\xc3>\x91^\xc8\xe0S\x07\x96\x02\x94z{\x87\x0f\x9c\xc5\xcd\x009\x09K<\xe7 T\x8d\xda\xce\xca\x00ea*v2\x83\xfd\xef\x8d2\xcd0J\xff\x0ad\xcd\x8a\x9el\x90\x02\xfe\xc8\x9c%<\xa4\xed\x1c\xac \x8c\xf4\xe5\x9c\x9c^\x0cJ\xb4\x06\xff\xc6#\x07=\xe299!Q\x13\xf1\xdb\xc1\xfe\xa6&\xd7D};Y\xechBD(\x81\x9c\x8c\xd6\x80\xaa{uA\xfcj\xa3\xd0Vq\xb4Z\x01\xb3\xc4\x9f\x9d\xb9\xc0\xe4`}\xb2\x01o\xf9\xe4\x87\xbe\xd0\x94_\xba0\xffN\x82E\x1c\xc9\xc9\x8d\xae\xd5{\x9fIkV\x98\x81\xed\x00\xbeo\xe9\x97\xc7\x07B\xb4\\xcd\xfb\x94h\xde\x0d\xe6M\x8eb\x94\xa1\x04V\x89\xc5\x0e\xd8\xc7}\xc2\x0f8\xaf\xd0a\xef\xdf\xac\x9c1~\x04\x109\x0ef\xa7_\xe0\xa1RF<\x94\xc2O\xebT,\xde7\xf7\x19\xb1\xf3\x91\xba#\xf4\x98Y\x9d"l\xa6\xf8\xb3\xfd\xc6\xcb\xf6+t\x00\xd7\xb9\xe8S\xb5a\xc5K\xd6c\xe9\xe7\xcd2\xe1b\x8f\xfbe\xf1u\xb2Wa\x0eE\xe0\x85\xe8h\x8e8\x90\xd3\x83i\xbf\x8dOK5\xc6\xba\x1a;\x1bt\xbb\x85\x90\x1b\xcf\x10g\x9f\x81\x96N\xca\x81\xb5{C\xf2G\xd4]\xf3\xc9Q\x85M\x1e/5{N!\x18\xd6%\xbby\x03\xb1mc\xd4\x92\x15\x8f\x09\xc3\xf6Z\xaa,\xa3z\xd3\x97D\xf8\xf0\x82\x14\xad\xa7\x0aFs\xa0\xfbU\x84\xea\x14^\x1f{\x0a\x91[\xcc\x97\x87\x9a\x82p\xffu,\xcd\xa1\xd5\x1a\xa4_:\xfd_\xcd\xe5i\xcc\x0c=\x93"e\x19\xab\x83\xbbr\xa9\x1e\x92\xc2Bg\xd0\x8f\xef\x85\xd0\x9b\xdc\x09B\xd2C\x09\x8c\xb8\xf3\xc9\xf7F\xd0\x8c\xf5sb\xc5\x070~\xe0\xb0\xe7y\x1d\xe6\xdf\xb1G\xa3Vi\x91\x0fg\xce\xd1\x86\xb7\x99\x90rT\xa0(\xcf\x9eT\x18\xa4\xb4=\x16\x1e-j\x19}\x9bS\xd1\x10e9\xcc\xbe1O\xcb\xb1\xa6\xc5WT\xb8A\xc3\x13\xf3\x13ra\xf3O\xea\xe9\xa1\xea\xb1\x0f\xa3\xce^\xbd\xe9\x93,\x8ao\xf3y\xd2\xf7\xba$\x92oX\xb2(\xea\x94\xbd\xeb}\x08 \x85\xe4$1tK\xda(\xfa\xdd\xcdX9\xa4L\xdb\x19k\x12T\xa8\xe6@\xf55\xa0\x85@\xec\x9dD\xe6SK\xbc@\x05\x93*-z\x17]\xe6\x13l`\x13f\x0a\xf18\xdbvkU\x90\xe6\x88S\x9b\x85)\x9fa`\x08\xea\xe5Q\x96\x04\xf1fe\xdei\xbd\xc9\xb3x\xff7\xd2\x0f6\x82YA\xf1_\x04x\x81QMf\xe6uD%\x95\x7f\xf6ph\xbf\x7f\xa6\xea\x98\x8f\x1f<G\xe5U\xc5I\xf3\xd1?\x83\xc6\xb2\xbd\xa2I*\xeceN\x91b\xd9\xc2\xa3\xc2\xf3\xc2\x17\x0ch\xeeH\x15\xf4\xc1x\xc7"\xacj\x8a@\x07\xa4+\xa0\xab\xf7\xc2\xb8\xd1\xc8\xd8\xfc\x07\x1b\x12'I!\x90\xb7\x88\xd8\x1a\xbf\xdeq\x98\xe9\xf6=\xedHmH\x84)\x09p\xbb!\x95\xc1qP\x13\xba\x1f\xdd\xf7\\x831\xb2\xd8\x82N\xdfM\x81K\xf5\x95+\xdd\xc2\xcd\xc5"\xc8\x14\x81>\xa6\x18.\xdeh\xd1\x94\xa9k\x13\x0a\x12\xaf\x9c\xe2\xd6\x96\x05\x9e\xb1\xc3\xcaEx\xb8c\xbf\xa1\xaa38g\xa7\x0d\xc0\x99\x83\xbc1<\x0c}\xb9#\x0c\x1a\xb3\x0e\xc4X?`\x15\x8e\xcc\xb9\xa1F#\xb5\x84N3\xc9\xcd\xb4\xf3\x0a{5\xcd\x1a\xd5f\xf8*\xef\x1e\x16\xc1\xef\xea|!\xe9\xaapy&~qx\xaa\xbeY\xa0X\x92'\x83\x89\xf5s\xa5\xeb\x8f&At\x93j\xcc\xe7\xb8(C\x9d
 
 XXXXXXXXXX.XXXXXX tcp_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=10, num_bytes_ip=1556, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=7, num_bytes_ip=2936, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=586.0 msecs 365.938187 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=10, num_bytes_ip=1556, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=7, num_bytes_ip=2936, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=586.0 msecs 365.938187 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] flags: string      = AP
                   [3] seq: count         = 1133
@@ -9248,11 +9248,11 @@ XXXXXXXXXX.XXXXXX raw_packet
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=11, num_bytes_ip=2713, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=7, num_bytes_ip=2936, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=735.0 msecs 651.016235 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=11, num_bytes_ip=2713, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=7, num_bytes_ip=2936, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=735.0 msecs 651.016235 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=40, id=50808, ttl=243, p=6, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319612788, ack=3289394512, hl=20, dl=0, reserved=0, flags=16, win=3947], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=11, num_bytes_ip=2713, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=7, num_bytes_ip=2936, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=735.0 msecs 651.016235 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=11, num_bytes_ip=2713, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=7, num_bytes_ip=2936, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=735.0 msecs 651.016235 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] flags: string      = A
                   [3] seq: count         = 2645
@@ -9266,11 +9266,11 @@ XXXXXXXXXX.XXXXXX raw_packet
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=11, num_bytes_ip=2713, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=8, num_bytes_ip=2976, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=736.0 msecs 14.842987 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=11, num_bytes_ip=2713, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=8, num_bytes_ip=2976, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=736.0 msecs 14.842987 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=40, id=50809, ttl=243, p=6, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319612788, ack=3289395629, hl=20, dl=0, reserved=0, flags=16, win=4237], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=11, num_bytes_ip=2713, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=8, num_bytes_ip=2976, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=736.0 msecs 14.842987 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=11, num_bytes_ip=2713, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=2644, state=4, num_pkts=8, num_bytes_ip=2976, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=736.0 msecs 14.842987 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] flags: string      = A
                   [3] seq: count         = 2645
@@ -9284,15 +9284,15 @@ XXXXXXXXXX.XXXXXX raw_packet
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=11, num_bytes_ip=2713, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3031, state=4, num_pkts=9, num_bytes_ip=3016, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=755.0 msecs 894.899368 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=11, num_bytes_ip=2713, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3031, state=4, num_pkts=9, num_bytes_ip=3016, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=755.0 msecs 894.899368 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=427, id=50811, ttl=243, p=6, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319612788, ack=3289395629, hl=20, dl=387, reserved=0, flags=24, win=4237], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=11, num_bytes_ip=2713, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3031, state=4, num_pkts=9, num_bytes_ip=3016, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=755.0 msecs 894.899368 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=11, num_bytes_ip=2713, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3031, state=4, num_pkts=9, num_bytes_ip=3016, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=755.0 msecs 894.899368 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] contents: string   = \x17\x03\x03\x01~^\x0a\x11^Z\xfb\x1e\x9fV2\x00V\xa4\x7fkj.\x97\xc8\xd7\xbc1\xf5M\xd5\x06\xb6y\xca\xd3\x12#\\x87\xa9\x1d\xad\xbe\xd0\xbe\x88\xb2\x99\x1b\x16mb!\xed\xd0^\x04]\x85\xbdw\x8d\x94\xad!\xea\x08~}\x06\x09\x97\x8c\xf3H\xa0\x10'\x14^977\xf5J\xee\xf7G\xaeV_\xe9\xbdx,\xb4\xb7\xa7\xe7u\xdd\xff\xa4\xf5\x9a\xe8z~Y\x12.\xdb\x1d\x0e\x0c\xe5k\xd9/\xee\xd0;\x94<\xf9~QT\xc7?\xac_\xb3\xae\xd9\x0e;\x1c\xa7\x82\xdavy\xb0\xe8\x1a\xa3\xc6\xdf\x8c\xec\xb4\xe9^\x97\xca\xce\x06\xf3m\x15Nd\x96\xb5-c\xdd(\x9f\xed\x0ag\x05s\xbd\xc3v\x00'\x1b\x86j<@\xb6\xed\x88\x1fZI\x809-GKAu\xb2>" \xa0I\xa90\xbc\x83\xcb\x9f\xd5~\xf0n\xef\xe7\xf3\x7f\x93s0\xc4\xa3\x83\xd8J\x1fPsjx\x83\xe3p\xe6b\x99\xd2\x8d\xa6qV\xbe\xef\x8c\xfc\xed-\xebvLg\xf1\xe5L\xe4\x12\x8c9\x9e\x10%%k\x17\xc9\x8c%=1!\xd7\x08\xc3\xa3r\xe6\xda\xc7\xba\xb4\x7f}\xf9\x15\xfd\xef\xe1\xd0\xb0\x0a\x0a!AT6%\xf8\x1a|\x85\xe5\xd5\x0d\x1a\xad\xb4\x8c\xd4\x123\x80d4s\x15\x0d3\xb4\x83\xe7\xa7,l0\x9dSq:\x1c\x9d\x09&~Q\xc7'u\xe8}Qj\x88\xc3\xcd\x7ft\x80\xcc\xb8\\xfc{\xcb\xaa\xa9\x99xaS\x0c\xab\x81\xfe'}`J\xd4a6\xcb\xe0D\x12\xfa\xbd\x02\xbc\x0c\xc0\x1b\x14Q\x9a\xbd\xd9
 
 XXXXXXXXXX.XXXXXX tcp_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=11, num_bytes_ip=2713, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3031, state=4, num_pkts=9, num_bytes_ip=3016, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=755.0 msecs 894.899368 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=11, num_bytes_ip=2713, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3031, state=4, num_pkts=9, num_bytes_ip=3016, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=755.0 msecs 894.899368 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] flags: string      = AP
                   [3] seq: count         = 2645
@@ -9306,11 +9306,11 @@ XXXXXXXXXX.XXXXXX raw_packet
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=11, num_bytes_ip=2713, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3031, state=4, num_pkts=10, num_bytes_ip=3443, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 0.041962 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=11, num_bytes_ip=2713, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3031, state=4, num_pkts=10, num_bytes_ip=3443, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 0.041962 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=40, id=57216, ttl=64, p=6, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289395629, ack=2319613175, hl=20, dl=0, reserved=0, flags=16, win=8179], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=11, num_bytes_ip=2713, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3031, state=4, num_pkts=10, num_bytes_ip=3443, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 0.041962 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=11, num_bytes_ip=2713, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3031, state=4, num_pkts=10, num_bytes_ip=3443, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 0.041962 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] flags: string      = A
                   [3] seq: count         = 2250
@@ -9324,15 +9324,15 @@ XXXXXXXXXX.XXXXXX raw_packet
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=12, num_bytes_ip=2753, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3067, state=4, num_pkts=10, num_bytes_ip=3443, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 251.811981 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=12, num_bytes_ip=2753, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3067, state=4, num_pkts=10, num_bytes_ip=3443, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 251.811981 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=76, id=50813, ttl=243, p=6, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319613175, ack=3289395629, hl=20, dl=36, reserved=0, flags=24, win=4237], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=12, num_bytes_ip=2753, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3067, state=4, num_pkts=10, num_bytes_ip=3443, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 251.811981 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=12, num_bytes_ip=2753, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3067, state=4, num_pkts=10, num_bytes_ip=3443, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 251.811981 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] contents: string   = \x17\x03\x03\x00\x1f\x86\xcbd\x09A\xce\xf6\x10BC*\xde\xe9\x1a\x0e\B\xccr\xbe\xe4\xe4A`+[\x19\x9dh/\x0b
 
 XXXXXXXXXX.XXXXXX tcp_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=12, num_bytes_ip=2753, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3067, state=4, num_pkts=10, num_bytes_ip=3443, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 251.811981 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=12, num_bytes_ip=2753, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3067, state=4, num_pkts=10, num_bytes_ip=3443, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 251.811981 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] flags: string      = AP
                   [3] seq: count         = 3032
@@ -9346,11 +9346,11 @@ XXXXXXXXXX.XXXXXX raw_packet
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=12, num_bytes_ip=2753, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3067, state=4, num_pkts=11, num_bytes_ip=3519, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 317.853928 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=12, num_bytes_ip=2753, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3067, state=4, num_pkts=11, num_bytes_ip=3519, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 317.853928 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=40, id=61089, ttl=64, p=6, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289395629, ack=2319613211, hl=20, dl=0, reserved=0, flags=16, win=8190], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=12, num_bytes_ip=2753, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3067, state=4, num_pkts=11, num_bytes_ip=3519, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 317.853928 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=12, num_bytes_ip=2753, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3067, state=4, num_pkts=11, num_bytes_ip=3519, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 317.853928 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] flags: string      = A
                   [3] seq: count         = 2250
@@ -9364,15 +9364,15 @@ XXXXXXXXXX.XXXXXX raw_packet
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=13, num_bytes_ip=2793, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3627, state=4, num_pkts=11, num_bytes_ip=3519, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 594.896317 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=13, num_bytes_ip=2793, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3627, state=4, num_pkts=11, num_bytes_ip=3519, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 594.896317 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=600, id=50815, ttl=243, p=6, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319613211, ack=3289395629, hl=20, dl=560, reserved=0, flags=24, win=4237], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=13, num_bytes_ip=2793, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3627, state=4, num_pkts=11, num_bytes_ip=3519, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 594.896317 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=13, num_bytes_ip=2793, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3627, state=4, num_pkts=11, num_bytes_ip=3519, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 594.896317 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] contents: string   = \x17\x03\x03\x02+\xb3\x16\x88+\x1d\xcc#\xdb\x91;d\xe5&\xa2\xa7\x12\x19W<\xb3m\xe7d\x89\x98f\x98}J\x0c\xdb\x0d\xba\xe1A\xf5\xeb\x90 yY\xa5\x82O\x85\xd0\x02\xbc\x1d\xa6w\x9a\xe8\xfe5\x91\xcfkrwn,\x12\xc0'\xe2\xb5\xf8\xff\x15\xfd\xc9Kq\x1fY\xfb1p\xd6\x11;7\x89\xc4\xddQ]\x19C\xcf\x80\xac\xbc\xa1\x8ch\xb0\x87e3\x85-o\x17\xbc@\xb5M\x82\x82Q\x93$!G1~\xa5"\x8aE\xc3\x83\xd7\x8d\xa1H\xa4\x84\x8c\xab\x84T\xc56\x89\x16\xa9Q\x1d\x8e\xc0\xa0\xe2\x01\x02\x8e=\xce\x7f{\xc6E\xf3Z\xd9\x059\x19:\xfc\x19\xe7Tb6_\x02\x9eH#\x86\xae\xfe\xac\xe3\xbe\xfb\xc2\xb9$;\x0e\x0e,7\x09\xac.\x96\x008\xdax\xbd\xef\x88\x1e@\x98\x97\x97\xb6A\x0c\xf2^\x87\x036\xe3@\x9d\x08\xf5\xb4\x9ay\xd4AIc\x08P\x95\xfd\xde\x9a23\xd8\x047>C\x81g{\x0d\xd9\xb4\x99\xc2\xd5\x8e?\xb9\x1d\x9di\x14\xdd\x98Q\xd4\x12\x18\x07\x02\x1cr\xb8%6T0\xb5l\x1e\xa9\x85U\x8d\xc5=`Q\xa2\x05lF\x96\x9d\xf0\xdd\xe0\xb5T:K\x94O\x81\x97\xaa\xd9\x1dQE\xfd\xa6C\xbc\xd9\xaa\xcc\xef{\x14Z\xfc\x0d\xaez4\x96\xa2q\x91\x9aN{@Y\xef\x1dt\xe06\x9e\xd7\xd9H\xdbw\xed{\xf6\Y\xf4\x96l\xd9\\xb5\x0fH\xcf-\xf1\x1c\xf5\x9a%\x06\x8e\xde\xbbk\xa5\N\xbf\x16\xea_SN\xa4\x1fp\x93TY\x1f\xf0\x08=\x9al\x83)\xf1."z\xd2Z\x1a\xe8.N\xe74\x7f\xa6l};\xe3\x86\x8d\x85v\x0c\x9a\xd3'T\xac\x8a\x9a\\xc0\xdf5h\xd3\xd0\x06<R\xe8\xf1\x1d\x80\xad\x99l\x9d\x96g\xa3\xb3\xfe\xd2\xf5$\x03\xc5r\xa7\x02\xa8\xb2\x93\xbb\xa8!?\x8a&\xd4\x84n\x85s\x9e]\xf5\xcc!\x9f\xeehm+Y\xf9\xee\xc8\xd6\xf46K\x0f\xce'\xef/V\xa6\xaf$\x0f\xdc\xccA*\xbc\xdd'\xe5\x97d\x188\xa9\xd7\x9bxE\xc3\x82I\xa0\xb4\xf4\x09\x1cCL.3\x98\x08FLV.f\xfd\x8a2\xd7\x83\x9c\xfb\x05\xa6\xde\xe10/!\x0a\xa6\x1epWLX\xa7\x05\xc5\x15\xca.w\xdd\xcd\x91\xf6
 
 XXXXXXXXXX.XXXXXX tcp_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=13, num_bytes_ip=2793, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3627, state=4, num_pkts=11, num_bytes_ip=3519, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 594.896317 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=13, num_bytes_ip=2793, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3627, state=4, num_pkts=11, num_bytes_ip=3519, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 594.896317 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] flags: string      = AP
                   [3] seq: count         = 3068
@@ -9386,15 +9386,15 @@ XXXXXXXXXX.XXXXXX raw_packet
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=13, num_bytes_ip=2793, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=12, num_bytes_ip=4119, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 633.996964 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=13, num_bytes_ip=2793, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=12, num_bytes_ip=4119, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 633.996964 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=66, id=50817, ttl=243, p=6, src=17.167.150.73, dst=192.168.133.100], ip6=<uninitialized>, tcp=[sport=443/tcp, dport=49655/tcp, seq=2319613771, ack=3289395629, hl=20, dl=26, reserved=0, flags=24, win=4345], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX packet_contents
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=13, num_bytes_ip=2793, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=12, num_bytes_ip=4119, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 633.996964 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=13, num_bytes_ip=2793, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=12, num_bytes_ip=4119, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 633.996964 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] contents: string   = \x17\x03\x03\x00\x15m\xfc&\xad\x07\xf2\xc9\xc3\xd3\xae/X\x8c=\xa4q\xec\xc09M\x1c
 
 XXXXXXXXXX.XXXXXX tcp_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=13, num_bytes_ip=2793, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=12, num_bytes_ip=4119, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 633.996964 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=13, num_bytes_ip=2793, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=12, num_bytes_ip=4119, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 633.996964 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = F
                   [2] flags: string      = AP
                   [3] seq: count         = 3628
@@ -9408,11 +9408,11 @@ XXXXXXXXXX.XXXXXX raw_packet
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=13, num_bytes_ip=2793, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 666.898727 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=13, num_bytes_ip=2793, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 666.898727 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=40, id=42793, ttl=64, p=6, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289395629, ack=2319613771, hl=20, dl=0, reserved=0, flags=16, win=8174], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=13, num_bytes_ip=2793, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 666.898727 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=13, num_bytes_ip=2793, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 666.898727 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] flags: string      = A
                   [3] seq: count         = 2250
@@ -9426,11 +9426,11 @@ XXXXXXXXXX.XXXXXX raw_packet
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX new_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=14, num_bytes_ip=2833, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 701.946259 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=14, num_bytes_ip=2833, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 701.946259 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] p: pkt_hdr         = [ip=[hl=20, tos=0, len=40, id=11881, ttl=64, p=6, src=192.168.133.100, dst=17.167.150.73], ip6=<uninitialized>, tcp=[sport=49655/tcp, dport=443/tcp, seq=3289395629, ack=2319613797, hl=20, dl=0, reserved=0, flags=16, win=8173], udp=<uninitialized>, icmp=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX tcp_packet
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=14, num_bytes_ip=2833, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 701.946259 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=14, num_bytes_ip=2833, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 701.946259 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] is_orig: bool      = T
                   [2] flags: string      = A
                   [3] seq: count         = 2250
@@ -9456,10 +9456,10 @@ XXXXXXXXXX.XXXXXX filter_change_tracking
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX event_queue_flush_point
 XXXXXXXXXX.XXXXXX connection_pending
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 701.946259 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 701.946259 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX connection_state_remove
-                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 701.946259 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aSHA256,\x0aX509,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
+                  [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=2249, state=4, num_pkts=15, num_bytes_ip=2873, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=3653, state=4, num_pkts=13, num_bytes_ip=4185, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=756.0 msecs 701.946259 usecs, service={\x0aSSL\x0a}, history=ShADda, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=771, version=TLSv12, cipher=TLS_RSA_WITH_RC4_128_MD5, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=T, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=T, logged=T, ssl_history=CsxnGIi, delay_tokens=<uninitialized>, cert_chain=[[ts=XXXXXXXXXX.XXXXXX, fuid=FTerEX1QTrF67YJcA3, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-user-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1406, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=1bf9696d9f337805383427e88781d001, sha1=f5ccb1a724133607548b00d8eb402efca3076d58, sha256=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, certificate=[version=3, serial=053FCE9BA6805B00, subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, cn=*.icloud.com, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com]], san=[dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F], basic_constraints=[ca=F, path_len=<uninitialized>], extensions_cache=[[name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://ocsp.apple.com/ocsp04-appleistca2g101\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=8E:51:A1:0E:0A:9B:1C:04:F7:59:D3:69:2E:23:16:91:0E:AD:06:FB], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:FALSE], [ca=F, path_len=<uninitialized>], [name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 1.2.840.113635.100.5.11.4\x0a  User Notice:\x0a    Explicit Text: Reliance on this certificate by any party assumes acceptance of any applicable terms and conditions of use and/or certification practice statements.\x0a  CPS: http://www.apple.com/certificateauthority/rpa\x0a], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://crl.apple.com/appleistca2g1.crl\x0a], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Digital Signature, Key Encipherment], [name=X509v3 Extended Key Usage, short_name=extendedKeyUsage, oid=2.5.29.37, critical=F, value=TLS Web Server Authentication, TLS Web Client Authentication], [name=X509v3 Subject Alternative Name, short_name=subjectAltName, oid=2.5.29.17, critical=F, value=DNS:*.icloud.com], [dns=[*.icloud.com], uri=<uninitialized>, email=<uninitialized>, ip=<uninitialized>, other_fields=F]], host_cert=T, client_cert=F, deduplication_index=[fingerprint=f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, host_cert=T, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], [ts=XXXXXXXXXX.XXXXXX, fuid=F58hAEwidvB37CYEf, tx_hosts={\x0a\x0917.167.150.73\x0a}, rx_hosts={\x0a\x09192.168.133.100\x0a}, conn_uids={\x0aC3eiCBGOLw3VtHfOj\x0a}, source=SSL, depth=0, analyzers={\x0aX509,\x0aSHA256,\x0aSHA1,\x0aMD5\x0a}, mime_type=application/x-x509-ca-cert, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=1092, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=48f0e38385112eeca5fc9ffd402eaecd, sha1=8e8321ca08b08e3726fe1d82996884eeb5f0d655, sha256=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, x509=[ts=XXXXXXXXXX.XXXXXX, fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, certificate=[version=3, serial=023A74, subject=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, issuer=CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US, cn=Apple IST CA 2 - G1, not_valid_before=XXXXXXXXXX.XXXXXX, not_valid_after=XXXXXXXXXX.XXXXXX, key_alg=rsaEncryption, sig_alg=sha256WithRSAEncryption, key_type=rsa, key_length=2048, exponent=65537, curve=<uninitialized>], handle=<no value description>, extensions=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], san=<uninitialized>, basic_constraints=[ca=T, path_len=0], extensions_cache=[[name=X509v3 Authority Key Identifier, short_name=authorityKeyIdentifier, oid=2.5.29.35, critical=F, value=keyid:C0:7A:98:68:8D:89:FB:AB:05:64:0C:11:7D:AA:7D:65:B8:CA:CC:4E\x0a], [name=X509v3 Subject Key Identifier, short_name=subjectKeyIdentifier, oid=2.5.29.14, critical=F, value=D8:7A:94:44:7C:90:70:90:16:9E:DD:17:9C:01:44:03:86:D6:2A:29], [name=X509v3 Basic Constraints, short_name=basicConstraints, oid=2.5.29.19, critical=T, value=CA:TRUE, pathlen:0], [ca=T, path_len=0], [name=X509v3 Key Usage, short_name=keyUsage, oid=2.5.29.15, critical=T, value=Certificate Sign, CRL Sign], [name=X509v3 CRL Distribution Points, short_name=crlDistributionPoints, oid=2.5.29.31, critical=F, value=\x0aFull Name:\x0a  URI:http://g.symcb.com/crls/gtglobal.crl\x0a], [name=Authority Information Access, short_name=authorityInfoAccess, oid=1.3.6.1.5.5.7.1.1, critical=F, value=OCSP - URI:http://g.symcd.com\x0a], [name=X509v3 Certificate Policies, short_name=certificatePolicies, oid=2.5.29.32, critical=F, value=Policy: 2.16.840.1.113733.1.7.54\x0a  CPS: http://www.geotrust.com/resources/cps\x0a]], host_cert=F, client_cert=F, deduplication_index=[fingerprint=ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b, host_cert=F, client_cert=F]], extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]], cert_chain_fps=[f94f3f5bf51899148fa4c51a1b39bd98cd0bf053f2e838eb68a2a96d0359ed56, ac2b922ecfd5e01711772fea8ed372de9d1e2245fce3f57a9cdbec77296a424b], client_cert_chain=[], client_cert_chain_fps=[], subject=C=US,ST=California,O=Apple Inc.,OU=management:idms.group.506364,CN=*.icloud.com, issuer=C=US,O=Apple Inc.,OU=Certification Authority,CN=Apple IST CA 2 - G1, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=T, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
 
 XXXXXXXXXX.XXXXXX connection_pending
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49153/tcp, resp_h=17.172.238.21, resp_p=5223/tcp], orig=[size=714, state=3, num_pkts=1, num_bytes_ip=766, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=3, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=147.0 msecs 503.137589 usecs, service={\x0a\x0a}, history=Da, uid=C37jN32gN3y3AZzyf6, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]

From 8b544d648de5c8c5d0f5b58c8890d21f3f9193f5 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Wed, 29 Sep 2021 10:11:17 -0700
Subject: [PATCH 086/210] Remove uses of deprecated Tag types

---
 src/Conn.cc                                   |  2 +-
 src/Conn.h                                    |  4 +-
 src/RuleAction.cc                             |  2 +-
 src/RuleAction.h                              |  8 ++--
 src/analyzer/Analyzer.cc                      | 24 +++++------
 src/analyzer/Analyzer.h                       | 24 +++++------
 src/analyzer/Component.cc                     |  2 +-
 src/analyzer/Component.h                      |  8 ++--
 src/analyzer/Manager.cc                       | 28 ++++++-------
 src/analyzer/Manager.h                        | 42 +++++++++----------
 src/analyzer/analyzer.bif                     |  2 +-
 src/analyzer/protocol/pia/PIA.cc              |  8 ++--
 src/analyzer/protocol/pia/PIA.h               | 12 +++---
 src/file_analysis/Analyzer.cc                 |  4 +-
 src/file_analysis/Analyzer.h                  | 10 ++---
 src/file_analysis/AnalyzerSet.cc              | 14 +++----
 src/file_analysis/AnalyzerSet.h               | 24 +++++------
 src/file_analysis/Component.h                 |  8 ++--
 src/file_analysis/File.cc                     |  6 +--
 src/file_analysis/File.h                      |  6 +--
 src/file_analysis/Manager.cc                  | 30 +++++++------
 src/file_analysis/Manager.h                   | 26 ++++++------
 src/file_analysis/analyzer/x509/X509Common.cc |  2 +-
 src/file_analysis/analyzer/x509/X509Common.h  |  3 +-
 src/input/Component.h                         |  2 +-
 src/logging/Component.h                       |  2 +-
 src/packet_analysis/Analyzer.h                | 10 ++---
 src/packet_analysis/Component.h               |  4 +-
 src/packet_analysis/Manager.h                 |  4 +-
 .../protocol/icmp/ICMPSessionAdapter.cc       |  2 +-
 .../protocol/ip/IPBasedAnalyzer.cc            |  6 +--
 .../protocol/ip/IPBasedAnalyzer.h             | 10 ++---
 .../protocol/tcp/TCPSessionAdapter.cc         |  6 +--
 .../protocol/tcp/TCPSessionAdapter.h          |  3 +-
 .../protocol/udp/UDPSessionAdapter.cc         |  2 +-
 35 files changed, 172 insertions(+), 178 deletions(-)

diff --git a/src/Conn.cc b/src/Conn.cc
index 46d057a268..36d45dd3b2 100644
--- a/src/Conn.cc
+++ b/src/Conn.cc
@@ -286,7 +286,7 @@ analyzer::Analyzer* Connection::FindAnalyzer(analyzer::ID id)
 	return adapter ? adapter->FindChild(id) : nullptr;
 	}
 
-analyzer::Analyzer* Connection::FindAnalyzer(const analyzer::Tag& tag)
+analyzer::Analyzer* Connection::FindAnalyzer(const zeek::Tag& tag)
 	{
 	return adapter ? adapter->FindChild(tag) : nullptr;
 	}
diff --git a/src/Conn.h b/src/Conn.h
index 4ce9c51a4c..960df18129 100644
--- a/src/Conn.h
+++ b/src/Conn.h
@@ -11,12 +11,12 @@
 #include "zeek/IPAddr.h"
 #include "zeek/IntrusivePtr.h"
 #include "zeek/Rule.h"
+#include "zeek/Tag.h"
 #include "zeek/Timer.h"
 #include "zeek/UID.h"
 #include "zeek/WeirdState.h"
 #include "zeek/ZeekArgs.h"
 #include "zeek/analyzer/Analyzer.h"
-#include "zeek/analyzer/Tag.h"
 #include "zeek/iosource/Packet.h"
 #include "zeek/session/Session.h"
 
@@ -136,7 +136,7 @@ public:
 	void FlipRoles();
 
 	analyzer::Analyzer* FindAnalyzer(analyzer::ID id);
-	analyzer::Analyzer* FindAnalyzer(const analyzer::Tag& tag); // find first in tree.
+	analyzer::Analyzer* FindAnalyzer(const zeek::Tag& tag); // find first in tree.
 	analyzer::Analyzer* FindAnalyzer(const char* name); // find first in tree.
 
 	TransportProto ConnTransport() const { return proto; }
diff --git a/src/RuleAction.cc b/src/RuleAction.cc
index 32feb824e8..fc3e57adcc 100644
--- a/src/RuleAction.cc
+++ b/src/RuleAction.cc
@@ -67,7 +67,7 @@ RuleActionAnalyzer::RuleActionAnalyzer(const char* arg_analyzer)
 			reporter->Warning("unknown analyzer '%s' specified in rule", arg.c_str());
 		}
 	else
-		child_analyzer = analyzer::Tag();
+		child_analyzer = zeek::Tag();
 	}
 
 void RuleActionAnalyzer::PrintDebug()
diff --git a/src/RuleAction.h b/src/RuleAction.h
index c280a6bc5d..c9d1b45db8 100644
--- a/src/RuleAction.h
+++ b/src/RuleAction.h
@@ -73,12 +73,12 @@ public:
 
 	void PrintDebug() override;
 
-	analyzer::Tag Analyzer() const { return analyzer; }
-	analyzer::Tag ChildAnalyzer() const { return child_analyzer; }
+	zeek::Tag Analyzer() const { return analyzer; }
+	zeek::Tag ChildAnalyzer() const { return child_analyzer; }
 
 private:
-	analyzer::Tag analyzer;
-	analyzer::Tag child_analyzer;
+	zeek::Tag analyzer;
+	zeek::Tag child_analyzer;
 	};
 
 class RuleActionEnable : public RuleActionAnalyzer
diff --git a/src/analyzer/Analyzer.cc b/src/analyzer/Analyzer.cc
index 61c8a0b3bf..2a98ac0b72 100644
--- a/src/analyzer/Analyzer.cc
+++ b/src/analyzer/Analyzer.cc
@@ -75,7 +75,7 @@ const char* Analyzer::GetAnalyzerName() const
 	return analyzer_mgr->GetComponentName(tag).c_str();
 	}
 
-void Analyzer::SetAnalyzerTag(const Tag& arg_tag)
+void Analyzer::SetAnalyzerTag(const zeek::Tag& arg_tag)
 	{
 	assert(! tag || tag == arg_tag);
 	tag = arg_tag;
@@ -89,7 +89,7 @@ bool Analyzer::IsAnalyzer(const char* name)
 
 Analyzer::Analyzer(const char* name, Connection* conn)
 	{
-	Tag tag = analyzer_mgr->GetComponentTag(name);
+	zeek::Tag tag = analyzer_mgr->GetComponentTag(name);
 
 	if ( ! tag )
 		reporter->InternalError("unknown analyzer name %s; mismatch with tag analyzer::Component?",
@@ -98,17 +98,17 @@ Analyzer::Analyzer(const char* name, Connection* conn)
 	CtorInit(tag, conn);
 	}
 
-Analyzer::Analyzer(const Tag& tag, Connection* conn)
+Analyzer::Analyzer(const zeek::Tag& tag, Connection* conn)
 	{
 	CtorInit(tag, conn);
 	}
 
 Analyzer::Analyzer(Connection* conn)
 	{
-	CtorInit(Tag(), conn);
+	CtorInit(zeek::Tag(), conn);
 	}
 
-void Analyzer::CtorInit(const Tag& arg_tag, Connection* arg_conn)
+void Analyzer::CtorInit(const zeek::Tag& arg_tag, Connection* arg_conn)
 	{
 	// Don't Ref conn here to avoid circular ref'ing. It can't be deleted
 	// before us.
@@ -411,7 +411,7 @@ bool Analyzer::AddChildAnalyzer(Analyzer* analyzer, bool init)
 	return true;
 	}
 
-Analyzer* Analyzer::AddChildAnalyzer(const Tag& analyzer)
+Analyzer* Analyzer::AddChildAnalyzer(const zeek::Tag& analyzer)
 	{
 	if ( HasChildAnalyzer(analyzer) )
 		return nullptr;
@@ -466,7 +466,7 @@ bool Analyzer::Remove()
 	return removing;
 	}
 
-void Analyzer::PreventChildren(Tag tag)
+void Analyzer::PreventChildren(zeek::Tag tag)
 	{
 	auto it = std::find(prevented.begin(), prevented.end(), tag);
 
@@ -476,7 +476,7 @@ void Analyzer::PreventChildren(Tag tag)
 	prevented.emplace_back(tag);
 	}
 
-bool Analyzer::HasChildAnalyzer(Tag tag)
+bool Analyzer::HasChildAnalyzer(zeek::Tag tag)
 	{
 	LOOP_OVER_CHILDREN(i)
 	if ( (*i)->tag == tag )
@@ -511,7 +511,7 @@ Analyzer* Analyzer::FindChild(ID arg_id)
 	return nullptr;
 	}
 
-Analyzer* Analyzer::FindChild(Tag arg_tag)
+Analyzer* Analyzer::FindChild(zeek::Tag arg_tag)
 	{
 	if ( tag == arg_tag )
 		return this;
@@ -535,7 +535,7 @@ Analyzer* Analyzer::FindChild(Tag arg_tag)
 
 Analyzer* Analyzer::FindChild(const char* name)
 	{
-	Tag tag = analyzer_mgr->GetComponentTag(name);
+	zeek::Tag tag = analyzer_mgr->GetComponentTag(name);
 	return tag ? FindChild(tag) : nullptr;
 	}
 
@@ -607,7 +607,7 @@ void Analyzer::RemoveSupportAnalyzer(SupportAnalyzer* analyzer)
 	return;
 	}
 
-bool Analyzer::HasSupportAnalyzer(const Tag& tag, bool orig)
+bool Analyzer::HasSupportAnalyzer(const zeek::Tag& tag, bool orig)
 	{
 	SupportAnalyzer* s = orig ? orig_supporters : resp_supporters;
 	for ( ; s; s = s->sibling )
@@ -677,7 +677,7 @@ void Analyzer::FlipRoles()
 	resp_supporters = tmp;
 	}
 
-void Analyzer::ProtocolConfirmation(Tag arg_tag)
+void Analyzer::ProtocolConfirmation(zeek::Tag arg_tag)
 	{
 	if ( protocol_confirmed )
 		return;
diff --git a/src/analyzer/Analyzer.h b/src/analyzer/Analyzer.h
index ec79400531..06dee27559 100644
--- a/src/analyzer/Analyzer.h
+++ b/src/analyzer/Analyzer.h
@@ -125,7 +125,7 @@ public:
 	 *
 	 * @param conn The connection the analyzer is associated with.
 	 */
-	Analyzer(const Tag& tag, Connection* conn);
+	Analyzer(const zeek::Tag& tag, Connection* conn);
 
 	/**
 	 * Constructor. As this version of the constructor does not receive a
@@ -357,7 +357,7 @@ public:
 	/**
 	 * Returns the tag associated with the analyzer's type.
 	 */
-	Tag GetAnalyzerTag() const
+	zeek::Tag GetAnalyzerTag() const
 		{
 		assert(tag);
 		return tag;
@@ -369,7 +369,7 @@ public:
 	 * did not receive a name or tag. The method cannot be used to change
 	 * an existing tag.
 	 */
-	void SetAnalyzerTag(const Tag& tag);
+	void SetAnalyzerTag(const zeek::Tag& tag);
 
 	/**
 	 * Returns a textual description of the analyzer's type. This is
@@ -405,7 +405,7 @@ public:
 	 * @param tag The type of analyzer to add.
 	 * @return the new analyzer instance that was added.
 	 */
-	Analyzer* AddChildAnalyzer(const Tag& tag);
+	Analyzer* AddChildAnalyzer(const zeek::Tag& tag);
 
 	/**
 	 * Removes a child analyzer. It's ok for the analyzer to not to be a
@@ -434,14 +434,14 @@ public:
 	 *
 	 * @param tag The type of analyzer to prevent.
 	 */
-	void PreventChildren(Tag tag);
+	void PreventChildren(zeek::Tag tag);
 
 	/**
 	 * Returns true if analyzer has a direct child of a given type.
 	 *
 	 * @param tag The type of analyzer to check for.
 	 */
-	bool HasChildAnalyzer(Tag tag);
+	bool HasChildAnalyzer(zeek::Tag tag);
 
 	/**
 	 * Recursively searches all (direct or indirect) childs of the
@@ -463,7 +463,7 @@ public:
 	 * @return The first analyzer of the given type found, or null if
 	 * none.
 	 */
-	virtual Analyzer* FindChild(Tag tag);
+	virtual Analyzer* FindChild(zeek::Tag tag);
 
 	/**
 	 * Recursively searches all (direct or indirect) childs of the
@@ -533,7 +533,7 @@ public:
 	 * If tag is given, it overrides the analyzer tag passed to the
 	 * scripting layer; the default is the one of the analyzer itself.
 	 */
-	virtual void ProtocolConfirmation(Tag tag = Tag());
+	virtual void ProtocolConfirmation(zeek::Tag tag = zeek::Tag());
 
 	/**
 	 * Signals Bro's protocol detection that the analyzer has found a
@@ -667,7 +667,7 @@ protected:
 	 *
 	 * @param orig True if asking about the originator side.
 	 */
-	bool HasSupportAnalyzer(const Tag& tag, bool orig);
+	bool HasSupportAnalyzer(const zeek::Tag& tag, bool orig);
 
 	/**
 	 * Returns the first still active support analyzer for the given
@@ -711,9 +711,9 @@ private:
 	analyzer_list::iterator DeleteChild(analyzer_list::iterator i);
 
 	// Helper for the ctors.
-	void CtorInit(const Tag& tag, Connection* conn);
+	void CtorInit(const zeek::Tag& tag, Connection* conn);
 
-	Tag tag;
+	zeek::Tag tag;
 	ID id;
 
 	Connection* conn;
@@ -726,7 +726,7 @@ private:
 	SupportAnalyzer* resp_supporters;
 
 	analyzer_list new_children;
-	std::vector<Tag> prevented;
+	std::vector<zeek::Tag> prevented;
 
 	bool protocol_confirmed;
 
diff --git a/src/analyzer/Component.cc b/src/analyzer/Component.cc
index f8dfa32f72..b01eb2f0ba 100644
--- a/src/analyzer/Component.cc
+++ b/src/analyzer/Component.cc
@@ -10,7 +10,7 @@ namespace zeek::analyzer
 	{
 
 Component::Component(const std::string& name, factory_callback arg_factory,
-                     Tag::subtype_t arg_subtype, bool arg_enabled, bool arg_partial,
+                     zeek::Tag::subtype_t arg_subtype, bool arg_enabled, bool arg_partial,
                      bool arg_adapter)
 	: plugin::Component(
 		  arg_adapter ? plugin::component::SESSION_ADAPTER : plugin::component::ANALYZER, name),
diff --git a/src/analyzer/Component.h b/src/analyzer/Component.h
index adf8dceea4..0ad42f253a 100644
--- a/src/analyzer/Component.h
+++ b/src/analyzer/Component.h
@@ -4,7 +4,7 @@
 
 #include "zeek/zeek-config.h"
 
-#include "zeek/analyzer/Tag.h"
+#include "zeek/Tag.h"
 #include "zeek/plugin/Component.h"
 #include "zeek/plugin/TaggedComponent.h"
 #include "zeek/util.h"
@@ -45,8 +45,8 @@ public:
 	 *
 	 * @param subtype A subtype associated with this component that
 	 * further distinguishes it. The subtype will be integrated into
-	 * the analyzer::Tag that the manager associates with this analyzer,
-	 * and analyzer instances can accordingly access it via analyzer::Tag().
+	 * the Tag that the manager associates with this analyzer,
+	 * and analyzer instances can accordingly access it via Tag().
 	 * If not used, leave at zero.
 	 *
 	 * @param enabled If false the analyzer starts out as disabled and
@@ -62,7 +62,7 @@ public:
 	 * @param adapter If true, this analyzer is a session adapter from
 	 * the packet analyzer framework.
 	 */
-	Component(const std::string& name, factory_callback factory, Tag::subtype_t subtype = 0,
+	Component(const std::string& name, factory_callback factory, zeek::Tag::subtype_t subtype = 0,
 	          bool enabled = true, bool partial = false, bool adapter = false);
 
 	/**
diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc
index 4416fa4fe5..70d4847931 100644
--- a/src/analyzer/Manager.cc
+++ b/src/analyzer/Manager.cc
@@ -123,7 +123,7 @@ void Manager::DumpDebug()
 
 void Manager::Done() { }
 
-bool Manager::EnableAnalyzer(const Tag& tag)
+bool Manager::EnableAnalyzer(const zeek::Tag& tag)
 	{
 	Component* p = Lookup(tag);
 
@@ -149,7 +149,7 @@ bool Manager::EnableAnalyzer(EnumVal* val)
 	return true;
 	}
 
-bool Manager::DisableAnalyzer(const Tag& tag)
+bool Manager::DisableAnalyzer(const zeek::Tag& tag)
 	{
 	Component* p = Lookup(tag);
 
@@ -185,12 +185,12 @@ void Manager::DisableAllAnalyzers()
 		(*i)->SetEnabled(false);
 	}
 
-analyzer::Tag Manager::GetAnalyzerTag(const char* name)
+zeek::Tag Manager::GetAnalyzerTag(const char* name)
 	{
 	return GetComponentTag(name);
 	}
 
-bool Manager::IsEnabled(const Tag& tag)
+bool Manager::IsEnabled(const zeek::Tag& tag)
 	{
 	if ( ! tag )
 		return false;
@@ -233,7 +233,7 @@ bool Manager::UnregisterAnalyzerForPort(EnumVal* val, PortVal* port)
 	return UnregisterAnalyzerForPort(p->Tag(), port->PortType(), port->Port());
 	}
 
-bool Manager::RegisterAnalyzerForPort(const Tag& tag, TransportProto proto, uint32_t port)
+bool Manager::RegisterAnalyzerForPort(const zeek::Tag& tag, TransportProto proto, uint32_t port)
 	{
 	if ( initialized )
 		return RegisterAnalyzerForPort(std::make_tuple(tag, proto, port));
@@ -247,7 +247,7 @@ bool Manager::RegisterAnalyzerForPort(const Tag& tag, TransportProto proto, uint
 		}
 	}
 
-bool Manager::RegisterAnalyzerForPort(const std::tuple<Tag, TransportProto, uint32_t>& p)
+bool Manager::RegisterAnalyzerForPort(const std::tuple<zeek::Tag, TransportProto, uint32_t>& p)
 	{
 	const auto& [tag, proto, port] = p;
 
@@ -267,7 +267,7 @@ bool Manager::RegisterAnalyzerForPort(const std::tuple<Tag, TransportProto, uint
 	return ipba->RegisterAnalyzerForPort(tag, port);
 	}
 
-bool Manager::UnregisterAnalyzerForPort(const Tag& tag, TransportProto proto, uint32_t port)
+bool Manager::UnregisterAnalyzerForPort(const zeek::Tag& tag, TransportProto proto, uint32_t port)
 	{
 	if ( auto i = pending_analyzers_for_ports.find(std::make_tuple(tag, proto, port));
 	     i != pending_analyzers_for_ports.end() )
@@ -289,7 +289,7 @@ bool Manager::UnregisterAnalyzerForPort(const Tag& tag, TransportProto proto, ui
 	return ipba->UnregisterAnalyzerForPort(tag, port);
 	}
 
-Analyzer* Manager::InstantiateAnalyzer(const Tag& tag, Connection* conn)
+Analyzer* Manager::InstantiateAnalyzer(const zeek::Tag& tag, Connection* conn)
 	{
 	Component* c = Lookup(tag);
 
@@ -324,7 +324,7 @@ Analyzer* Manager::InstantiateAnalyzer(const Tag& tag, Connection* conn)
 
 Analyzer* Manager::InstantiateAnalyzer(const char* name, Connection* conn)
 	{
-	Tag tag = GetComponentTag(name);
+	zeek::Tag tag = GetComponentTag(name);
 	return tag ? InstantiateAnalyzer(tag, conn) : nullptr;
 	}
 
@@ -367,7 +367,7 @@ void Manager::ExpireScheduledAnalyzers()
 	}
 
 void Manager::ScheduleAnalyzer(const IPAddr& orig, const IPAddr& resp, uint16_t resp_p,
-                               TransportProto proto, const Tag& analyzer, double timeout)
+                               TransportProto proto, const zeek::Tag& analyzer, double timeout)
 	{
 	if ( ! run_state::network_time )
 		{
@@ -392,9 +392,9 @@ void Manager::ScheduleAnalyzer(const IPAddr& orig, const IPAddr& resp, uint16_t
 void Manager::ScheduleAnalyzer(const IPAddr& orig, const IPAddr& resp, uint16_t resp_p,
                                TransportProto proto, const char* analyzer, double timeout)
 	{
-	Tag tag = GetComponentTag(analyzer);
+	zeek::Tag tag = GetComponentTag(analyzer);
 
-	if ( tag != Tag() )
+	if ( tag != zeek::Tag() )
 		ScheduleAnalyzer(orig, resp, resp_p, proto, tag, timeout);
 	}
 
@@ -402,8 +402,8 @@ void Manager::ScheduleAnalyzer(const IPAddr& orig, const IPAddr& resp, PortVal*
                                Val* analyzer, double timeout)
 	{
 	EnumValPtr ev{NewRef{}, analyzer->AsEnumVal()};
-	return ScheduleAnalyzer(orig, resp, resp_p->Port(), resp_p->PortType(), Tag(std::move(ev)),
-	                        timeout);
+	return ScheduleAnalyzer(orig, resp, resp_p->Port(), resp_p->PortType(),
+	                        zeek::Tag(std::move(ev)), timeout);
 	}
 
 Manager::tag_set Manager::GetScheduled(const Connection* conn)
diff --git a/src/analyzer/Manager.h b/src/analyzer/Manager.h
index 8211824e3d..74938c8941 100644
--- a/src/analyzer/Manager.h
+++ b/src/analyzer/Manager.h
@@ -25,9 +25,9 @@
 
 #include "zeek/Dict.h"
 #include "zeek/IP.h"
+#include "zeek/Tag.h"
 #include "zeek/analyzer/Analyzer.h"
 #include "zeek/analyzer/Component.h"
-#include "zeek/analyzer/Tag.h"
 #include "zeek/analyzer/analyzer.bif.h"
 #include "zeek/net_util.h"
 #include "zeek/plugin/ComponentManager.h"
@@ -50,7 +50,7 @@ namespace analyzer
  * Class maintaining and scheduling available protocol analyzers.
  *
  * The manager maintains a registry of all available protocol analyzers,
- * including a mapping between their textual names and analyzer::Tag. It
+ * including a mapping between their textual names and Tag. It
  * instantantiates new analyzers on demand. For new connections, the manager
  * sets up their initial analyzer tree, including adding the right \c PIA,
  * respecting well-known ports, and tracking any analyzers specifically
@@ -95,14 +95,14 @@ public:
 	 *
 	 * @return True if successful.
 	 */
-	bool EnableAnalyzer(const Tag& tag);
+	bool EnableAnalyzer(const zeek::Tag& tag);
 
 	/**
 	 * Enables an analyzer type. Only enabled analyzers will be
 	 * instantiated for new connections.
 	 *
 	 * @param tag The analyzer's tag as an enum of script type \c
-	 * Analyzer::Tag.
+	 * Tag.
 	 *
 	 * @return True if successful.
 	 */
@@ -116,14 +116,14 @@ public:
 	 *
 	 * @return True if successful.
 	 */
-	bool DisableAnalyzer(const Tag& tag);
+	bool DisableAnalyzer(const zeek::Tag& tag);
 
 	/**
 	 * Disables an analyzer type. Disabled analyzers will not be
 	 * instantiated for new connections.
 	 *
 	 * @param tag The analyzer's tag as an enum of script type \c
-	 * Analyzer::Tag.
+	 * Tag.
 	 *
 	 * @return True if successful.
 	 */
@@ -140,20 +140,20 @@ public:
 	 *
 	 * @param name The canonical analyzer name to check.
 	 */
-	Tag GetAnalyzerTag(const char* name);
+	zeek::Tag GetAnalyzerTag(const char* name);
 
 	/**
 	 * Returns true if an analyzer is enabled.
 	 *
 	 * @param tag The analyzer's tag.
 	 */
-	bool IsEnabled(const Tag& tag);
+	bool IsEnabled(const zeek::Tag& tag);
 
 	/**
 	 * Returns true if an analyzer is enabled.
 	 *
 	 * @param tag The analyzer's tag as an enum of script type \c
-	 * Analyzer::Tag.
+	 * Tag.
 	 */
 	bool IsEnabled(EnumVal* tag);
 
@@ -163,7 +163,7 @@ public:
 	 * assigned.
 	 *
 	 * @param tag The analyzer's tag as an enum of script type \c
-	 * Analyzer::Tag.
+	 * Tag.
 	 *
 	 * @param port The well-known port.
 	 *
@@ -184,13 +184,13 @@ public:
 	 *
 	 * @return True if successful.
 	 */
-	bool RegisterAnalyzerForPort(const Tag& tag, TransportProto proto, uint32_t port);
+	bool RegisterAnalyzerForPort(const zeek::Tag& tag, TransportProto proto, uint32_t port);
 
 	/**
 	 * Unregisters a well-known port for an anlyzers.
 	 *
 	 * @param tag The analyzer's tag as an enum of script type \c
-	 * Analyzer::Tag.
+	 * Tag.
 	 *
 	 * @param port The well-known port.
 	 *
@@ -210,9 +210,9 @@ public:
 	 * @param port The port's number.
 	 *
 	 * @param tag The analyzer's tag as an enum of script type \c
-	 * Analyzer::Tag.
+	 * Tag.
 	 */
-	bool UnregisterAnalyzerForPort(const Tag& tag, TransportProto proto, uint32_t port);
+	bool UnregisterAnalyzerForPort(const zeek::Tag& tag, TransportProto proto, uint32_t port);
 
 	/**
 	 * Instantiates a new analyzer instance for a connection.
@@ -226,7 +226,7 @@ public:
 	 * null if tag is invalid, the requested analyzer is disabled, or the
 	 * analyzer can't be instantiated.
 	 */
-	Analyzer* InstantiateAnalyzer(const Tag& tag, Connection* c);
+	Analyzer* InstantiateAnalyzer(const zeek::Tag& tag, Connection* c);
 
 	/**
 	 * Instantiates a new analyzer instance for a connection.
@@ -263,7 +263,7 @@ public:
 	 * schedule this analyzer. Must be non-zero.
 	 */
 	void ScheduleAnalyzer(const IPAddr& orig, const IPAddr& resp, uint16_t resp_p,
-	                      TransportProto proto, const Tag& analyzer, double timeout);
+	                      TransportProto proto, const zeek::Tag& analyzer, double timeout);
 
 	/**
 	 * Schedules a particular analyzer for an upcoming connection. Once
@@ -321,7 +321,7 @@ public:
 	 * @param resp_p The connection's anticipated responder port.
 	 *
 	 * @param analyzer The analyzer to use once the connection is seen as
-	 * an enum value of script-type \c Analyzer::Tag.
+	 * an enum value of script-type \c Tag.
 	 *
 	 * @param timeout An interval after which to timeout the request to
 	 * schedule this analyzer. Must be non-zero.
@@ -336,11 +336,11 @@ public:
 
 private:
 	// Internal version that must be used only once InitPostScript has completed.
-	bool RegisterAnalyzerForPort(const std::tuple<Tag, TransportProto, uint32_t>& p);
+	bool RegisterAnalyzerForPort(const std::tuple<zeek::Tag, TransportProto, uint32_t>& p);
 
 	friend class packet_analysis::IP::IPBasedAnalyzer;
 
-	using tag_set = std::set<Tag>;
+	using tag_set = std::set<zeek::Tag>;
 
 	tag_set GetScheduled(const Connection* conn);
 	void ExpireScheduledAnalyzers();
@@ -365,7 +365,7 @@ private:
 	struct ScheduledAnalyzer
 		{
 		ConnIndex conn;
-		Tag analyzer;
+		zeek::Tag analyzer;
 		double timeout;
 
 		struct Comparator
@@ -377,7 +377,7 @@ private:
 			};
 		};
 
-	using protocol_analyzers = std::set<std::tuple<Tag, TransportProto, uint32_t>>;
+	using protocol_analyzers = std::set<std::tuple<zeek::Tag, TransportProto, uint32_t>>;
 	using conns_map = std::multimap<ConnIndex, ScheduledAnalyzer*>;
 	using conns_queue = std::priority_queue<ScheduledAnalyzer*, std::vector<ScheduledAnalyzer*>,
 	                                        ScheduledAnalyzer::Comparator>;
diff --git a/src/analyzer/analyzer.bif b/src/analyzer/analyzer.bif
index 18ed0e883b..9e8018342f 100644
--- a/src/analyzer/analyzer.bif
+++ b/src/analyzer/analyzer.bif
@@ -46,6 +46,6 @@ function __name%(atype: Analyzer::Tag%) : string
 
 function __tag%(name: string%) : Analyzer::Tag
 	%{
-	analyzer::Tag t = zeek::analyzer_mgr->GetComponentTag(name->CheckString());
+	zeek::Tag t = zeek::analyzer_mgr->GetComponentTag(name->CheckString());
 	return t.AsVal();
 	%}
diff --git a/src/analyzer/protocol/pia/PIA.cc b/src/analyzer/protocol/pia/PIA.cc
index a4314294c1..3103c84ad9 100644
--- a/src/analyzer/protocol/pia/PIA.cc
+++ b/src/analyzer/protocol/pia/PIA.cc
@@ -147,7 +147,7 @@ void PIA::DoMatch(const u_char* data, int len, bool is_orig, bool bol, bool eol,
 	                                      clear_state);
 	}
 
-void PIA_UDP::ActivateAnalyzer(analyzer::Tag tag, const zeek::detail::Rule* rule)
+void PIA_UDP::ActivateAnalyzer(zeek::Tag tag, const zeek::detail::Rule* rule)
 	{
 	if ( pkt_buffer.state == MATCHING_ONLY )
 		{
@@ -181,7 +181,7 @@ void PIA_UDP::ActivateAnalyzer(analyzer::Tag tag, const zeek::detail::Rule* rule
 	ReplayPacketBuffer(a);
 	}
 
-void PIA_UDP::DeactivateAnalyzer(analyzer::Tag tag)
+void PIA_UDP::DeactivateAnalyzer(zeek::Tag tag)
 	{
 	reporter->InternalError("PIA_UDP::Deact not implemented yet");
 	}
@@ -307,7 +307,7 @@ void PIA_TCP::Undelivered(uint64_t seq, int len, bool is_orig)
 		}
 	}
 
-void PIA_TCP::ActivateAnalyzer(analyzer::Tag tag, const zeek::detail::Rule* rule)
+void PIA_TCP::ActivateAnalyzer(zeek::Tag tag, const zeek::detail::Rule* rule)
 	{
 	if ( stream_buffer.state == MATCHING_ONLY )
 		{
@@ -429,7 +429,7 @@ void PIA_TCP::ActivateAnalyzer(analyzer::Tag tag, const zeek::detail::Rule* rule
 	tcp->SetReassembler(reass_orig, reass_resp);
 	}
 
-void PIA_TCP::DeactivateAnalyzer(analyzer::Tag tag)
+void PIA_TCP::DeactivateAnalyzer(zeek::Tag tag)
 	{
 	reporter->InternalError("PIA_TCP::Deact not implemented yet");
 	}
diff --git a/src/analyzer/protocol/pia/PIA.h b/src/analyzer/protocol/pia/PIA.h
index ba31190cb6..b00145d2c9 100644
--- a/src/analyzer/protocol/pia/PIA.h
+++ b/src/analyzer/protocol/pia/PIA.h
@@ -29,10 +29,10 @@ public:
 
 	// Called when PIA wants to put an Analyzer in charge.  rule is the
 	// signature that triggered the activitation, if any.
-	virtual void ActivateAnalyzer(analyzer::Tag tag, const zeek::detail::Rule* rule = nullptr) = 0;
+	virtual void ActivateAnalyzer(zeek::Tag tag, const zeek::detail::Rule* rule = nullptr) = 0;
 
 	// Called when PIA wants to remove an Analyzer.
-	virtual void DeactivateAnalyzer(analyzer::Tag tag) = 0;
+	virtual void DeactivateAnalyzer(zeek::Tag tag) = 0;
 
 	void Match(zeek::detail::Rule::PatternType type, const u_char* data, int len, bool is_orig,
 	           bool bol, bool eol, bool clear_state);
@@ -129,8 +129,8 @@ protected:
 		PIA_DeliverPacket(len, data, is_orig, seq, ip, caplen, true);
 		}
 
-	void ActivateAnalyzer(analyzer::Tag tag, const zeek::detail::Rule* rule) override;
-	void DeactivateAnalyzer(analyzer::Tag tag) override;
+	void ActivateAnalyzer(zeek::Tag tag, const zeek::detail::Rule* rule) override;
+	void DeactivateAnalyzer(zeek::Tag tag) override;
 	};
 
 // PIA for TCP.  Accepts both packet and stream input (and reassembles
@@ -180,8 +180,8 @@ protected:
 	void DeliverStream(int len, const u_char* data, bool is_orig) override;
 	void Undelivered(uint64_t seq, int len, bool is_orig) override;
 
-	void ActivateAnalyzer(analyzer::Tag tag, const zeek::detail::Rule* rule = nullptr) override;
-	void DeactivateAnalyzer(analyzer::Tag tag) override;
+	void ActivateAnalyzer(zeek::Tag tag, const zeek::detail::Rule* rule = nullptr) override;
+	void DeactivateAnalyzer(zeek::Tag tag) override;
 
 private:
 	// FIXME: Not sure yet whether we need both pkt_buffer and stream_buffer.
diff --git a/src/file_analysis/Analyzer.cc b/src/file_analysis/Analyzer.cc
index 70bb644b63..b30a2cd786 100644
--- a/src/file_analysis/Analyzer.cc
+++ b/src/file_analysis/Analyzer.cc
@@ -15,13 +15,13 @@ Analyzer::~Analyzer()
 	DBG_LOG(DBG_FILE_ANALYSIS, "Destroy file analyzer %s", file_mgr->GetComponentName(tag).c_str());
 	}
 
-void Analyzer::SetAnalyzerTag(const file_analysis::Tag& arg_tag)
+void Analyzer::SetAnalyzerTag(const zeek::Tag& arg_tag)
 	{
 	assert(! tag || tag == arg_tag);
 	tag = arg_tag;
 	}
 
-Analyzer::Analyzer(file_analysis::Tag arg_tag, RecordValPtr arg_args, File* arg_file)
+Analyzer::Analyzer(zeek::Tag arg_tag, RecordValPtr arg_args, File* arg_file)
 	: tag(arg_tag), args(std::move(arg_args)), file(arg_file), got_stream_delivery(false),
 	  skip(false)
 	{
diff --git a/src/file_analysis/Analyzer.h b/src/file_analysis/Analyzer.h
index 10669bb843..4e10a46ff3 100644
--- a/src/file_analysis/Analyzer.h
+++ b/src/file_analysis/Analyzer.h
@@ -4,7 +4,7 @@
 
 #include <sys/types.h> // for u_char
 
-#include "zeek/file_analysis/Tag.h"
+#include "zeek/Tag.h"
 
 namespace zeek
 	{
@@ -81,7 +81,7 @@ public:
 	/**
 	 * @return the analyzer type enum value.
 	 */
-	file_analysis::Tag Tag() const { return tag; }
+	zeek::Tag Tag() const { return tag; }
 
 	/**
 	 * Returns the analyzer instance's internal ID. These IDs are unique
@@ -106,7 +106,7 @@ public:
 	 * did not receive a name or tag. The method cannot be used to change
 	 * an existing tag.
 	 */
-	void SetAnalyzerTag(const file_analysis::Tag& tag);
+	void SetAnalyzerTag(const zeek::Tag& tag);
 
 	/**
 	 * @return true if the analyzer has ever seen a stream-wise delivery.
@@ -141,7 +141,7 @@ protected:
 	 *        tunable options, if any, related to a particular analyzer type.
 	 * @param arg_file the file to which the the analyzer is being attached.
 	 */
-	Analyzer(file_analysis::Tag arg_tag, RecordValPtr arg_args, File* arg_file);
+	Analyzer(zeek::Tag arg_tag, RecordValPtr arg_args, File* arg_file);
 
 	/**
 	 * Constructor.  Only derived classes are meant to be instantiated.
@@ -156,7 +156,7 @@ protected:
 
 private:
 	ID id; /**< Unique instance ID. */
-	file_analysis::Tag tag; /**< The particular type of the analyzer instance. */
+	zeek::Tag tag; /**< The particular type of the analyzer instance. */
 	RecordValPtr args; /**< \c AnalyzerArgs val gives tunable analyzer params. */
 	File* file; /**< The file to which the analyzer is attached. */
 	bool got_stream_delivery;
diff --git a/src/file_analysis/AnalyzerSet.cc b/src/file_analysis/AnalyzerSet.cc
index 45e58dfac5..bbae639081 100644
--- a/src/file_analysis/AnalyzerSet.cc
+++ b/src/file_analysis/AnalyzerSet.cc
@@ -42,14 +42,14 @@ AnalyzerSet::~AnalyzerSet()
 	delete analyzer_hash;
 	}
 
-Analyzer* AnalyzerSet::Find(const file_analysis::Tag& tag, RecordValPtr args)
+Analyzer* AnalyzerSet::Find(const zeek::Tag& tag, RecordValPtr args)
 	{
 	auto key = GetKey(tag, std::move(args));
 	Analyzer* rval = analyzer_map.Lookup(key.get());
 	return rval;
 	}
 
-bool AnalyzerSet::Add(const file_analysis::Tag& tag, RecordValPtr args)
+bool AnalyzerSet::Add(const zeek::Tag& tag, RecordValPtr args)
 	{
 	auto key = GetKey(tag, args);
 
@@ -71,7 +71,7 @@ bool AnalyzerSet::Add(const file_analysis::Tag& tag, RecordValPtr args)
 	return true;
 	}
 
-Analyzer* AnalyzerSet::QueueAdd(const file_analysis::Tag& tag, RecordValPtr args)
+Analyzer* AnalyzerSet::QueueAdd(const zeek::Tag& tag, RecordValPtr args)
 	{
 	auto key = GetKey(tag, args);
 	file_analysis::Analyzer* a = InstantiateAnalyzer(tag, std::move(args));
@@ -105,12 +105,12 @@ void AnalyzerSet::AddMod::Abort()
 	delete a;
 	}
 
-bool AnalyzerSet::Remove(const file_analysis::Tag& tag, RecordValPtr args)
+bool AnalyzerSet::Remove(const zeek::Tag& tag, RecordValPtr args)
 	{
 	return Remove(tag, GetKey(tag, std::move(args)));
 	}
 
-bool AnalyzerSet::Remove(const file_analysis::Tag& tag, std::unique_ptr<zeek::detail::HashKey> key)
+bool AnalyzerSet::Remove(const zeek::Tag& tag, std::unique_ptr<zeek::detail::HashKey> key)
 	{
 	auto a = (file_analysis::Analyzer*)analyzer_map.Remove(key.get());
 
@@ -134,7 +134,7 @@ bool AnalyzerSet::Remove(const file_analysis::Tag& tag, std::unique_ptr<zeek::de
 	return true;
 	}
 
-bool AnalyzerSet::QueueRemove(const file_analysis::Tag& tag, RecordValPtr args)
+bool AnalyzerSet::QueueRemove(const zeek::Tag& tag, RecordValPtr args)
 	{
 	auto key = GetKey(tag, std::move(args));
 	auto rval = analyzer_map.Lookup(key.get());
@@ -147,7 +147,7 @@ bool AnalyzerSet::RemoveMod::Perform(AnalyzerSet* set)
 	return set->Remove(tag, std::move(key));
 	}
 
-std::unique_ptr<zeek::detail::HashKey> AnalyzerSet::GetKey(const file_analysis::Tag& t,
+std::unique_ptr<zeek::detail::HashKey> AnalyzerSet::GetKey(const zeek::Tag& t,
                                                            RecordValPtr args) const
 	{
 	auto lv = make_intrusive<ListVal>(TYPE_ANY);
diff --git a/src/file_analysis/AnalyzerSet.h b/src/file_analysis/AnalyzerSet.h
index 4ec009f68c..518c4f4d10 100644
--- a/src/file_analysis/AnalyzerSet.h
+++ b/src/file_analysis/AnalyzerSet.h
@@ -6,7 +6,7 @@
 #include <queue>
 
 #include "zeek/Dict.h"
-#include "zeek/file_analysis/Tag.h"
+#include "zeek/Tag.h"
 
 namespace zeek
 	{
@@ -55,7 +55,7 @@ public:
 	 * @param args an \c AnalyzerArgs record.
 	 * @return pointer to an analyzer instance, or a null pointer if not found.
 	 */
-	Analyzer* Find(const file_analysis::Tag& tag, RecordValPtr args);
+	Analyzer* Find(const zeek::Tag& tag, RecordValPtr args);
 
 	/**
 	 * Attach an analyzer to #file immediately.
@@ -63,7 +63,7 @@ public:
 	 * @param args an \c AnalyzerArgs value which specifies an analyzer.
 	 * @return true if analyzer was instantiated/attached, else false.
 	 */
-	bool Add(const file_analysis::Tag& tag, RecordValPtr args);
+	bool Add(const zeek::Tag& tag, RecordValPtr args);
 
 	/**
 	 * Queue the attachment of an analyzer to #file.
@@ -72,7 +72,7 @@ public:
 	 * @return if successful, a pointer to a newly instantiated analyzer else
 	 * a null pointer.  The caller does *not* take ownership of the memory.
 	 */
-	file_analysis::Analyzer* QueueAdd(const file_analysis::Tag& tag, RecordValPtr args);
+	file_analysis::Analyzer* QueueAdd(const zeek::Tag& tag, RecordValPtr args);
 
 	/**
 	 * Remove an analyzer from #file immediately.
@@ -80,7 +80,7 @@ public:
 	 * @param args an \c AnalyzerArgs value which specifies an analyzer.
 	 * @return false if analyzer didn't exist and so wasn't removed, else true.
 	 */
-	bool Remove(const file_analysis::Tag& tag, RecordValPtr args);
+	bool Remove(const zeek::Tag& tag, RecordValPtr args);
 
 	/**
 	 * Queue the removal of an analyzer from #file.
@@ -88,7 +88,7 @@ public:
 	 * @param args an \c AnalyzerArgs value which specifies an analyzer.
 	 * @return true if analyzer exists at time of call, else false;
 	 */
-	bool QueueRemove(const file_analysis::Tag& tag, RecordValPtr args);
+	bool QueueRemove(const zeek::Tag& tag, RecordValPtr args);
 
 	/**
 	 * Perform all queued modifications to the current analyzer set.
@@ -146,8 +146,7 @@ protected:
 	 * @param args an \c AnalyzerArgs value which specifies an analyzer.
 	 * @return the hash key calculated from \a args
 	 */
-	std::unique_ptr<zeek::detail::HashKey> GetKey(const file_analysis::Tag& tag,
-	                                              RecordValPtr args) const;
+	std::unique_ptr<zeek::detail::HashKey> GetKey(const zeek::Tag& tag, RecordValPtr args) const;
 
 	/**
 	 * Create an instance of a file analyzer.
@@ -155,8 +154,7 @@ protected:
 	 * @param args an \c AnalyzerArgs value which specifies an analyzer.
 	 * @return a new file analyzer instance.
 	 */
-	file_analysis::Analyzer* InstantiateAnalyzer(const file_analysis::Tag& tag,
-	                                             RecordValPtr args) const;
+	file_analysis::Analyzer* InstantiateAnalyzer(const zeek::Tag& tag, RecordValPtr args) const;
 
 	/**
 	 * Insert an analyzer instance in to the set.
@@ -171,7 +169,7 @@ protected:
 	 *        just used for debugging messages.
 	 * @param key the hash key which represents the analyzer's \c AnalyzerArgs.
 	 */
-	bool Remove(const file_analysis::Tag& tag, std::unique_ptr<zeek::detail::HashKey> key);
+	bool Remove(const zeek::Tag& tag, std::unique_ptr<zeek::detail::HashKey> key);
 
 private:
 	File* file; /**< File which owns the set */
@@ -234,7 +232,7 @@ private:
 		 * @param arg_a an analyzer instance to add to an analyzer set.
 		 * @param arg_key hash key representing the analyzer's \c AnalyzerArgs.
 		 */
-		RemoveMod(const file_analysis::Tag& arg_tag, std::unique_ptr<zeek::detail::HashKey> arg_key)
+		RemoveMod(const zeek::Tag& arg_tag, std::unique_ptr<zeek::detail::HashKey> arg_key)
 			: Modification(), tag(arg_tag), key(std::move(arg_key))
 			{
 			}
@@ -243,7 +241,7 @@ private:
 		void Abort() override { }
 
 	protected:
-		file_analysis::Tag tag;
+		zeek::Tag tag;
 		std::unique_ptr<zeek::detail::HashKey> key;
 		};
 
diff --git a/src/file_analysis/Component.h b/src/file_analysis/Component.h
index 681bb20acc..c085e10947 100644
--- a/src/file_analysis/Component.h
+++ b/src/file_analysis/Component.h
@@ -4,7 +4,7 @@
 
 #include "zeek/zeek-config.h"
 
-#include "zeek/file_analysis/Tag.h"
+#include "zeek/Tag.h"
 #include "zeek/plugin/Component.h"
 #include "zeek/plugin/TaggedComponent.h"
 
@@ -47,15 +47,15 @@ public:
 	 *
 	 * @param subtype A subtype associated with this component that
 	 * further distinguishes it. The subtype will be integrated into the
-	 * analyzer::Tag that the manager associates with this analyzer, and
-	 * analyzer instances can accordingly access it via analyzer::Tag().
+	 * Tag that the manager associates with this analyzer, and
+	 * analyzer instances can accordingly access it via Tag().
 	 * If not used, leave at zero.
 	 *
 	 * @param enabled If false the analyzer starts out as disabled and
 	 * hence won't be used. It can still be enabled later via the
 	 * manager, including from script-land.
 	 */
-	Component(const std::string& name, factory_function factory, Tag::subtype_t subtype = 0,
+	Component(const std::string& name, factory_function factory, zeek::Tag::subtype_t subtype = 0,
 	          bool enabled = true);
 
 	/**
diff --git a/src/file_analysis/File.cc b/src/file_analysis/File.cc
index 74d389ceb7..4c4229e5bd 100644
--- a/src/file_analysis/File.cc
+++ b/src/file_analysis/File.cc
@@ -79,7 +79,7 @@ void File::StaticInit()
 	}
 
 File::File(const std::string& file_id, const std::string& source_name, Connection* conn,
-           analyzer::Tag tag, bool is_orig)
+           zeek::Tag tag, bool is_orig)
 	: id(file_id), val(nullptr), file_reassembler(nullptr), stream_offset(0),
 	  reassembly_max_buffer(0), did_metadata_inference(false), reassembly_enabled(false),
 	  postpone_timeout(false), done(false), analyzers(this)
@@ -246,7 +246,7 @@ void File::ScheduleInactivityTimer() const
 		new detail::FileTimer(run_state::network_time, id, GetTimeoutInterval()));
 	}
 
-bool File::AddAnalyzer(file_analysis::Tag tag, RecordValPtr args)
+bool File::AddAnalyzer(zeek::Tag tag, RecordValPtr args)
 	{
 	DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Queuing addition of %s analyzer", id.c_str(),
 	        file_mgr->GetComponentName(tag).c_str());
@@ -257,7 +257,7 @@ bool File::AddAnalyzer(file_analysis::Tag tag, RecordValPtr args)
 	return analyzers.QueueAdd(tag, std::move(args)) != nullptr;
 	}
 
-bool File::RemoveAnalyzer(file_analysis::Tag tag, RecordValPtr args)
+bool File::RemoveAnalyzer(zeek::Tag tag, RecordValPtr args)
 	{
 	DBG_LOG(DBG_FILE_ANALYSIS, "[%s] Queuing remove of %s analyzer", id.c_str(),
 	        file_mgr->GetComponentName(tag).c_str());
diff --git a/src/file_analysis/File.h b/src/file_analysis/File.h
index 634110e8cc..db8e20f025 100644
--- a/src/file_analysis/File.h
+++ b/src/file_analysis/File.h
@@ -119,7 +119,7 @@ public:
 	 * @param args an \c AnalyzerArgs value representing a file analyzer.
 	 * @return false if analyzer can't be instantiated, else true.
 	 */
-	bool AddAnalyzer(file_analysis::Tag tag, RecordValPtr args);
+	bool AddAnalyzer(zeek::Tag tag, RecordValPtr args);
 
 	/**
 	 * Queues removal of an analyzer.
@@ -127,7 +127,7 @@ public:
 	 * @param args an \c AnalyzerArgs value representing a file analyzer.
 	 * @return true if analyzer was active at time of call, else false.
 	 */
-	bool RemoveAnalyzer(file_analysis::Tag tag, RecordValPtr args);
+	bool RemoveAnalyzer(zeek::Tag tag, RecordValPtr args);
 
 	/**
 	 * Signal that this analyzer can be deleted once it's safe to do so.
@@ -223,7 +223,7 @@ protected:
 	 *        direction.
 	 */
 	File(const std::string& file_id, const std::string& source_name, Connection* conn = nullptr,
-	     analyzer::Tag tag = analyzer::Tag::Error, bool is_orig = false);
+	     zeek::Tag tag = zeek::Tag::Error, bool is_orig = false);
 
 	/**
 	 * Updates the "conn_ids" and "conn_uids" fields in #val record with the
diff --git a/src/file_analysis/Manager.cc b/src/file_analysis/Manager.cc
index 60fd82acc4..c8a48c5802 100644
--- a/src/file_analysis/Manager.cc
+++ b/src/file_analysis/Manager.cc
@@ -87,7 +87,7 @@ void Manager::SetHandle(const string& handle)
 	current_file_id = HashHandle(handle);
 	}
 
-string Manager::DataIn(const u_char* data, uint64_t len, uint64_t offset, const analyzer::Tag& tag,
+string Manager::DataIn(const u_char* data, uint64_t len, uint64_t offset, const zeek::Tag& tag,
                        Connection* conn, bool is_orig, const string& precomputed_id,
                        const string& mime_type)
 	{
@@ -117,7 +117,7 @@ string Manager::DataIn(const u_char* data, uint64_t len, uint64_t offset, const
 	return id;
 	}
 
-string Manager::DataIn(const u_char* data, uint64_t len, const analyzer::Tag& tag, Connection* conn,
+string Manager::DataIn(const u_char* data, uint64_t len, const zeek::Tag& tag, Connection* conn,
                        bool is_orig, const string& precomputed_id, const string& mime_type)
 	{
 	string id = precomputed_id.empty() ? GetFileID(tag, conn, is_orig) : precomputed_id;
@@ -145,7 +145,7 @@ string Manager::DataIn(const u_char* data, uint64_t len, const analyzer::Tag& ta
 void Manager::DataIn(const u_char* data, uint64_t len, const string& file_id, const string& source,
                      const string& mime_type)
 	{
-	File* file = GetFile(file_id, nullptr, analyzer::Tag::Error, false, false, source.c_str());
+	File* file = GetFile(file_id, nullptr, zeek::Tag::Error, false, false, source.c_str());
 
 	if ( ! file )
 		return;
@@ -162,7 +162,7 @@ void Manager::DataIn(const u_char* data, uint64_t len, const string& file_id, co
 void Manager::DataIn(const u_char* data, uint64_t len, uint64_t offset, const string& file_id,
                      const string& source, const string& mime_type)
 	{
-	File* file = GetFile(file_id, nullptr, analyzer::Tag::Error, false, false, source.c_str());
+	File* file = GetFile(file_id, nullptr, zeek::Tag::Error, false, false, source.c_str());
 
 	if ( ! file )
 		return;
@@ -176,13 +176,13 @@ void Manager::DataIn(const u_char* data, uint64_t len, uint64_t offset, const st
 		RemoveFile(file->GetID());
 	}
 
-void Manager::EndOfFile(const analyzer::Tag& tag, Connection* conn)
+void Manager::EndOfFile(const zeek::Tag& tag, Connection* conn)
 	{
 	EndOfFile(tag, conn, true);
 	EndOfFile(tag, conn, false);
 	}
 
-void Manager::EndOfFile(const analyzer::Tag& tag, Connection* conn, bool is_orig)
+void Manager::EndOfFile(const zeek::Tag& tag, Connection* conn, bool is_orig)
 	{
 	// Don't need to create a file if we're just going to remove it right away.
 	RemoveFile(GetFileID(tag, conn, is_orig));
@@ -193,7 +193,7 @@ void Manager::EndOfFile(const string& file_id)
 	RemoveFile(file_id);
 	}
 
-string Manager::Gap(uint64_t offset, uint64_t len, const analyzer::Tag& tag, Connection* conn,
+string Manager::Gap(uint64_t offset, uint64_t len, const zeek::Tag& tag, Connection* conn,
                     bool is_orig, const string& precomputed_id)
 	{
 	string id = precomputed_id.empty() ? GetFileID(tag, conn, is_orig) : precomputed_id;
@@ -206,7 +206,7 @@ string Manager::Gap(uint64_t offset, uint64_t len, const analyzer::Tag& tag, Con
 	return id;
 	}
 
-string Manager::SetSize(uint64_t size, const analyzer::Tag& tag, Connection* conn, bool is_orig,
+string Manager::SetSize(uint64_t size, const zeek::Tag& tag, Connection* conn, bool is_orig,
                         const string& precomputed_id)
 	{
 	string id = precomputed_id.empty() ? GetFileID(tag, conn, is_orig) : precomputed_id;
@@ -283,8 +283,7 @@ bool Manager::SetExtractionLimit(const string& file_id, RecordValPtr args, uint6
 	return file->SetExtractionLimit(std::move(args), n);
 	}
 
-bool Manager::AddAnalyzer(const string& file_id, const file_analysis::Tag& tag,
-                          RecordValPtr args) const
+bool Manager::AddAnalyzer(const string& file_id, const zeek::Tag& tag, RecordValPtr args) const
 	{
 	File* file = LookupFile(file_id);
 
@@ -294,8 +293,7 @@ bool Manager::AddAnalyzer(const string& file_id, const file_analysis::Tag& tag,
 	return file->AddAnalyzer(tag, std::move(args));
 	}
 
-bool Manager::RemoveAnalyzer(const string& file_id, const file_analysis::Tag& tag,
-                             RecordValPtr args) const
+bool Manager::RemoveAnalyzer(const string& file_id, const zeek::Tag& tag, RecordValPtr args) const
 	{
 	File* file = LookupFile(file_id);
 
@@ -305,8 +303,8 @@ bool Manager::RemoveAnalyzer(const string& file_id, const file_analysis::Tag& ta
 	return file->RemoveAnalyzer(tag, std::move(args));
 	}
 
-File* Manager::GetFile(const string& file_id, Connection* conn, const analyzer::Tag& tag,
-                       bool is_orig, bool update_conn, const char* source_name)
+File* Manager::GetFile(const string& file_id, Connection* conn, const zeek::Tag& tag, bool is_orig,
+                       bool update_conn, const char* source_name)
 	{
 	if ( file_id.empty() )
 		return nullptr;
@@ -417,7 +415,7 @@ bool Manager::IsIgnored(const string& file_id)
 	return ignored.find(file_id) != ignored.end();
 	}
 
-string Manager::GetFileID(const analyzer::Tag& tag, Connection* c, bool is_orig)
+string Manager::GetFileID(const zeek::Tag& tag, Connection* c, bool is_orig)
 	{
 	current_file_id.clear();
 
@@ -437,7 +435,7 @@ string Manager::GetFileID(const analyzer::Tag& tag, Connection* c, bool is_orig)
 	return current_file_id;
 	}
 
-bool Manager::IsDisabled(const analyzer::Tag& tag)
+bool Manager::IsDisabled(const zeek::Tag& tag)
 	{
 	if ( ! disabled )
 		disabled = id::find_const("Files::disable")->AsTableVal();
diff --git a/src/file_analysis/Manager.h b/src/file_analysis/Manager.h
index 97e4c66be9..5f48fddec7 100644
--- a/src/file_analysis/Manager.h
+++ b/src/file_analysis/Manager.h
@@ -8,7 +8,7 @@
 
 #include "zeek/RuleMatcher.h"
 #include "zeek/RunState.h"
-#include "zeek/analyzer/Tag.h"
+#include "zeek/Tag.h"
 #include "zeek/file_analysis/Component.h"
 #include "zeek/file_analysis/FileTimer.h"
 #include "zeek/plugin/ComponentManager.h"
@@ -110,7 +110,7 @@ public:
 	 *         the \c get_file_handle script-layer event).  An empty string
 	 *         indicates the associate file is not going to be analyzed further.
 	 */
-	std::string DataIn(const u_char* data, uint64_t len, uint64_t offset, const analyzer::Tag& tag,
+	std::string DataIn(const u_char* data, uint64_t len, uint64_t offset, const zeek::Tag& tag,
 	                   Connection* conn, bool is_orig, const std::string& precomputed_file_id = "",
 	                   const std::string& mime_type = "");
 
@@ -136,7 +136,7 @@ public:
 	 *         the \c get_file_handle script-layer event).  An empty string
 	 *         indicates the associated file is not going to be analyzed further.
 	 */
-	std::string DataIn(const u_char* data, uint64_t len, const analyzer::Tag& tag, Connection* conn,
+	std::string DataIn(const u_char* data, uint64_t len, const zeek::Tag& tag, Connection* conn,
 	                   bool is_orig, const std::string& precomputed_file_id = "",
 	                   const std::string& mime_type = "");
 
@@ -183,7 +183,7 @@ public:
 	 * @param tag network protocol over which the file data is transferred.
 	 * @param conn network connection over which the file data is transferred.
 	 */
-	void EndOfFile(const analyzer::Tag& tag, Connection* conn);
+	void EndOfFile(const zeek::Tag& tag, Connection* conn);
 
 	/**
 	 * Signal the end of file data being transferred over a connection in
@@ -191,7 +191,7 @@ public:
 	 * @param tag network protocol over which the file data is transferred.
 	 * @param conn network connection over which the file data is transferred.
 	 */
-	void EndOfFile(const analyzer::Tag& tag, Connection* conn, bool is_orig);
+	void EndOfFile(const zeek::Tag& tag, Connection* conn, bool is_orig);
 
 	/**
 	 * Signal the end of file data being transferred using the file identifier.
@@ -215,7 +215,7 @@ public:
 	 *         the \c get_file_handle script-layer event).  An empty string
 	 *         indicates the associate file is not going to be analyzed further.
 	 */
-	std::string Gap(uint64_t offset, uint64_t len, const analyzer::Tag& tag, Connection* conn,
+	std::string Gap(uint64_t offset, uint64_t len, const zeek::Tag& tag, Connection* conn,
 	                bool is_orig, const std::string& precomputed_file_id = "");
 
 	/**
@@ -233,7 +233,7 @@ public:
 	 *         the \c get_file_handle script-layer event).  An empty string
 	 *         indicates the associate file is not going to be analyzed further.
 	 */
-	std::string SetSize(uint64_t size, const analyzer::Tag& tag, Connection* conn, bool is_orig,
+	std::string SetSize(uint64_t size, const zeek::Tag& tag, Connection* conn, bool is_orig,
 	                    const std::string& precomputed_file_id = "");
 
 	/**
@@ -298,8 +298,7 @@ public:
 	 * @param args a \c AnalyzerArgs value which describes a file analyzer.
 	 * @return false if the analyzer failed to be instantiated, else true.
 	 */
-	bool AddAnalyzer(const std::string& file_id, const file_analysis::Tag& tag,
-	                 RecordValPtr args) const;
+	bool AddAnalyzer(const std::string& file_id, const zeek::Tag& tag, RecordValPtr args) const;
 
 	/**
 	 * Queue removal of an analyzer for a given file identifier.
@@ -308,8 +307,7 @@ public:
 	 * @param args a \c AnalyzerArgs value which describes a file analyzer.
 	 * @return true if the analyzer is active at the time of call, else false.
 	 */
-	bool RemoveAnalyzer(const std::string& file_id, const file_analysis::Tag& tag,
-	                    RecordValPtr args) const;
+	bool RemoveAnalyzer(const std::string& file_id, const zeek::Tag& tag, RecordValPtr args) const;
 
 	/**
 	 * Tells whether analysis for a file is active or ignored.
@@ -379,7 +377,7 @@ protected:
 	 *         connection-related fields.
 	 */
 	File* GetFile(const std::string& file_id, Connection* conn = nullptr,
-	              const analyzer::Tag& tag = analyzer::Tag::Error, bool is_orig = false,
+	              const zeek::Tag& tag = zeek::Tag::Error, bool is_orig = false,
 	              bool update_conn = true, const char* source_name = nullptr);
 
 	/**
@@ -409,7 +407,7 @@ protected:
 	 * @return #current_file_id, which is a hash of a unique file handle string
 	 *         set by a \c get_file_handle event handler.
 	 */
-	std::string GetFileID(const analyzer::Tag& tag, Connection* c, bool is_orig);
+	std::string GetFileID(const zeek::Tag& tag, Connection* c, bool is_orig);
 
 	/**
 	 * Check if analysis is available for files transferred over a given
@@ -419,7 +417,7 @@ protected:
 	 * @return whether file analysis is disabled for the analyzer given by
 	 *         \a tag.
 	 */
-	static bool IsDisabled(const analyzer::Tag& tag);
+	static bool IsDisabled(const zeek::Tag& tag);
 
 private:
 	using TagSet = std::set<Tag>;
diff --git a/src/file_analysis/analyzer/x509/X509Common.cc b/src/file_analysis/analyzer/x509/X509Common.cc
index 57c74965a7..9d5f839b0b 100644
--- a/src/file_analysis/analyzer/x509/X509Common.cc
+++ b/src/file_analysis/analyzer/x509/X509Common.cc
@@ -17,7 +17,7 @@
 namespace zeek::file_analysis::detail
 	{
 
-X509Common::X509Common(const file_analysis::Tag& arg_tag, RecordValPtr arg_args,
+X509Common::X509Common(const zeek::Tag& arg_tag, RecordValPtr arg_args,
                        file_analysis::File* arg_file)
 	: file_analysis::Analyzer(arg_tag, std::move(arg_args), arg_file)
 	{
diff --git a/src/file_analysis/analyzer/x509/X509Common.h b/src/file_analysis/analyzer/x509/X509Common.h
index 25d3efa558..bcaa4da7d2 100644
--- a/src/file_analysis/analyzer/x509/X509Common.h
+++ b/src/file_analysis/analyzer/x509/X509Common.h
@@ -49,8 +49,7 @@ public:
 	                              Reporter* reporter);
 
 protected:
-	X509Common(const file_analysis::Tag& arg_tag, RecordValPtr arg_args,
-	           file_analysis::File* arg_file);
+	X509Common(const zeek::Tag& arg_tag, RecordValPtr arg_args, file_analysis::File* arg_file);
 
 	void ParseExtension(X509_EXTENSION* ex, const EventHandlerPtr& h, bool global);
 	void ParseSignedCertificateTimestamps(X509_EXTENSION* ext);
diff --git a/src/input/Component.h b/src/input/Component.h
index d52202a414..fe44b09d47 100644
--- a/src/input/Component.h
+++ b/src/input/Component.h
@@ -2,7 +2,7 @@
 
 #pragma once
 
-#include "zeek/input/Tag.h"
+#include "zeek/Tag.h"
 #include "zeek/plugin/Component.h"
 #include "zeek/plugin/TaggedComponent.h"
 
diff --git a/src/logging/Component.h b/src/logging/Component.h
index b0b29bc02d..10a43021cf 100644
--- a/src/logging/Component.h
+++ b/src/logging/Component.h
@@ -2,7 +2,7 @@
 
 #pragma once
 
-#include "zeek/logging/Tag.h"
+#include "zeek/Tag.h"
 #include "zeek/plugin/Component.h"
 #include "zeek/plugin/TaggedComponent.h"
 
diff --git a/src/packet_analysis/Analyzer.h b/src/packet_analysis/Analyzer.h
index 8122c487df..59f37dc291 100644
--- a/src/packet_analysis/Analyzer.h
+++ b/src/packet_analysis/Analyzer.h
@@ -1,9 +1,9 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 #pragma once
 
+#include "zeek/Tag.h"
 #include "zeek/iosource/Packet.h"
 #include "zeek/packet_analysis/Manager.h"
-#include "zeek/packet_analysis/Tag.h"
 
 namespace zeek::packet_analysis
 	{
@@ -31,7 +31,7 @@ public:
 	 * @param tag The tag for the type of analyzer. The tag must map to
 	 * the name the corresponding Component registers.
 	 */
-	explicit Analyzer(const Tag& tag);
+	explicit Analyzer(const zeek::Tag& tag);
 
 	/**
 	 * Destructor.
@@ -50,7 +50,7 @@ public:
 	/**
 	 * Returns the tag associated with the analyzer's type.
 	 */
-	const Tag GetAnalyzerTag() const;
+	const zeek::Tag GetAnalyzerTag() const;
 
 	/**
 	 * Returns a textual description of the analyzer's type. This is
@@ -165,7 +165,7 @@ protected:
 	void Weird(const char* name, Packet* packet = nullptr, const char* addl = "") const;
 
 private:
-	Tag tag;
+	zeek::Tag tag;
 	Dispatcher dispatcher;
 	AnalyzerPtr default_analyzer = nullptr;
 
@@ -174,7 +174,7 @@ private:
 	 */
 	bool report_unknown_protocols = true;
 
-	void Init(const Tag& tag);
+	void Init(const zeek::Tag& tag);
 	};
 
 using AnalyzerPtr = std::shared_ptr<Analyzer>;
diff --git a/src/packet_analysis/Component.h b/src/packet_analysis/Component.h
index 25203940bd..69184a8ca5 100644
--- a/src/packet_analysis/Component.h
+++ b/src/packet_analysis/Component.h
@@ -6,7 +6,7 @@
 
 #include <functional>
 
-#include "zeek/packet_analysis/Tag.h"
+#include "zeek/Tag.h"
 #include "zeek/plugin/Component.h"
 #include "zeek/plugin/TaggedComponent.h"
 #include "zeek/util.h"
@@ -22,7 +22,7 @@ class Component : public plugin::Component, public plugin::TaggedComponent
 public:
 	using factory_callback = std::function<AnalyzerPtr()>;
 
-	Component(const std::string& name, factory_callback factory, Tag::subtype_t subtype = 0);
+	Component(const std::string& name, factory_callback factory, zeek::Tag::subtype_t subtype = 0);
 	~Component() override = default;
 
 	/**
diff --git a/src/packet_analysis/Manager.h b/src/packet_analysis/Manager.h
index ba1a4d8b81..1ae50c2ef2 100644
--- a/src/packet_analysis/Manager.h
+++ b/src/packet_analysis/Manager.h
@@ -4,10 +4,10 @@
 
 #include "zeek/Func.h"
 #include "zeek/PacketFilter.h"
+#include "zeek/Tag.h"
 #include "zeek/iosource/Packet.h"
 #include "zeek/packet_analysis/Component.h"
 #include "zeek/packet_analysis/Dispatcher.h"
-#include "zeek/packet_analysis/Tag.h"
 #include "zeek/plugin/ComponentManager.h"
 
 namespace zeek
@@ -151,7 +151,7 @@ private:
 	 * @return The new analyzer instance. Returns null if tag is invalid, the
 	 * requested analyzer is disabled, or the analyzer can't be instantiated.
 	 */
-	AnalyzerPtr InstantiateAnalyzer(const Tag& tag);
+	AnalyzerPtr InstantiateAnalyzer(const zeek::Tag& tag);
 
 	/**
 	 * Instantiates a new analyzer.
diff --git a/src/packet_analysis/protocol/icmp/ICMPSessionAdapter.cc b/src/packet_analysis/protocol/icmp/ICMPSessionAdapter.cc
index 0090e69fa1..6de5fa959c 100644
--- a/src/packet_analysis/protocol/icmp/ICMPSessionAdapter.cc
+++ b/src/packet_analysis/protocol/icmp/ICMPSessionAdapter.cc
@@ -16,7 +16,7 @@ enum ICMP_EndpointState
 
 void ICMPSessionAdapter::AddExtraAnalyzers(Connection* conn)
 	{
-	static analyzer::Tag analyzer_connsize = analyzer_mgr->GetComponentTag("CONNSIZE");
+	static zeek::Tag analyzer_connsize = analyzer_mgr->GetComponentTag("CONNSIZE");
 
 	if ( analyzer_mgr->IsEnabled(analyzer_connsize) )
 		// Add ConnSize analyzer. Needs to see packets, not stream.
diff --git a/src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc b/src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc
index 81466dbd60..876ce5ef2c 100644
--- a/src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc
+++ b/src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc
@@ -196,7 +196,7 @@ void IPBasedAnalyzer::BuildSessionAnalyzerTree(Connection* conn)
 		if ( ! analyzers_by_port.empty() && ! zeek::detail::dpd_ignore_ports )
 			{
 			int resp_port = ntohs(conn->RespPort());
-			std::set<analyzer::Tag>* ports = LookupPort(resp_port, false);
+			std::set<zeek::Tag>* ports = LookupPort(resp_port, false);
 
 			if ( ports )
 				{
@@ -227,7 +227,7 @@ void IPBasedAnalyzer::BuildSessionAnalyzerTree(Connection* conn)
 	PLUGIN_HOOK_VOID(HOOK_SETUP_ANALYZER_TREE, HookSetupAnalyzerTree(conn));
 	}
 
-bool IPBasedAnalyzer::RegisterAnalyzerForPort(const analyzer::Tag& tag, uint32_t port)
+bool IPBasedAnalyzer::RegisterAnalyzerForPort(const zeek::Tag& tag, uint32_t port)
 	{
 	tag_set* l = LookupPort(port, true);
 
@@ -243,7 +243,7 @@ bool IPBasedAnalyzer::RegisterAnalyzerForPort(const analyzer::Tag& tag, uint32_t
 	return true;
 	}
 
-bool IPBasedAnalyzer::UnregisterAnalyzerForPort(const analyzer::Tag& tag, uint32_t port)
+bool IPBasedAnalyzer::UnregisterAnalyzerForPort(const zeek::Tag& tag, uint32_t port)
 	{
 	tag_set* l = LookupPort(port, true);
 
diff --git a/src/packet_analysis/protocol/ip/IPBasedAnalyzer.h b/src/packet_analysis/protocol/ip/IPBasedAnalyzer.h
index 0a36811dca..0f87d907f8 100644
--- a/src/packet_analysis/protocol/ip/IPBasedAnalyzer.h
+++ b/src/packet_analysis/protocol/ip/IPBasedAnalyzer.h
@@ -6,7 +6,7 @@
 #include <set>
 
 #include "zeek/ID.h"
-#include "zeek/analyzer/Tag.h"
+#include "zeek/Tag.h"
 #include "zeek/packet_analysis/Analyzer.h"
 
 namespace zeek::analyzer::pia
@@ -49,7 +49,7 @@ public:
 	 * @param port The port's number.
 	 * @return True if successful.
 	 */
-	bool RegisterAnalyzerForPort(const analyzer::Tag& tag, uint32_t port);
+	bool RegisterAnalyzerForPort(const zeek::Tag& tag, uint32_t port);
 
 	/**
 	 * Unregisters a well-known port for an analyzer.
@@ -57,9 +57,9 @@ public:
 	 * @param tag The analyzer's tag.
 	 * @param port The port's number.
 	 * @param tag The analyzer's tag as an enum of script type \c
-	 * Analyzer::Tag.
+	 * Tag.
 	 */
-	bool UnregisterAnalyzerForPort(const analyzer::Tag& tag, uint32_t port);
+	bool UnregisterAnalyzerForPort(const zeek::Tag& tag, uint32_t port);
 
 	/**
 	 * Dumps information about the registered session analyzers per port.
@@ -180,7 +180,7 @@ private:
 	// While this is storing session analyzer tags, we store it here since packet analyzers
 	// are persitent objects. We can't do this in the adapters because those get created
 	// and destroyed for each connection.
-	using tag_set = std::set<analyzer::Tag>;
+	using tag_set = std::set<zeek::Tag>;
 	using analyzer_map_by_port = std::map<uint32_t, tag_set*>;
 	analyzer_map_by_port analyzers_by_port;
 
diff --git a/src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc b/src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc
index a563650b74..c342f1f3b8 100644
--- a/src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc
+++ b/src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc
@@ -724,7 +724,7 @@ analyzer::Analyzer* TCPSessionAdapter::FindChild(analyzer::ID arg_id)
 	return nullptr;
 	}
 
-analyzer::Analyzer* TCPSessionAdapter::FindChild(analyzer::Tag arg_tag)
+analyzer::Analyzer* TCPSessionAdapter::FindChild(zeek::Tag arg_tag)
 	{
 	analyzer::Analyzer* child = packet_analysis::IP::SessionAdapter::FindChild(arg_tag);
 
@@ -1599,8 +1599,8 @@ bool TCPSessionAdapter::IsReuse(double t, const u_char* pkt)
 
 void TCPSessionAdapter::AddExtraAnalyzers(Connection* conn)
 	{
-	static analyzer::Tag analyzer_connsize = analyzer_mgr->GetComponentTag("CONNSIZE");
-	static analyzer::Tag analyzer_tcpstats = analyzer_mgr->GetComponentTag("TCPSTATS");
+	static zeek::Tag analyzer_connsize = analyzer_mgr->GetComponentTag("CONNSIZE");
+	static zeek::Tag analyzer_tcpstats = analyzer_mgr->GetComponentTag("TCPSTATS");
 
 	// We have to decide whether to reassamble the stream.
 	// We turn it on right away if we already have an app-layer
diff --git a/src/packet_analysis/protocol/tcp/TCPSessionAdapter.h b/src/packet_analysis/protocol/tcp/TCPSessionAdapter.h
index dd62ede029..5025f0299b 100644
--- a/src/packet_analysis/protocol/tcp/TCPSessionAdapter.h
+++ b/src/packet_analysis/protocol/tcp/TCPSessionAdapter.h
@@ -2,6 +2,7 @@
 
 #pragma once
 
+#include "zeek/Tag.h"
 #include "zeek/analyzer/protocol/tcp/TCP_Endpoint.h"
 #include "zeek/analyzer/protocol/tcp/TCP_Flags.h"
 #include "zeek/packet_analysis/Analyzer.h"
@@ -42,7 +43,7 @@ public:
 	void AddChildPacketAnalyzer(analyzer::Analyzer* a);
 
 	Analyzer* FindChild(analyzer::ID id) override;
-	Analyzer* FindChild(analyzer::Tag tag) override;
+	Analyzer* FindChild(zeek::Tag tag) override;
 	bool RemoveChildAnalyzer(analyzer::ID id) override;
 
 	// True if the connection has closed in some sense, false otherwise.
diff --git a/src/packet_analysis/protocol/udp/UDPSessionAdapter.cc b/src/packet_analysis/protocol/udp/UDPSessionAdapter.cc
index 32338cf89c..99a798fe78 100644
--- a/src/packet_analysis/protocol/udp/UDPSessionAdapter.cc
+++ b/src/packet_analysis/protocol/udp/UDPSessionAdapter.cc
@@ -17,7 +17,7 @@ enum UDP_EndpointState
 
 void UDPSessionAdapter::AddExtraAnalyzers(Connection* conn)
 	{
-	static analyzer::Tag analyzer_connsize = analyzer_mgr->GetComponentTag("CONNSIZE");
+	static zeek::Tag analyzer_connsize = analyzer_mgr->GetComponentTag("CONNSIZE");
 
 	if ( analyzer_mgr->IsEnabled(analyzer_connsize) )
 		// Add ConnSize analyzer. Needs to see packets, not stream.

From 7d66f4252f20188ac3bf426b6cb4e5049b695e8d Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Thu, 30 Sep 2021 13:34:42 -0700
Subject: [PATCH 087/210] Unify plugin::Component and plugin::TaggedComponent
 into a single class

These two are almost always used in conjunction with each other, and
TaggedComponent is never used by itself. Combining them together into
a single class will help simplify some of the code around managing
the mapping between Tags and Components.
---
 src/CMakeLists.txt               |  1 -
 src/Tag.cc                       | 23 +++++----------
 src/Tag.h                        | 10 +++----
 src/analyzer/Component.cc        |  8 ++---
 src/analyzer/Component.h         |  5 ++--
 src/file_analysis/Component.cc   |  4 +--
 src/file_analysis/Component.h    |  3 +-
 src/input/Component.cc           |  3 +-
 src/input/Component.h            |  3 +-
 src/logging/Component.cc         |  3 +-
 src/logging/Component.h          |  3 +-
 src/packet_analysis/Component.cc |  5 ++--
 src/packet_analysis/Component.h  |  3 +-
 src/plugin/Component.cc          | 37 +++++++++++++----------
 src/plugin/Component.h           | 49 ++++++++++++++++++++++++++-----
 src/plugin/ComponentManager.h    |  2 +-
 src/plugin/TaggedComponent.cc    | 36 -----------------------
 src/plugin/TaggedComponent.h     | 50 --------------------------------
 18 files changed, 90 insertions(+), 158 deletions(-)
 delete mode 100644 src/plugin/TaggedComponent.cc
 delete mode 100644 src/plugin/TaggedComponent.h

diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index d2ec1359d0..a14e1cfb78 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -379,7 +379,6 @@ set(MAIN_SRCS
 
     plugin/Component.cc
     plugin/ComponentManager.h
-    plugin/TaggedComponent.cc
     plugin/Manager.cc
     plugin/Plugin.cc
 
diff --git a/src/Tag.cc b/src/Tag.cc
index 080d040a26..c3593b59c3 100644
--- a/src/Tag.cc
+++ b/src/Tag.cc
@@ -17,7 +17,9 @@ Tag::Tag(const EnumTypePtr& etype, type_t arg_type, subtype_t arg_subtype)
 	assert(arg_type > 0);
 
 	int64_t i = (int64_t)(type) | ((int64_t)subtype << 31);
-	val = etype->GetEnumVal(i);
+
+	if ( etype )
+		val = etype->GetEnumVal(i);
 	}
 
 Tag::Tag(EnumValPtr arg_val)
@@ -36,13 +38,13 @@ Tag::Tag(const Tag& other)
 	type = other.type;
 	subtype = other.subtype;
 	val = other.val;
+	etype = other.etype;
 	}
 
 Tag::Tag()
 	{
-	type = 0;
-	subtype = 0;
 	val = nullptr;
+	etype = nullptr;
 	}
 
 Tag::~Tag() = default;
@@ -54,6 +56,7 @@ Tag& Tag::operator=(const Tag& other)
 		type = other.type;
 		subtype = other.subtype;
 		val = other.val;
+		etype = other.etype;
 		}
 
 	return *this;
@@ -66,24 +69,12 @@ Tag& Tag::operator=(const Tag&& other) noexcept
 		type = other.type;
 		subtype = other.subtype;
 		val = std::move(other.val);
+		etype = std::move(other.etype);
 		}
 
 	return *this;
 	}
 
-const EnumValPtr& Tag::AsVal() const
-	{
-	// TODO: this probably isn't valid, and we should just return the null val
-	// if it's null.
-	if ( ! val )
-		{
-		assert(type == 0 && subtype == 0 && etype != nullptr);
-		val = etype->GetEnumVal(0);
-		}
-
-	return val;
-	}
-
 std::string Tag::AsString() const
 	{
 	return util::fmt("%" PRIu32 "/%" PRIu32, type, subtype);
diff --git a/src/Tag.h b/src/Tag.h
index 5c8b554091..9b59c93c59 100644
--- a/src/Tag.h
+++ b/src/Tag.h
@@ -153,7 +153,7 @@ public:
 	 *
 	 * @param etype the script-layer enum type associated with the tag.
 	 */
-	const EnumValPtr& AsVal() const;
+	const EnumValPtr& AsVal() const { return val; }
 
 	/**
 	 * Returns false if the tag represents an error value rather than a
@@ -164,10 +164,10 @@ public:
 	static const Tag Error;
 
 private:
-	type_t type; // Main type.
-	subtype_t subtype; // Subtype.
-	mutable EnumValPtr val; // Script-layer value.
-	mutable EnumTypePtr etype;
+	type_t type = 0; // Main type.
+	subtype_t subtype = 0; // Subtype.
+	EnumValPtr val; // Script-layer value.
+	EnumTypePtr etype;
 	};
 
 	} // namespace zeek
diff --git a/src/analyzer/Component.cc b/src/analyzer/Component.cc
index b01eb2f0ba..12984088d7 100644
--- a/src/analyzer/Component.cc
+++ b/src/analyzer/Component.cc
@@ -12,9 +12,9 @@ namespace zeek::analyzer
 Component::Component(const std::string& name, factory_callback arg_factory,
                      zeek::Tag::subtype_t arg_subtype, bool arg_enabled, bool arg_partial,
                      bool arg_adapter)
-	: plugin::Component(
-		  arg_adapter ? plugin::component::SESSION_ADAPTER : plugin::component::ANALYZER, name),
-	  plugin::TaggedComponent(arg_subtype, analyzer_mgr->GetTagType())
+	: plugin::Component(arg_adapter ? plugin::component::SESSION_ADAPTER
+                                    : plugin::component::ANALYZER,
+                        name, arg_subtype, analyzer_mgr->GetTagType())
 	{
 	factory = arg_factory;
 	enabled = arg_enabled;
@@ -27,8 +27,6 @@ void Component::Initialize()
 	analyzer_mgr->RegisterComponent(this, "ANALYZER_");
 	}
 
-Component::~Component() { }
-
 void Component::DoDescribe(ODesc* d) const
 	{
 	if ( factory )
diff --git a/src/analyzer/Component.h b/src/analyzer/Component.h
index 0ad42f253a..6588c512c9 100644
--- a/src/analyzer/Component.h
+++ b/src/analyzer/Component.h
@@ -6,7 +6,6 @@
 
 #include "zeek/Tag.h"
 #include "zeek/plugin/Component.h"
-#include "zeek/plugin/TaggedComponent.h"
 #include "zeek/util.h"
 
 namespace zeek
@@ -25,7 +24,7 @@ class Analyzer;
  * A plugin can provide a specific protocol analyzer by registering this
  * analyzer component, describing the analyzer.
  */
-class Component : public plugin::Component, public plugin::TaggedComponent
+class Component : public plugin::Component
 	{
 public:
 	using factory_callback = Analyzer* (*)(Connection* conn);
@@ -68,7 +67,7 @@ public:
 	/**
 	 * Destructor.
 	 */
-	~Component() override;
+	~Component() override = default;
 
 	/**
 	 * Initialization function. This function has to be called before any
diff --git a/src/file_analysis/Component.cc b/src/file_analysis/Component.cc
index 82204fe74a..c2a377c656 100644
--- a/src/file_analysis/Component.cc
+++ b/src/file_analysis/Component.cc
@@ -11,9 +11,7 @@ namespace zeek::file_analysis
 
 Component::Component(const std::string& name, factory_function arg_factory, Tag::subtype_t subtype,
                      bool arg_enabled)
-	: plugin::Component(plugin::component::FILE_ANALYZER, name), plugin::TaggedComponent(
-																	 subtype,
-																	 file_mgr->GetTagType())
+	: plugin::Component(plugin::component::FILE_ANALYZER, name, subtype, file_mgr->GetTagType())
 	{
 	factory_func = arg_factory;
 	enabled = arg_enabled;
diff --git a/src/file_analysis/Component.h b/src/file_analysis/Component.h
index c085e10947..5e391e3599 100644
--- a/src/file_analysis/Component.h
+++ b/src/file_analysis/Component.h
@@ -6,7 +6,6 @@
 
 #include "zeek/Tag.h"
 #include "zeek/plugin/Component.h"
-#include "zeek/plugin/TaggedComponent.h"
 
 namespace zeek
 	{
@@ -27,7 +26,7 @@ class Manager;
  * A plugin can provide a specific file analyzer by registering this
  * analyzer component, describing the analyzer.
  */
-class Component : public plugin::Component, public plugin::TaggedComponent
+class Component : public plugin::Component
 	{
 public:
 	using factory_function = Analyzer* (*)(RecordValPtr args, File* file);
diff --git a/src/input/Component.cc b/src/input/Component.cc
index e926f7e91f..9411ee7855 100644
--- a/src/input/Component.cc
+++ b/src/input/Component.cc
@@ -10,8 +10,7 @@ namespace zeek::input
 	{
 
 Component::Component(const std::string& name, factory_callback arg_factory)
-	: plugin::Component(plugin::component::READER, name), plugin::TaggedComponent(
-															  0, input_mgr->GetTagType())
+	: plugin::Component(plugin::component::READER, name, 0, input_mgr->GetTagType())
 	{
 	factory = arg_factory;
 	}
diff --git a/src/input/Component.h b/src/input/Component.h
index fe44b09d47..2c8b184108 100644
--- a/src/input/Component.h
+++ b/src/input/Component.h
@@ -4,7 +4,6 @@
 
 #include "zeek/Tag.h"
 #include "zeek/plugin/Component.h"
-#include "zeek/plugin/TaggedComponent.h"
 
 namespace zeek::input
 	{
@@ -15,7 +14,7 @@ class ReaderBackend;
 /**
  * Component description for plugins providing log readers.
  */
-class Component : public plugin::Component, public plugin::TaggedComponent
+class Component : public plugin::Component
 	{
 public:
 	using factory_callback = ReaderBackend* (*)(ReaderFrontend* frontend);
diff --git a/src/logging/Component.cc b/src/logging/Component.cc
index 04982a8248..7b7188a1f1 100644
--- a/src/logging/Component.cc
+++ b/src/logging/Component.cc
@@ -10,8 +10,7 @@ namespace zeek::logging
 	{
 
 Component::Component(const std::string& name, factory_callback arg_factory)
-	: plugin::Component(plugin::component::WRITER, name), plugin::TaggedComponent(
-															  0, log_mgr->GetTagType())
+	: plugin::Component(plugin::component::WRITER, name, 0, log_mgr->GetTagType())
 	{
 	factory = arg_factory;
 	}
diff --git a/src/logging/Component.h b/src/logging/Component.h
index 10a43021cf..305401c341 100644
--- a/src/logging/Component.h
+++ b/src/logging/Component.h
@@ -4,7 +4,6 @@
 
 #include "zeek/Tag.h"
 #include "zeek/plugin/Component.h"
-#include "zeek/plugin/TaggedComponent.h"
 
 namespace zeek::logging
 	{
@@ -15,7 +14,7 @@ class WriterBackend;
 /**
  * Component description for plugins providing log writers.
  */
-class Component : public plugin::Component, public plugin::TaggedComponent
+class Component : public plugin::Component
 	{
 public:
 	using factory_callback = WriterBackend* (*)(WriterFrontend* frontend);
diff --git a/src/packet_analysis/Component.cc b/src/packet_analysis/Component.cc
index e4651aa700..8ca945238a 100644
--- a/src/packet_analysis/Component.cc
+++ b/src/packet_analysis/Component.cc
@@ -9,9 +9,8 @@ using namespace zeek::packet_analysis;
 
 Component::Component(const std::string& name, factory_callback arg_factory,
                      Tag::subtype_t arg_subtype)
-	: plugin::Component(plugin::component::PACKET_ANALYZER, name), plugin::TaggedComponent(
-																	   arg_subtype,
-																	   packet_mgr->GetTagType())
+	: plugin::Component(plugin::component::PACKET_ANALYZER, name, arg_subtype,
+                        packet_mgr->GetTagType())
 	{
 	factory = arg_factory;
 	}
diff --git a/src/packet_analysis/Component.h b/src/packet_analysis/Component.h
index 69184a8ca5..8bab2cd896 100644
--- a/src/packet_analysis/Component.h
+++ b/src/packet_analysis/Component.h
@@ -8,7 +8,6 @@
 
 #include "zeek/Tag.h"
 #include "zeek/plugin/Component.h"
-#include "zeek/plugin/TaggedComponent.h"
 #include "zeek/util.h"
 
 namespace zeek::packet_analysis
@@ -17,7 +16,7 @@ namespace zeek::packet_analysis
 class Analyzer;
 using AnalyzerPtr = std::shared_ptr<Analyzer>;
 
-class Component : public plugin::Component, public plugin::TaggedComponent
+class Component : public plugin::Component
 	{
 public:
 	using factory_callback = std::function<AnalyzerPtr()>;
diff --git a/src/plugin/Component.cc b/src/plugin/Component.cc
index 1f876d4ed2..9a1d6d2bbd 100644
--- a/src/plugin/Component.cc
+++ b/src/plugin/Component.cc
@@ -8,25 +8,16 @@
 namespace zeek::plugin
 	{
 
-Component::Component(component::Type arg_type, const std::string& arg_name)
+Tag::type_t Component::type_counter(0);
+
+Component::Component(component::Type arg_type, const std::string& arg_name,
+                     Tag::subtype_t tag_subtype, zeek::EnumTypePtr etype)
+	: type(arg_type), name(arg_name), tag(etype, 1, 0), etype(std::move(etype)),
+	  tag_subtype(tag_subtype)
 	{
-	type = arg_type;
-	name = arg_name;
 	canon_name = util::canonify_name(name);
 	}
 
-Component::~Component() { }
-
-const std::string& Component::Name() const
-	{
-	return name;
-	}
-
-component::Type Component::Type() const
-	{
-	return type;
-	}
-
 void Component::Describe(ODesc* d) const
 	{
 	d->Add("    ");
@@ -84,4 +75,20 @@ void Component::Describe(ODesc* d) const
 	d->Add(")");
 	}
 
+void Component::InitializeTag()
+	{
+	assert(tag_initialized == false);
+	tag_initialized = true;
+	tag = zeek::Tag(etype, ++type_counter, tag_subtype);
+	}
+
+/**
+ * @return The component's tag.
+ */
+zeek::Tag Component::Tag() const
+	{
+	assert(tag_initialized);
+	return tag;
+	}
+
 	} // namespace zeek::plugin
diff --git a/src/plugin/Component.h b/src/plugin/Component.h
index bb9b585f5b..ba7b5d3267 100644
--- a/src/plugin/Component.h
+++ b/src/plugin/Component.h
@@ -6,6 +6,9 @@
 
 #include <string>
 
+#include "zeek/Tag.h"
+#include "zeek/Type.h"
+
 namespace zeek
 	{
 
@@ -49,13 +52,27 @@ public:
 	 *
 	 * @param name A descriptive name for the component.  This name must
 	 * be unique across all components of the same type.
+	 *
+	 * @param tag_subtype A subtype associated with this component that
+	 * further distinguishes it. The subtype will be integrated into
+	 * the Tag that the manager associates with this component,
+	 * and component instances can accordingly access it via Tag().
+	 * If not used, leave at zero.
+	 *
+	 * @param etype An enum type that describes the type for the tag in
+	 * script-land.
 	 */
-	Component(component::Type type, const std::string& name);
+	Component(component::Type type, const std::string& name, Tag::subtype_t tag_subtype = 0,
+	          zeek::EnumTypePtr etype = nullptr);
 
 	/**
 	 * Destructor.
 	 */
-	virtual ~Component();
+	virtual ~Component() = default;
+
+	// Disable.
+	Component(const Component& other) = delete;
+	Component operator=(const Component& other) = delete;
 
 	/**
 	 * Initialization function. This function has to be called before any
@@ -67,12 +84,12 @@ public:
 	/**
 	 * Returns the compoment's type.
 	 */
-	component::Type Type() const;
+	component::Type Type() const { return type; }
 
 	/**
 	 * Returns the compoment's name.
 	 */
-	const std::string& Name() const;
+	const std::string& Name() const { return name; }
 
 	/**
 	 * Returns a canonocalized version of the components's name.  The
@@ -93,6 +110,17 @@ public:
 	 */
 	void Describe(ODesc* d) const;
 
+	/**
+	 * Initializes tag by creating the unique tag value for this component.
+	 * Has to be called exactly once.
+	 */
+	void InitializeTag();
+
+	/**
+	 * @return The component's tag.
+	 */
+	zeek::Tag Tag() const;
+
 protected:
 	/**
 	 * Adds type specific information to the output of Describe().
@@ -104,13 +132,18 @@ protected:
 	virtual void DoDescribe(ODesc* d) const { }
 
 private:
-	// Disable.
-	Component(const Component& other);
-	Component operator=(const Component& other);
-
 	component::Type type;
 	std::string name;
 	std::string canon_name;
+
+	/** The automatically assigned component tag */
+	zeek::Tag tag;
+	EnumTypePtr etype;
+	Tag::subtype_t tag_subtype;
+	bool tag_initialized = false;
+
+	/** Used to generate globally unique tags */
+	static Tag::type_t type_counter;
 	};
 
 	} // namespace plugin
diff --git a/src/plugin/ComponentManager.h b/src/plugin/ComponentManager.h
index 48c5763ebf..c8a5b6e492 100644
--- a/src/plugin/ComponentManager.h
+++ b/src/plugin/ComponentManager.h
@@ -21,7 +21,7 @@ namespace zeek::plugin
  * installs identifiers in the script-layer to identify them by a unique tag,
  * (a script-layer enum value).
  *
- * @tparam C A plugin::TaggedComponent type derivative.
+ * @tparam C A plugin::Component type derivative.
  */
 template <class C> class ComponentManager
 	{
diff --git a/src/plugin/TaggedComponent.cc b/src/plugin/TaggedComponent.cc
deleted file mode 100644
index da285d1499..0000000000
--- a/src/plugin/TaggedComponent.cc
+++ /dev/null
@@ -1,36 +0,0 @@
-#include "zeek/plugin/TaggedComponent.h"
-
-#include "zeek/IntrusivePtr.h"
-#include "zeek/Type.h"
-
-namespace zeek::plugin
-	{
-
-Tag::type_t TaggedComponent::type_counter(0);
-
-TaggedComponent::TaggedComponent(Tag::subtype_t subtype, EnumTypePtr etype)
-	: tag(etype, 1, 0), subtype(subtype), initialized(false), etype(std::move(etype))
-	{
-	}
-
-/**
- * Initializes tag by creating the unique tag value for thos componend.
- * Has to be called exactly once.
- */
-void TaggedComponent::InitializeTag()
-	{
-	assert(initialized == false);
-	initialized = true;
-	tag = zeek::Tag(etype, ++type_counter, subtype);
-	}
-
-/**
- * @return The component's tag.
- */
-zeek::Tag TaggedComponent::Tag() const
-	{
-	assert(initialized);
-	return tag;
-	}
-
-	} // namespace zeek::plugin
diff --git a/src/plugin/TaggedComponent.h b/src/plugin/TaggedComponent.h
deleted file mode 100644
index 4e0c853ab8..0000000000
--- a/src/plugin/TaggedComponent.h
+++ /dev/null
@@ -1,50 +0,0 @@
-#pragma once
-
-#include <cassert>
-
-#include "zeek/Tag.h"
-#include "zeek/Type.h"
-
-namespace zeek::plugin
-	{
-
-/**
- * A class which has a tag of a given type associated with it.
- */
-class TaggedComponent
-	{
-public:
-	/**
-	 * Constructor for TaggedComponend. Note that a unique value
-	 * for this component is only created when InitializeTag is
-	 * called.
-	 *
-	 * @param subtype A subtype associated with this component that
-	 * further distinguishes it. The subtype will be integrated into
-	 * the Tag that the manager associates with this component,
-	 * and component instances can accordingly access it via Tag().
-	 * If not used, leave at zero.
-	 */
-	explicit TaggedComponent(Tag::subtype_t subtype = 0, zeek::EnumTypePtr etype = nullptr);
-
-	/**
-	 * Initializes tag by creating the unique tag value for thos componend.
-	 * Has to be called exactly once.
-	 */
-	void InitializeTag();
-
-	/**
-	 * @return The component's tag.
-	 */
-	zeek::Tag Tag() const;
-
-private:
-	zeek::Tag tag; /**< The automatically assigned analyzer tag. */
-	Tag::subtype_t subtype;
-	bool initialized;
-	EnumTypePtr etype;
-	static Tag::type_t type_counter; /**< Used to generate globally
-	                                             unique tags. */
-	};
-
-	} // namespace zeek::plugin

From a7d3cb48efdb517a3227e7398ced7da31ef56e81 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Fri, 1 Oct 2021 12:54:27 -0700
Subject: [PATCH 088/210] Add concept of "parent" tag namespaces

This allows us to create an EnumType that groups all of the analyzer
tag values into a single type, while still having the existing types
that split them up. We can then use this for certain events that benefit
from taking all of the tag types at once.
---
 scripts/base/frameworks/analyzer/main.zeek    | 11 +++-
 src/analyzer/Manager.cc                       |  5 +-
 src/analyzer/analyzer.bif                     | 27 ++++++++--
 src/file_analysis/Manager.cc                  |  4 +-
 src/packet_analysis/Manager.cc                |  3 +-
 src/plugin/Component.cc                       |  2 +-
 src/plugin/Component.h                        |  2 +-
 src/plugin/ComponentManager.h                 | 52 ++++++++++++++++---
 src/util.cc                                   | 16 ++++++
 src/util.h                                    |  3 ++
 .../output                                    |  7 +++
 .../base/frameworks/analyzer/tags.zeek        | 36 +++++++++++++
 12 files changed, 147 insertions(+), 21 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.frameworks.analyzer.tags/output
 create mode 100644 testing/btest/scripts/base/frameworks/analyzer/tags.zeek

diff --git a/scripts/base/frameworks/analyzer/main.zeek b/scripts/base/frameworks/analyzer/main.zeek
index 54ba82178d..e4d740979a 100644
--- a/scripts/base/frameworks/analyzer/main.zeek
+++ b/scripts/base/frameworks/analyzer/main.zeek
@@ -9,6 +9,13 @@
 ##! These tags are defined internally by
 ##! the analyzers themselves, and documented in their analyzer-specific
 ##! description along with the events that they generate.
+##!
+##! Analyzer tags are also inserted into a global :zeek:type:`AllAnalyzers` enum
+##! type. This type contains duplicates of all of the :zeek:type:`Analyzer::Tag`,
+##! :zeek:type:`PacketAnalyzer::Tag` and :zeek:type:`Files::Tag` enum values
+##! and can be used for arguments to function/hook/event definitions where they
+##! need to handle any analyzer type. See :zeek:id:`Analyzer::register_for_ports`
+##! for an example.
 
 @load base/frameworks/packet-filter/utils
 
@@ -186,12 +193,12 @@ function all_registered_ports(): table[Analyzer::Tag] of set[port]
 	return ports;
 	}
 
-function name(atype: Analyzer::Tag) : string
+function name(atype: AllAnalyzers::Tag) : string
 	{
 	return __name(atype);
 	}
 
-function get_tag(name: string): Analyzer::Tag
+function get_tag(name: string): AllAnalyzers::Tag
 	{
 	return __tag(name);
 	}
diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc
index 70d4847931..ba21821a84 100644
--- a/src/analyzer/Manager.cc
+++ b/src/analyzer/Manager.cc
@@ -56,7 +56,10 @@ bool Manager::ConnIndex::operator<(const ConnIndex& other) const
 	return false;
 	}
 
-Manager::Manager() : plugin::ComponentManager<analyzer::Component>("Analyzer", "Tag") { }
+Manager::Manager()
+	: plugin::ComponentManager<analyzer::Component>("Analyzer", "Tag", "AllAnalyzers")
+	{
+	}
 
 Manager::~Manager()
 	{
diff --git a/src/analyzer/analyzer.bif b/src/analyzer/analyzer.bif
index 9e8018342f..0bd666fac6 100644
--- a/src/analyzer/analyzer.bif
+++ b/src/analyzer/analyzer.bif
@@ -38,14 +38,31 @@ function Analyzer::__schedule_analyzer%(orig: addr, resp: addr, resp_p: port,
 	return zeek::val_mgr->True();
 	%}
 
-function __name%(atype: Analyzer::Tag%) : string
+function __name%(atype: AllAnalyzers::Tag%) : string
 	%{
-	const auto& n = zeek::analyzer_mgr->GetComponentName(zeek::IntrusivePtr{zeek::NewRef{}, atype->AsEnumVal()});
-	return zeek::make_intrusive<zeek::StringVal>(n);
+	auto val = atype->AsEnumVal();
+
+	plugin::Component* component = zeek::analyzer_mgr->Lookup(val);
+	if ( ! component )
+		component = zeek::packet_mgr->Lookup(val);
+	if ( ! component )
+		component = zeek::file_mgr->Lookup(val);
+	if ( ! component )
+		return zeek::make_intrusive<zeek::StringVal>("<error>");
+
+	return zeek::make_intrusive<zeek::StringVal>(component->CanonicalName());
 	%}
 
-function __tag%(name: string%) : Analyzer::Tag
+function __tag%(name: string%) : AllAnalyzers::Tag
 	%{
-	zeek::Tag t = zeek::analyzer_mgr->GetComponentTag(name->CheckString());
+	auto val = name->CheckString();
+
+	plugin::Component* component = zeek::analyzer_mgr->Lookup(val);
+	if ( ! component )
+		component = zeek::packet_mgr->Lookup(val);
+	if ( ! component )
+		component = zeek::file_mgr->Lookup(val);
+
+	zeek::Tag t = component ? component->Tag() : zeek::Tag();
 	return t.AsVal();
 	%}
diff --git a/src/file_analysis/Manager.cc b/src/file_analysis/Manager.cc
index c8a48c5802..b05545dd23 100644
--- a/src/file_analysis/Manager.cc
+++ b/src/file_analysis/Manager.cc
@@ -19,8 +19,8 @@ namespace zeek::file_analysis
 	{
 
 Manager::Manager()
-	: plugin::ComponentManager<file_analysis::Component>("Files", "Tag"), current_file_id(),
-	  magic_state(), cumulative_files(0), max_files(0)
+	: plugin::ComponentManager<file_analysis::Component>("Files", "Tag", "AllAnalyzers"),
+	  current_file_id(), magic_state(), cumulative_files(0), max_files(0)
 	{
 	}
 
diff --git a/src/packet_analysis/Manager.cc b/src/packet_analysis/Manager.cc
index dfc2ac8dd9..74cb92010a 100644
--- a/src/packet_analysis/Manager.cc
+++ b/src/packet_analysis/Manager.cc
@@ -13,7 +13,8 @@
 
 using namespace zeek::packet_analysis;
 
-Manager::Manager() : plugin::ComponentManager<packet_analysis::Component>("PacketAnalyzer", "Tag")
+Manager::Manager()
+	: plugin::ComponentManager<packet_analysis::Component>("PacketAnalyzer", "Tag", "AllAnalyzers")
 	{
 	}
 
diff --git a/src/plugin/Component.cc b/src/plugin/Component.cc
index 9a1d6d2bbd..b2fafbad0c 100644
--- a/src/plugin/Component.cc
+++ b/src/plugin/Component.cc
@@ -11,7 +11,7 @@ namespace zeek::plugin
 Tag::type_t Component::type_counter(0);
 
 Component::Component(component::Type arg_type, const std::string& arg_name,
-                     Tag::subtype_t tag_subtype, zeek::EnumTypePtr etype)
+                     Tag::subtype_t tag_subtype, EnumTypePtr etype)
 	: type(arg_type), name(arg_name), tag(etype, 1, 0), etype(std::move(etype)),
 	  tag_subtype(tag_subtype)
 	{
diff --git a/src/plugin/Component.h b/src/plugin/Component.h
index ba7b5d3267..c62ad88cb5 100644
--- a/src/plugin/Component.h
+++ b/src/plugin/Component.h
@@ -63,7 +63,7 @@ public:
 	 * script-land.
 	 */
 	Component(component::Type type, const std::string& name, Tag::subtype_t tag_subtype = 0,
-	          zeek::EnumTypePtr etype = nullptr);
+	          EnumTypePtr etype = nullptr);
 
 	/**
 	 * Destructor.
diff --git a/src/plugin/ComponentManager.h b/src/plugin/ComponentManager.h
index c8a5b6e492..f2485ecad8 100644
--- a/src/plugin/ComponentManager.h
+++ b/src/plugin/ComponentManager.h
@@ -4,13 +4,16 @@
 #include <map>
 #include <string>
 
+#include "zeek/Attr.h"
 #include "zeek/DebugLogger.h"
+#include "zeek/Expr.h"
 #include "zeek/Reporter.h"
 #include "zeek/Scope.h"
 #include "zeek/Tag.h"
 #include "zeek/Type.h"
 #include "zeek/Val.h"
 #include "zeek/Var.h" // for add_type()
+#include "zeek/module_util.h"
 #include "zeek/zeekygen/Manager.h"
 
 namespace zeek::plugin
@@ -36,7 +39,8 @@ public:
 	 * @param local_id The local part of the ID of the new enum type
 	 * (e.g., "Tag").
 	 */
-	ComponentManager(const std::string& module, const std::string& local_id);
+	ComponentManager(const std::string& module, const std::string& local_id,
+	                 const std::string& parent_module = "");
 
 	/**
 	 * @return The script-layer module in which the component's "Tag" ID lives.
@@ -120,20 +124,45 @@ public:
 	C* Lookup(EnumVal* val) const;
 
 private:
-	std::string module; /**< Script layer module in which component tags live. */
-	EnumTypePtr tag_enum_type; /**< Enum type of component tags. */
+	/** Script layer module in which component tags live. */
+	std::string module;
+	std::string parent_module;
+
+	/** Module-local type of component tags. */
+	EnumTypePtr tag_enum_type;
+	EnumTypePtr parent_tag_enum_type;
+
 	std::map<std::string, C*> components_by_name;
 	std::map<zeek::Tag, C*> components_by_tag;
 	std::map<int, C*> components_by_val;
 	};
 
 template <class C>
-ComponentManager<C>::ComponentManager(const std::string& arg_module, const std::string& local_id)
-	: module(arg_module), tag_enum_type(make_intrusive<EnumType>(module + "::" + local_id))
+ComponentManager<C>::ComponentManager(const std::string& module, const std::string& local_id,
+                                      const std::string& parent_module)
+	: module(module), parent_module(parent_module)
 	{
+	tag_enum_type = make_intrusive<EnumType>(module + "::" + local_id);
 	auto id = zeek::detail::install_ID(local_id.c_str(), module.c_str(), true, true);
 	zeek::detail::add_type(id.get(), tag_enum_type, nullptr);
 	zeek::detail::zeekygen_mgr->Identifier(std::move(id));
+
+	if ( ! parent_module.empty() )
+		{
+		// check to see if the parent module's type has been created already
+		id = zeek::detail::lookup_ID(local_id.c_str(), parent_module.c_str(), false, true, false);
+		if ( id != zeek::detail::ID::nil )
+			{
+			parent_tag_enum_type = id->GetType<EnumType>();
+			}
+		else
+			{
+			parent_tag_enum_type = make_intrusive<EnumType>(parent_module + "::" + local_id);
+			id = zeek::detail::install_ID(local_id.c_str(), parent_module.c_str(), true, true);
+			zeek::detail::add_type(id.get(), parent_tag_enum_type, nullptr);
+			zeek::detail::zeekygen_mgr->Identifier(std::move(id));
+			}
+		}
 	}
 
 template <class C> const std::string& ComponentManager<C>::GetModule() const
@@ -194,19 +223,19 @@ template <class C> C* ComponentManager<C>::Lookup(const std::string& name) const
 	{
 	typename std::map<std::string, C*>::const_iterator i = components_by_name.find(
 		util::to_upper(name));
-	return i != components_by_name.end() ? i->second : 0;
+	return i != components_by_name.end() ? i->second : nullptr;
 	}
 
 template <class C> C* ComponentManager<C>::Lookup(const zeek::Tag& tag) const
 	{
 	typename std::map<zeek::Tag, C*>::const_iterator i = components_by_tag.find(tag);
-	return i != components_by_tag.end() ? i->second : 0;
+	return i != components_by_tag.end() ? i->second : nullptr;
 	}
 
 template <class C> C* ComponentManager<C>::Lookup(EnumVal* val) const
 	{
 	typename std::map<int, C*>::const_iterator i = components_by_val.find(val->InternalInt());
-	return i != components_by_val.end() ? i->second : 0;
+	return i != components_by_val.end() ? i->second : nullptr;
 	}
 
 template <class C>
@@ -229,6 +258,13 @@ void ComponentManager<C>::RegisterComponent(C* component, const std::string& pre
 	std::string id = util::fmt("%s%s", prefix.c_str(), cname.c_str());
 	tag_enum_type->AddName(module, id.c_str(), component->Tag().AsVal()->InternalInt(), true,
 	                       nullptr);
+
+	if ( parent_tag_enum_type )
+		{
+		std::string parent_id = util::fmt("%s_%s", util::strtoupper(module).c_str(), id.c_str());
+		parent_tag_enum_type->AddName(parent_module, parent_id.c_str(),
+		                              component->Tag().AsVal()->InternalInt(), true, nullptr);
+		}
 	}
 
 	} // namespace zeek::plugin
diff --git a/src/util.cc b/src/util.cc
index f63dfdbc83..ce8026ca2e 100644
--- a/src/util.cc
+++ b/src/util.cc
@@ -1537,6 +1537,22 @@ std::string strtolower(const std::string& s)
 	return t;
 	}
 
+TEST_CASE("util strtoupper")
+	{
+	const char* a = "aBcD";
+	CHECK(strtoupper(a) == "ABCD");
+
+	std::string b = "aBcD";
+	CHECK(strtoupper(b) == "ABCD");
+	}
+
+std::string strtoupper(const std::string& s)
+	{
+	std::string t = s;
+	std::transform(t.begin(), t.end(), t.begin(), ::toupper);
+	return t;
+	}
+
 TEST_CASE("util fmt_bytes")
 	{
 	const char* a = "abcd";
diff --git a/src/util.h b/src/util.h
index c35da260eb..019162a7bb 100644
--- a/src/util.h
+++ b/src/util.h
@@ -342,6 +342,9 @@ extern std::string strstrip(std::string s);
 // Return a lower-cased version of the string.
 extern std::string strtolower(const std::string& s);
 
+// Return a upper-cased version of the string.
+extern std::string strtoupper(const std::string& s);
+
 extern int fputs(int len, const char* s, FILE* fp);
 extern bool is_printable(const char* s, int len);
 
diff --git a/testing/btest/Baseline/scripts.base.frameworks.analyzer.tags/output b/testing/btest/Baseline/scripts.base.frameworks.analyzer.tags/output
new file mode 100644
index 0000000000..184cf06fa8
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.analyzer.tags/output
@@ -0,0 +1,7 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+all, Analyzer::ANALYZER_DNS
+analyzer, Analyzer::ANALYZER_DNS
+all, PacketAnalyzer::ANALYZER_UDP
+packet analyzer, PacketAnalyzer::ANALYZER_UDP
+all, Files::ANALYZER_X509
+file analyzer, Files::ANALYZER_X509
diff --git a/testing/btest/scripts/base/frameworks/analyzer/tags.zeek b/testing/btest/scripts/base/frameworks/analyzer/tags.zeek
new file mode 100644
index 0000000000..66a6acfc48
--- /dev/null
+++ b/testing/btest/scripts/base/frameworks/analyzer/tags.zeek
@@ -0,0 +1,36 @@
+# @TEST-EXEC: zeek %INPUT > output
+# @TEST-EXEC: btest-diff output
+
+# Validate that we can pass the individual Tag types into functions that
+# take both their own Tag type as well the AllAnalyzers type.
+
+global test2: function(a: Analyzer::Tag);
+global test3: function(a: PacketAnalyzer::Tag);
+global test4: function(a: Files::Tag);
+
+function test1(a: AllAnalyzers::Tag) {
+    print "all", a;
+}
+
+function test2(a: Analyzer::Tag) {
+    print "analyzer", a;
+}
+
+function test3(a: PacketAnalyzer::Tag) {
+    print "packet analyzer", a;
+}
+
+function test4(a: Files::Tag) {
+    print "file analyzer", a;
+}
+
+event zeek_init() {
+    test1(Analyzer::ANALYZER_DNS);
+    test2(Analyzer::ANALYZER_DNS);
+
+    test1(PacketAnalyzer::ANALYZER_UDP);
+    test3(PacketAnalyzer::ANALYZER_UDP);
+
+    test1(Files::ANALYZER_X509);
+    test4(Files::ANALYZER_X509);
+}
\ No newline at end of file

From d4f57a61006e8e88a52aa8f620a971d0e853f263 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Thu, 10 Jun 2021 16:31:29 -0700
Subject: [PATCH 089/210] Add method for packet analyzers to register for
 protocol detection

---
 src/packet_analysis/Analyzer.cc         | 64 ++++++++++++++++++-------
 src/packet_analysis/Analyzer.h          | 30 ++++++++++++
 src/packet_analysis/packet_analysis.bif | 23 ++++++++-
 3 files changed, 99 insertions(+), 18 deletions(-)

diff --git a/src/packet_analysis/Analyzer.cc b/src/packet_analysis/Analyzer.cc
index 497510786f..3e756d5da7 100644
--- a/src/packet_analysis/Analyzer.cc
+++ b/src/packet_analysis/Analyzer.cc
@@ -77,21 +77,34 @@ bool Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet* packet,
                              uint32_t identifier) const
 	{
 	auto inner_analyzer = Lookup(identifier);
+	if ( ! inner_analyzer )
+		{
+		for ( const auto& child : analyzers_to_detect )
+			{
+			if ( child->DetectProtocol(len, data, packet) )
+				{
+				DBG_LOG(DBG_PACKET_ANALYSIS,
+				        "Protocol detection in %s succeeded, next layer analyzer is %s",
+				        GetAnalyzerName(), child->GetAnalyzerName());
+				inner_analyzer = child;
+				break;
+				}
+			}
+		}
+
 	if ( ! inner_analyzer )
 		inner_analyzer = default_analyzer;
 
-	if ( inner_analyzer == nullptr )
+	if ( ! inner_analyzer )
 		{
+		DBG_LOG(DBG_PACKET_ANALYSIS,
+		        "Analysis in %s failed, could not find analyzer for identifier %#x.",
+		        GetAnalyzerName(), identifier);
+
 		if ( report_unknown_protocols )
-			{
-			DBG_LOG(DBG_PACKET_ANALYSIS,
-			        "Analysis in %s failed, could not find analyzer for identifier %#x.",
-			        GetAnalyzerName(), identifier);
 			packet_mgr->ReportUnknownProtocol(GetAnalyzerName(), identifier, data, len);
-			return false;
-			}
-		else
-			return true;
+
+		return false;
 		}
 
 	DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s succeeded, next layer identifier is %#x.",
@@ -101,16 +114,35 @@ bool Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet* packet,
 
 bool Analyzer::ForwardPacket(size_t len, const uint8_t* data, Packet* packet) const
 	{
-	if ( default_analyzer )
-		return default_analyzer->AnalyzePacket(len, data, packet);
+	AnalyzerPtr inner_analyzer = nullptr;
 
-	DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s stopped, no default analyzer available.",
-	        GetAnalyzerName());
+	for ( const auto& child : analyzers_to_detect )
+		{
+		if ( child->DetectProtocol(len, data, packet) )
+			{
+			DBG_LOG(DBG_PACKET_ANALYSIS,
+			        "Protocol detection in %s succeeded, next layer analyzer is %s",
+			        GetAnalyzerName(), child->GetAnalyzerName());
+			inner_analyzer = child;
+			break;
+			}
+		}
 
-	if ( report_unknown_protocols )
-		Weird("no_suitable_analyzer_found", packet);
+	if ( ! inner_analyzer )
+		inner_analyzer = default_analyzer;
 
-	return true;
+	if ( ! inner_analyzer )
+		{
+		DBG_LOG(DBG_PACKET_ANALYSIS, "Analysis in %s stopped, no default analyzer available.",
+		        GetAnalyzerName());
+
+		if ( report_unknown_protocols )
+			Weird("no_suitable_analyzer_found", packet);
+
+		return false;
+		}
+
+	return inner_analyzer->AnalyzePacket(len, data, packet);
 	}
 
 void Analyzer::DumpDebug() const
diff --git a/src/packet_analysis/Analyzer.h b/src/packet_analysis/Analyzer.h
index 59f37dc291..3e61bd4428 100644
--- a/src/packet_analysis/Analyzer.h
+++ b/src/packet_analysis/Analyzer.h
@@ -1,6 +1,8 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 #pragma once
 
+#include <set>
+
 #include "zeek/Tag.h"
 #include "zeek/iosource/Packet.h"
 #include "zeek/packet_analysis/Manager.h"
@@ -98,6 +100,32 @@ public:
 	 */
 	void RegisterProtocol(uint32_t identifier, AnalyzerPtr child);
 
+	/**
+	 * Registers an analyzer to use for protocol detection if identifier
+	 * matching fails. This will also be preferred over the default analyzer
+	 * if one exists.
+	 *
+	 * @param child The analyzer that will be called for protocol detection.
+	 */
+	void RegisterProtocolDetection(AnalyzerPtr child) { analyzers_to_detect.insert(child); }
+
+	/**
+	 * Detects whether the protocol for an analyzer can be found in the packet
+	 * data. Packet analyzers can overload this method to provide any sort of
+	 * pattern-matching or byte-value detection against the packet data to
+	 * determine whether the packet contains the analyzer's protocol. The
+	 * analyzer must also register for the detection in script-land using the
+	 * PacketAnalyzer::register_protocol_detection bif method.
+	 *
+	 * @param len The number of bytes passed in. As we move along the chain of
+	 * analyzers, this is the number of bytes we have left of the packet to
+	 * process.
+	 * @param data Pointer to the input to process.
+	 * @param packet Object that maintains the packet's meta data.
+	 * @return true if the protocol is detected in the packet data.
+	 */
+	virtual bool DetectProtocol(size_t len, const uint8_t* data, Packet* packet) { return false; }
+
 protected:
 	friend class Manager;
 
@@ -174,6 +202,8 @@ private:
 	 */
 	bool report_unknown_protocols = true;
 
+	std::set<AnalyzerPtr> analyzers_to_detect;
+
 	void Init(const zeek::Tag& tag);
 	};
 
diff --git a/src/packet_analysis/packet_analysis.bif b/src/packet_analysis/packet_analysis.bif
index 8298b3946f..c3f6e18194 100644
--- a/src/packet_analysis/packet_analysis.bif
+++ b/src/packet_analysis/packet_analysis.bif
@@ -28,8 +28,8 @@ function register_packet_analyzer%(parent: PacketAnalyzer::Tag, identifier: coun
 	return zeek::val_mgr->True();
 	%}
 
-## Attempts to add an entry to `parent`'s dispatcher that maps a protocol/index to a next-stage `child` analyzer.
-## This may fail if either of the two names does not respond to a known analyzer.
+## Attempts to add an entry to `parent`'s dispatcher that maps a protocol/index to a next-stage `child`
+## analyzer. This may fail if either of the two names does not respond to a known analyzer.
 ##
 ## parent: The parent analyzer being modified
 ## identifier: The identifier for the protocol being registered
@@ -58,3 +58,22 @@ function PacketAnalyzer::__set_ignore_checksums_nets%(v: subnet_set%) : bool
 	zeek::packet_analysis::IP::IPBasedAnalyzer::SetIgnoreChecksumsNets(zeek::IntrusivePtr{zeek::NewRef{}, v->AsTableVal()});
 	return zeek::val_mgr->True();
 	%}
+
+## Registers a child analyzer with a parent analyzer to perform packet detection when determining whether
+## to forward from parent to child.
+##
+## parent: The parent analyzer being modified
+## child: The analyzer that will use protocol detection
+function register_protocol_detection%(parent: PacketAnalyzer::Tag, child: PacketAnalyzer::Tag%): bool
+	%{
+	packet_analysis::AnalyzerPtr parent_analyzer = packet_mgr->GetAnalyzer(parent->AsEnumVal());
+	if ( ! parent_analyzer )
+		return zeek::val_mgr->False();
+
+	packet_analysis::AnalyzerPtr child_analyzer = packet_mgr->GetAnalyzer(child->AsEnumVal());
+	if ( ! child_analyzer )
+		return zeek::val_mgr->False();
+
+	parent_analyzer->RegisterProtocolDetection(child_analyzer);
+	return zeek::val_mgr->True();
+	%}

From ed798c6aba12941981766b78aa36ef66b04e9e0f Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Thu, 19 Aug 2021 14:05:38 -0700
Subject: [PATCH 090/210] Change Packet::ip_hdr to be a shared_ptr so it can be
 copied into EncapsulatingConn

---
 src/Discard.cc                                |  2 +-
 src/Discard.h                                 |  2 +-
 src/Frag.cc                                   | 10 +++---
 src/Frag.h                                    | 10 +++---
 src/PacketFilter.cc                           |  2 +-
 src/PacketFilter.h                            |  2 +-
 src/TunnelEncapsulation.h                     | 32 +++++++++++++++++--
 src/analyzer/protocol/ayiya/AYIYA.cc          |  2 +-
 src/analyzer/protocol/geneve/Geneve.cc        |  9 ++++--
 src/analyzer/protocol/gtpv1/GTPv1.cc          |  2 +-
 src/analyzer/protocol/teredo/Teredo.cc        |  4 +--
 src/analyzer/protocol/teredo/Teredo.h         |  2 +-
 src/analyzer/protocol/vxlan/VXLAN.cc          | 11 +++++--
 src/iosource/Packet.h                         |  2 +-
 src/packet_analysis/protocol/icmp/ICMP.cc     |  2 +-
 src/packet_analysis/protocol/ip/IP.cc         | 21 ++++++++----
 src/packet_analysis/protocol/ip/IP.h          |  2 +-
 .../protocol/ip/IPBasedAnalyzer.cc            |  2 +-
 .../protocol/iptunnel/IPTunnel.cc             |  4 +--
 .../protocol/iptunnel/IPTunnel.h              |  2 +-
 src/packet_analysis/protocol/tcp/TCP.cc       |  2 +-
 .../protocol/tcp/TCPSessionAdapter.cc         |  2 +-
 .../protocol/tcp/TCPSessionAdapter.h          |  2 +-
 src/packet_analysis/protocol/udp/UDP.cc       |  2 +-
 24 files changed, 91 insertions(+), 42 deletions(-)

diff --git a/src/Discard.cc b/src/Discard.cc
index 6f3d8b94ca..4ccf71f1df 100644
--- a/src/Discard.cc
+++ b/src/Discard.cc
@@ -34,7 +34,7 @@ bool Discarder::IsActive()
 	return check_ip || check_tcp || check_udp || check_icmp;
 	}
 
-bool Discarder::NextPacket(const std::unique_ptr<IP_Hdr>& ip, int len, int caplen)
+bool Discarder::NextPacket(const std::shared_ptr<IP_Hdr>& ip, int len, int caplen)
 	{
 	bool discard_packet = false;
 
diff --git a/src/Discard.h b/src/Discard.h
index 79222bd6f8..9f082bdccc 100644
--- a/src/Discard.h
+++ b/src/Discard.h
@@ -26,7 +26,7 @@ public:
 
 	bool IsActive();
 
-	bool NextPacket(const std::unique_ptr<IP_Hdr>& ip, int len, int caplen);
+	bool NextPacket(const std::shared_ptr<IP_Hdr>& ip, int len, int caplen);
 
 protected:
 	Val* BuildData(const u_char* data, int hdrlen, int len, int caplen);
diff --git a/src/Frag.cc b/src/Frag.cc
index 06a940008e..17159fee25 100644
--- a/src/Frag.cc
+++ b/src/Frag.cc
@@ -31,7 +31,7 @@ void FragTimer::Dispatch(double t, bool /* is_expire */)
 		reporter->InternalWarning("fragment timer dispatched w/o reassembler");
 	}
 
-FragReassembler::FragReassembler(session::Manager* arg_s, const std::unique_ptr<IP_Hdr>& ip,
+FragReassembler::FragReassembler(session::Manager* arg_s, const std::shared_ptr<IP_Hdr>& ip,
                                  const u_char* pkt, const FragReassemblerKey& k, double t)
 	: Reassembler(0, REASSEM_FRAG)
 	{
@@ -74,7 +74,7 @@ FragReassembler::~FragReassembler()
 	delete[] proto_hdr;
 	}
 
-void FragReassembler::AddFragment(double t, const std::unique_ptr<IP_Hdr>& ip, const u_char* pkt)
+void FragReassembler::AddFragment(double t, const std::shared_ptr<IP_Hdr>& ip, const u_char* pkt)
 	{
 	const struct ip* ip4 = ip->IP4_Hdr();
 
@@ -294,7 +294,7 @@ void FragReassembler::BlockInserted(DataBlockMap::const_iterator /* it */)
 		{
 		struct ip* reassem4 = (struct ip*)pkt_start;
 		reassem4->ip_len = htons(frag_size + proto_hdr_len);
-		reassembled_pkt = std::make_unique<IP_Hdr>(reassem4, true, true);
+		reassembled_pkt = std::make_shared<IP_Hdr>(reassem4, true, true);
 		DeleteTimer();
 		}
 
@@ -303,7 +303,7 @@ void FragReassembler::BlockInserted(DataBlockMap::const_iterator /* it */)
 		struct ip6_hdr* reassem6 = (struct ip6_hdr*)pkt_start;
 		reassem6->ip6_plen = htons(frag_size + proto_hdr_len - 40);
 		const IPv6_Hdr_Chain* chain = new IPv6_Hdr_Chain(reassem6, next_proto, n);
-		reassembled_pkt = std::make_unique<IP_Hdr>(reassem6, true, n, chain, true);
+		reassembled_pkt = std::make_shared<IP_Hdr>(reassem6, true, n, chain, true);
 		DeleteTimer();
 		}
 
@@ -338,7 +338,7 @@ FragmentManager::~FragmentManager()
 	Clear();
 	}
 
-FragReassembler* FragmentManager::NextFragment(double t, const std::unique_ptr<IP_Hdr>& ip,
+FragReassembler* FragmentManager::NextFragment(double t, const std::shared_ptr<IP_Hdr>& ip,
                                                const u_char* pkt)
 	{
 	uint32_t frag_id = ip->ID();
diff --git a/src/Frag.h b/src/Frag.h
index c76989d418..eff680011c 100644
--- a/src/Frag.h
+++ b/src/Frag.h
@@ -31,17 +31,17 @@ using FragReassemblerKey = std::tuple<IPAddr, IPAddr, bro_uint_t>;
 class FragReassembler : public Reassembler
 	{
 public:
-	FragReassembler(session::Manager* s, const std::unique_ptr<IP_Hdr>& ip, const u_char* pkt,
+	FragReassembler(session::Manager* s, const std::shared_ptr<IP_Hdr>& ip, const u_char* pkt,
 	                const FragReassemblerKey& k, double t);
 	~FragReassembler() override;
 
-	void AddFragment(double t, const std::unique_ptr<IP_Hdr>& ip, const u_char* pkt);
+	void AddFragment(double t, const std::shared_ptr<IP_Hdr>& ip, const u_char* pkt);
 
 	void Expire(double t);
 	void DeleteTimer();
 	void ClearTimer() { expire_timer = nullptr; }
 
-	std::unique_ptr<IP_Hdr> ReassembledPkt() { return std::move(reassembled_pkt); }
+	std::shared_ptr<IP_Hdr> ReassembledPkt() { return std::move(reassembled_pkt); }
 	const FragReassemblerKey& Key() const { return key; }
 
 protected:
@@ -50,7 +50,7 @@ protected:
 	void Weird(const char* name) const;
 
 	u_char* proto_hdr;
-	std::unique_ptr<IP_Hdr> reassembled_pkt;
+	std::shared_ptr<IP_Hdr> reassembled_pkt;
 	session::Manager* s;
 	uint64_t frag_size; // size of fully reassembled fragment
 	FragReassemblerKey key;
@@ -81,7 +81,7 @@ public:
 	FragmentManager() = default;
 	~FragmentManager();
 
-	FragReassembler* NextFragment(double t, const std::unique_ptr<IP_Hdr>& ip, const u_char* pkt);
+	FragReassembler* NextFragment(double t, const std::shared_ptr<IP_Hdr>& ip, const u_char* pkt);
 	void Clear();
 	void Remove(detail::FragReassembler* f);
 
diff --git a/src/PacketFilter.cc b/src/PacketFilter.cc
index b9b156343e..91241eb57f 100644
--- a/src/PacketFilter.cc
+++ b/src/PacketFilter.cc
@@ -82,7 +82,7 @@ bool PacketFilter::RemoveDst(Val* dst)
 	return f != nullptr;
 	}
 
-bool PacketFilter::Match(const std::unique_ptr<IP_Hdr>& ip, int len, int caplen)
+bool PacketFilter::Match(const std::shared_ptr<IP_Hdr>& ip, int len, int caplen)
 	{
 	Filter* f = (Filter*)src_filter.Lookup(ip->SrcAddr(), 128);
 	if ( f )
diff --git a/src/PacketFilter.h b/src/PacketFilter.h
index 7c2ba5154e..3470ed0b02 100644
--- a/src/PacketFilter.h
+++ b/src/PacketFilter.h
@@ -38,7 +38,7 @@ public:
 	bool RemoveDst(Val* dst);
 
 	// Returns true if packet matches a drop filter
-	bool Match(const std::unique_ptr<IP_Hdr>& ip, int len, int caplen);
+	bool Match(const std::shared_ptr<IP_Hdr>& ip, int len, int caplen);
 
 private:
 	struct Filter
diff --git a/src/TunnelEncapsulation.h b/src/TunnelEncapsulation.h
index 960886a1a3..88258e297f 100644
--- a/src/TunnelEncapsulation.h
+++ b/src/TunnelEncapsulation.h
@@ -7,6 +7,7 @@
 #include <vector>
 
 #include "zeek/ID.h"
+#include "zeek/IP.h"
 #include "zeek/IPAddr.h"
 #include "zeek/NetVar.h"
 #include "zeek/UID.h"
@@ -66,8 +67,9 @@ public:
 	 * Copy constructor.
 	 */
 	EncapsulatingConn(const EncapsulatingConn& other)
-		: src_addr(other.src_addr), dst_addr(other.dst_addr), src_port(other.src_port),
-		  dst_port(other.dst_port), proto(other.proto), type(other.type), uid(other.uid)
+		: ip_hdr(other.ip_hdr), src_addr(other.src_addr), dst_addr(other.dst_addr),
+		  src_port(other.src_port), dst_port(other.dst_port), proto(other.proto), type(other.type),
+		  uid(other.uid)
 		{
 		}
 
@@ -87,6 +89,7 @@ public:
 			proto = other.proto;
 			type = other.type;
 			uid = other.uid;
+			ip_hdr = other.ip_hdr;
 			}
 
 		return *this;
@@ -127,6 +130,9 @@ public:
 		return ! (ec1 == ec2);
 		}
 
+	// TODO: temporarily public
+	std::shared_ptr<IP_Hdr> ip_hdr;
+
 protected:
 	IPAddr src_addr;
 	IPAddr dst_addr;
@@ -221,6 +227,28 @@ public:
 		return ! (e1 == e2);
 		}
 
+	/**
+	 * Returns a pointer the last element in the stack. Returns a nullptr
+	 * if the stack is empty or hasn't been initialized yet.
+	 */
+	EncapsulatingConn* Last() { return Depth() > 0 ? &(conns->back()) : nullptr; }
+
+	/**
+	 * Returns an EncapsulatingConn from the requested index in the stack.
+	 *
+	 * @param index An index to look up. Note this is one-indexed, since it's generally
+	 * looked up using a value from Depth().
+	 * @return The corresponding EncapsulatingConn, or a nullptr if the requested index is
+	 * out of range.
+	 */
+	EncapsulatingConn* At(size_t index)
+		{
+		if ( index > 0 && index <= Depth() )
+			return &(conns->at(index - 1));
+
+		return nullptr;
+		}
+
 protected:
 	std::vector<EncapsulatingConn>* conns;
 	};
diff --git a/src/analyzer/protocol/ayiya/AYIYA.cc b/src/analyzer/protocol/ayiya/AYIYA.cc
index 2523607de5..844c76ebe0 100644
--- a/src/analyzer/protocol/ayiya/AYIYA.cc
+++ b/src/analyzer/protocol/ayiya/AYIYA.cc
@@ -47,7 +47,7 @@ void AYIYA_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint6
 	caplen -= inner_packet_offset;
 	inner_packet_offset = -1;
 
-	std::unique_ptr<IP_Hdr> inner;
+	std::shared_ptr<IP_Hdr> inner;
 	int result = packet_analysis::IP::ParsePacket(len, data, next_header, inner);
 
 	if ( result == 0 )
diff --git a/src/analyzer/protocol/geneve/Geneve.cc b/src/analyzer/protocol/geneve/Geneve.cc
index 6ad414bf32..92c3570e82 100644
--- a/src/analyzer/protocol/geneve/Geneve.cc
+++ b/src/analyzer/protocol/geneve/Geneve.cc
@@ -46,6 +46,7 @@ void Geneve_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint
 
 	EncapsulatingConn inner(Conn(), BifEnum::Tunnel::GENEVE);
 	outer->Add(inner);
+	int encap_index = outer->Depth();
 
 	uint8_t tunnel_opt_len = (data[0] & 0x3F) * 4;
 	auto vni = (data[4] << 16) + (data[5] << 8) + (data[6] << 0);
@@ -83,8 +84,12 @@ void Geneve_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint
 	ProtocolConfirmation();
 
 	if ( geneve_packet )
-		Conn()->EnqueueEvent(geneve_packet, nullptr, ConnVal(), pkt.ip_hdr->ToPktHdrVal(),
-		                     val_mgr->Count(vni));
+		{
+		EncapsulatingConn* ec = pkt.encap->At(encap_index);
+		if ( ec && ec->ip_hdr )
+			Conn()->EnqueueEvent(geneve_packet, nullptr, ConnVal(), pkt.ip_hdr->ToPktHdrVal(),
+			                     val_mgr->Count(vni));
+		}
 	}
 
 	} // namespace zeek::analyzer::geneve
diff --git a/src/analyzer/protocol/gtpv1/GTPv1.cc b/src/analyzer/protocol/gtpv1/GTPv1.cc
index 8677d0c4ab..89a14fea32 100644
--- a/src/analyzer/protocol/gtpv1/GTPv1.cc
+++ b/src/analyzer/protocol/gtpv1/GTPv1.cc
@@ -48,7 +48,7 @@ void GTPv1_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint6
 	caplen -= inner_packet_offset;
 	inner_packet_offset = -1;
 
-	std::unique_ptr<IP_Hdr> inner = nullptr;
+	std::shared_ptr<IP_Hdr> inner = nullptr;
 	int result = packet_analysis::IP::ParsePacket(len, data, next_header, inner);
 
 	if ( result == 0 )
diff --git a/src/analyzer/protocol/teredo/Teredo.cc b/src/analyzer/protocol/teredo/Teredo.cc
index 5868031243..20787e41e6 100644
--- a/src/analyzer/protocol/teredo/Teredo.cc
+++ b/src/analyzer/protocol/teredo/Teredo.cc
@@ -94,7 +94,7 @@ bool TeredoEncapsulation::DoParse(const u_char* data, int& len, bool found_origi
 	return false;
 	}
 
-RecordValPtr TeredoEncapsulation::BuildVal(const std::unique_ptr<IP_Hdr>& inner) const
+RecordValPtr TeredoEncapsulation::BuildVal(const std::shared_ptr<IP_Hdr>& inner) const
 	{
 	static auto teredo_hdr_type = id::find_type<RecordType>("teredo_hdr");
 	static auto teredo_auth_type = id::find_type<RecordType>("teredo_auth");
@@ -164,7 +164,7 @@ void Teredo_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint
 		return;
 		}
 
-	std::unique_ptr<IP_Hdr> inner = nullptr;
+	std::shared_ptr<IP_Hdr> inner = nullptr;
 	int rslt = packet_analysis::IP::ParsePacket(len, te.InnerIP(), IPPROTO_IPV6, inner);
 
 	if ( rslt > 0 )
diff --git a/src/analyzer/protocol/teredo/Teredo.h b/src/analyzer/protocol/teredo/Teredo.h
index 04f19cefef..a37ad61505 100644
--- a/src/analyzer/protocol/teredo/Teredo.h
+++ b/src/analyzer/protocol/teredo/Teredo.h
@@ -75,7 +75,7 @@ public:
 
 	const u_char* Authentication() const { return auth; }
 
-	RecordValPtr BuildVal(const std::unique_ptr<IP_Hdr>& inner) const;
+	RecordValPtr BuildVal(const std::shared_ptr<IP_Hdr>& inner) const;
 
 protected:
 	bool DoParse(const u_char* data, int& len, bool found_orig, bool found_au);
diff --git a/src/analyzer/protocol/vxlan/VXLAN.cc b/src/analyzer/protocol/vxlan/VXLAN.cc
index e5681db8ee..974a033b0a 100644
--- a/src/analyzer/protocol/vxlan/VXLAN.cc
+++ b/src/analyzer/protocol/vxlan/VXLAN.cc
@@ -60,6 +60,7 @@ void VXLAN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint6
 
 	EncapsulatingConn inner(Conn(), BifEnum::Tunnel::VXLAN);
 	outer->Add(inner);
+	int encap_index = outer->Depth();
 
 	int vni = (data[4] << 16) + (data[5] << 8) + (data[6] << 0);
 
@@ -88,8 +89,14 @@ void VXLAN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint6
 	ProtocolConfirmation();
 
 	if ( vxlan_packet )
-		Conn()->EnqueueEvent(vxlan_packet, nullptr, ConnVal(), pkt.ip_hdr->ToPktHdrVal(),
-		                     val_mgr->Count(vni));
+		{
+		EncapsulatingConn* ec = pkt.encap->At(encap_index);
+		if ( ec && ec->ip_hdr )
+			{
+			Conn()->EnqueueEvent(vxlan_packet, nullptr, ConnVal(), ec->ip_hdr->ToPktHdrVal(),
+			                     val_mgr->Count(vni));
+			}
+		}
 	}
 
 	} // namespace zeek::analyzer::vxlan
diff --git a/src/iosource/Packet.h b/src/iosource/Packet.h
index 8c61abea3d..0705f8fb4e 100644
--- a/src/iosource/Packet.h
+++ b/src/iosource/Packet.h
@@ -218,7 +218,7 @@ public:
 	 * The IP header for this packet. This is filled in by the IP analyzer
 	 * during processing if the packet contains an IP header.
 	 */
-	std::unique_ptr<IP_Hdr> ip_hdr = nullptr;
+	std::shared_ptr<IP_Hdr> ip_hdr = nullptr;
 
 	/**
 	 * The protocol of the packet. This is used by the tunnel analyzers to
diff --git a/src/packet_analysis/protocol/icmp/ICMP.cc b/src/packet_analysis/protocol/icmp/ICMP.cc
index 18a89c16fb..468d7e11df 100644
--- a/src/packet_analysis/protocol/icmp/ICMP.cc
+++ b/src/packet_analysis/protocol/icmp/ICMP.cc
@@ -72,7 +72,7 @@ void ICMPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int rema
 		adapter->PacketContents(data + 8, std::min(len, remaining) - 8);
 
 	const struct icmp* icmpp = (const struct icmp*)data;
-	const std::unique_ptr<IP_Hdr>& ip = pkt->ip_hdr;
+	const std::shared_ptr<IP_Hdr>& ip = pkt->ip_hdr;
 
 	if ( ! zeek::detail::ignore_checksums &&
 	     ! GetIgnoreChecksumsNets()->Contains(ip->IPHeaderSrcAddr()) && remaining >= len )
diff --git a/src/packet_analysis/protocol/ip/IP.cc b/src/packet_analysis/protocol/ip/IP.cc
index cb45f02e7e..ef244f622c 100644
--- a/src/packet_analysis/protocol/ip/IP.cc
+++ b/src/packet_analysis/protocol/ip/IP.cc
@@ -51,7 +51,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 	// This is a unique pointer because of the mass of early returns from this method.
 	if ( protocol == 4 )
 		{
-		packet->ip_hdr = std::make_unique<IP_Hdr>(ip, false);
+		packet->ip_hdr = std::make_shared<IP_Hdr>(ip, false);
 		packet->l3_proto = L3_IPV4;
 		}
 	else if ( protocol == 6 )
@@ -62,7 +62,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 			return false;
 			}
 
-		packet->ip_hdr = std::make_unique<IP_Hdr>((const struct ip6_hdr*)data, false, len);
+		packet->ip_hdr = std::make_shared<IP_Hdr>((const struct ip6_hdr*)data, false, len);
 		packet->l3_proto = L3_IPV6;
 		}
 	else
@@ -71,6 +71,15 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 		return false;
 		}
 
+	// If there's an encapsulation stack in this packet, meaning this packet is part of a chain
+	// of tunnels, make sure to store the IP header in the last flow in the stack so it can be
+	// used by previous analyzers as we return up the chain.
+	if ( packet->encap )
+		{
+		if ( auto* ec = packet->encap->Last() )
+			ec->ip_hdr = packet->ip_hdr;
+		}
+
 	const struct ip* ip4 = packet->ip_hdr->IP4_Hdr();
 
 	// TotalLen() returns the full length of the IP portion of the packet, including
@@ -164,7 +173,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 			{
 			f = detail::fragment_mgr->NextFragment(run_state::processing_start_time, packet->ip_hdr,
 			                                       packet->data + hdr_size);
-			std::unique_ptr<IP_Hdr> ih = f->ReassembledPkt();
+			std::shared_ptr<IP_Hdr> ih = f->ReassembledPkt();
 
 			if ( ! ih )
 				// It didn't reassemble into anything yet.
@@ -275,7 +284,7 @@ bool IPAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 	}
 
 int zeek::packet_analysis::IP::ParsePacket(int caplen, const u_char* const pkt, int proto,
-                                           std::unique_ptr<zeek::IP_Hdr>& inner)
+                                           std::shared_ptr<zeek::IP_Hdr>& inner)
 	{
 	if ( proto == IPPROTO_IPV6 )
 		{
@@ -283,7 +292,7 @@ int zeek::packet_analysis::IP::ParsePacket(int caplen, const u_char* const pkt,
 			return -1;
 
 		const struct ip6_hdr* ip6 = (const struct ip6_hdr*)pkt;
-		inner = std::make_unique<zeek::IP_Hdr>(ip6, false, caplen);
+		inner = std::make_shared<zeek::IP_Hdr>(ip6, false, caplen);
 		if ( (ip6->ip6_ctlun.ip6_un2_vfc & 0xF0) != 0x60 )
 			return -2;
 		}
@@ -294,7 +303,7 @@ int zeek::packet_analysis::IP::ParsePacket(int caplen, const u_char* const pkt,
 			return -1;
 
 		const struct ip* ip4 = (const struct ip*)pkt;
-		inner = std::make_unique<zeek::IP_Hdr>(ip4, false);
+		inner = std::make_shared<zeek::IP_Hdr>(ip4, false);
 		if ( ip4->ip_v != 4 )
 			return -2;
 		}
diff --git a/src/packet_analysis/protocol/ip/IP.h b/src/packet_analysis/protocol/ip/IP.h
index e9a62d6bf2..9aa00d99f3 100644
--- a/src/packet_analysis/protocol/ip/IP.h
+++ b/src/packet_analysis/protocol/ip/IP.h
@@ -57,5 +57,5 @@ private:
  *         long enough to be an IP header, and \a inner is always non-null
  *         for other return values.
  */
-int ParsePacket(int caplen, const u_char* const pkt, int proto, std::unique_ptr<IP_Hdr>& inner);
+int ParsePacket(int caplen, const u_char* const pkt, int proto, std::shared_ptr<IP_Hdr>& inner);
 	}
diff --git a/src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc b/src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc
index 876ce5ef2c..2994d320ba 100644
--- a/src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc
+++ b/src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc
@@ -32,7 +32,7 @@ bool IPBasedAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pkt
 	if ( ! BuildConnTuple(len, data, pkt, tuple) )
 		return false;
 
-	const std::unique_ptr<IP_Hdr>& ip_hdr = pkt->ip_hdr;
+	const std::shared_ptr<IP_Hdr>& ip_hdr = pkt->ip_hdr;
 	detail::ConnKey key(tuple);
 
 	Connection* conn = session_mgr->FindConnection(key);
diff --git a/src/packet_analysis/protocol/iptunnel/IPTunnel.cc b/src/packet_analysis/protocol/iptunnel/IPTunnel.cc
index dcde13a94a..23ae906943 100644
--- a/src/packet_analysis/protocol/iptunnel/IPTunnel.cc
+++ b/src/packet_analysis/protocol/iptunnel/IPTunnel.cc
@@ -44,7 +44,7 @@ bool IPTunnelAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa
 	BifEnum::Tunnel::Type tunnel_type = packet->tunnel_type;
 	int gre_link_type = packet->gre_link_type;
 
-	std::unique_ptr<IP_Hdr> inner = nullptr;
+	std::shared_ptr<IP_Hdr> inner = nullptr;
 
 	if ( gre_version != 0 )
 		{
@@ -96,7 +96,7 @@ bool IPTunnelAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa
  * Handles a packet that contains an IP header directly after the tunnel header.
  */
 bool IPTunnelAnalyzer::ProcessEncapsulatedPacket(double t, const Packet* pkt,
-                                                 const std::unique_ptr<IP_Hdr>& inner,
+                                                 const std::shared_ptr<IP_Hdr>& inner,
                                                  std::shared_ptr<EncapsulationStack> prev,
                                                  const EncapsulatingConn& ec)
 	{
diff --git a/src/packet_analysis/protocol/iptunnel/IPTunnel.h b/src/packet_analysis/protocol/iptunnel/IPTunnel.h
index 23383bffd4..71c7be7b7a 100644
--- a/src/packet_analysis/protocol/iptunnel/IPTunnel.h
+++ b/src/packet_analysis/protocol/iptunnel/IPTunnel.h
@@ -44,7 +44,7 @@ public:
 	 * @param ec The most-recently found depth of encapsulation.
 	 */
 	bool ProcessEncapsulatedPacket(double t, const Packet* pkt,
-	                               const std::unique_ptr<IP_Hdr>& inner,
+	                               const std::shared_ptr<IP_Hdr>& inner,
 	                               std::shared_ptr<EncapsulationStack> prev,
 	                               const EncapsulatingConn& ec);
 
diff --git a/src/packet_analysis/protocol/tcp/TCP.cc b/src/packet_analysis/protocol/tcp/TCP.cc
index cdd8a4c80f..6bfd02cff5 100644
--- a/src/packet_analysis/protocol/tcp/TCP.cc
+++ b/src/packet_analysis/protocol/tcp/TCP.cc
@@ -113,7 +113,7 @@ void TCPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
 
 	analyzer::tcp::TCP_Endpoint* endpoint = is_orig ? adapter->orig : adapter->resp;
 	analyzer::tcp::TCP_Endpoint* peer = endpoint->peer;
-	const std::unique_ptr<IP_Hdr>& ip = pkt->ip_hdr;
+	const std::shared_ptr<IP_Hdr>& ip = pkt->ip_hdr;
 
 	if ( ! ValidateChecksum(ip.get(), tp, endpoint, len, remaining, adapter) )
 		return;
diff --git a/src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc b/src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc
index c342f1f3b8..53027538e8 100644
--- a/src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc
+++ b/src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc
@@ -542,7 +542,7 @@ static int32_t update_last_seq(analyzer::tcp::TCP_Endpoint* endpoint, uint32_t l
 	}
 
 void TCPSessionAdapter::Process(bool is_orig, const struct tcphdr* tp, int len,
-                                const std::unique_ptr<IP_Hdr>& ip, const u_char* data,
+                                const std::shared_ptr<IP_Hdr>& ip, const u_char* data,
                                 int remaining)
 	{
 	analyzer::tcp::TCP_Flags flags(tp);
diff --git a/src/packet_analysis/protocol/tcp/TCPSessionAdapter.h b/src/packet_analysis/protocol/tcp/TCPSessionAdapter.h
index 5025f0299b..d20b28765b 100644
--- a/src/packet_analysis/protocol/tcp/TCPSessionAdapter.h
+++ b/src/packet_analysis/protocol/tcp/TCPSessionAdapter.h
@@ -33,7 +33,7 @@ public:
 	explicit TCPSessionAdapter(Connection* conn);
 	~TCPSessionAdapter() override;
 
-	void Process(bool is_orig, const struct tcphdr* tp, int len, const std::unique_ptr<IP_Hdr>& ip,
+	void Process(bool is_orig, const struct tcphdr* tp, int len, const std::shared_ptr<IP_Hdr>& ip,
 	             const u_char* data, int remaining);
 
 	void EnableReassembly();
diff --git a/src/packet_analysis/protocol/udp/UDP.cc b/src/packet_analysis/protocol/udp/UDP.cc
index 374f69c50c..6f60386d3e 100644
--- a/src/packet_analysis/protocol/udp/UDP.cc
+++ b/src/packet_analysis/protocol/udp/UDP.cc
@@ -86,7 +86,7 @@ void UDPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
 	int len = pkt->ip_hdr->PayloadLen();
 
 	const struct udphdr* up = (const struct udphdr*)data;
-	const std::unique_ptr<IP_Hdr>& ip = pkt->ip_hdr;
+	const std::shared_ptr<IP_Hdr>& ip = pkt->ip_hdr;
 
 	adapter->DeliverPacket(len, data, is_orig, -1, ip.get(), remaining);
 

From 1dede6dd706a4042bc0ca6a18d5d1acf01036b2d Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Wed, 25 Aug 2021 17:08:39 -0700
Subject: [PATCH 091/210] Fix error text in IPTunnel analyzer

---
 src/packet_analysis/protocol/iptunnel/IPTunnel.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/packet_analysis/protocol/iptunnel/IPTunnel.cc b/src/packet_analysis/protocol/iptunnel/IPTunnel.cc
index 23ae906943..dadce0a4b5 100644
--- a/src/packet_analysis/protocol/iptunnel/IPTunnel.cc
+++ b/src/packet_analysis/protocol/iptunnel/IPTunnel.cc
@@ -23,7 +23,7 @@ bool IPTunnelAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa
 	{
 	if ( ! packet->ip_hdr )
 		{
-		reporter->InternalError("IPTunnelAnalyzer: ip_hdr not found in packet keystore");
+		reporter->InternalError("IPTunnelAnalyzer: null ip_hdr in packet");
 		return false;
 		}
 

From 5f58ce8a5d60492e3d3af66b2579488e24aa4765 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Thu, 26 Aug 2021 09:54:05 -0700
Subject: [PATCH 092/210] Minor fix in UDP to avoid duplicating tunnels

---
 src/packet_analysis/protocol/udp/UDP.cc | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/packet_analysis/protocol/udp/UDP.cc b/src/packet_analysis/protocol/udp/UDP.cc
index 6f60386d3e..1ade1ae208 100644
--- a/src/packet_analysis/protocol/udp/UDP.cc
+++ b/src/packet_analysis/protocol/udp/UDP.cc
@@ -211,8 +211,11 @@ void UDPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
 		adapter->Event(udp_reply);
 		}
 
-	// Send the packet back into the packet analysis framework.
-	ForwardPacket(len, data, pkt);
+	// Send the packet back into the packet analysis framework. We only check the response
+	// port here because the orig/resp should have already swapped around based on
+	// likely_server_ports. This also prevents us from processing things twice if protocol
+	// detection has to be used.
+	ForwardPacket(len, data, pkt, ntohs(c->RespPort()));
 
 	// Also try sending it into session analysis.
 	if ( remaining >= len )

From f93c5a694296f8847f4b17de8db5f43eb48a07ff Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Thu, 26 Aug 2021 10:16:48 -0700
Subject: [PATCH 093/210] Store some additional information in the packet
 during processing

- Session related to the packet
- is_orig information if a UDP header was found
---
 src/iosource/Packet.h                         | 22 ++++++++++++++-----
 src/packet_analysis/protocol/icmp/ICMP.cc     |  4 ++++
 .../protocol/ip/IPBasedAnalyzer.cc            |  1 +
 src/packet_analysis/protocol/tcp/TCP.cc       |  4 ++++
 src/packet_analysis/protocol/udp/UDP.cc       |  4 ++++
 5 files changed, 30 insertions(+), 5 deletions(-)

diff --git a/src/iosource/Packet.h b/src/iosource/Packet.h
index 0705f8fb4e..c93a39a82e 100644
--- a/src/iosource/Packet.h
+++ b/src/iosource/Packet.h
@@ -18,6 +18,7 @@ using pkt_timeval = struct timeval;
 #include "zeek/IP.h"
 #include "zeek/NetVar.h" // For BifEnum::Tunnel
 #include "zeek/TunnelEncapsulation.h"
+#include "zeek/session/Session.h"
 
 namespace zeek
 	{
@@ -172,29 +173,35 @@ public:
 	/**
 	 * (Outermost) VLAN tag if any, else 0.
 	 */
-	uint32_t vlan;
+	uint32_t vlan = 0;
 
 	/**
 	 * (Innermost) VLAN tag if any, else 0.
 	 */
-	uint32_t inner_vlan;
+	uint32_t inner_vlan = 0;
+
+	/**
+	 * If this packet is related to a connection, this flag denotes whether
+	 * this packet is from the originator of the connection.
+	 */
+	bool is_orig = false;
 
 	/**
 	 * Indicates whether the layer 2 checksum was validated by the
 	 * hardware/kernel before being received by zeek.
 	 */
-	bool l2_checksummed;
+	bool l2_checksummed = false;
 
 	/**
 	 * Indicates whether the layer 3 checksum was validated by the
 	 * hardware/kernel before being received by zeek.
 	 */
-	bool l3_checksummed;
+	bool l3_checksummed = false;
 
 	/**
 	 * Indicates whether this packet should be recorded.
 	 */
-	mutable bool dump_packet;
+	mutable bool dump_packet = false;
 
 	/**
 	 * Indicates the amount of data to be dumped. If only a header is needed,
@@ -255,6 +262,11 @@ public:
 	 */
 	bool processed = false;
 
+	/**
+	 * The session related to this packet, if one exists.
+	 */
+	session::Session* session = nullptr;
+
 private:
 	// Renders an MAC address into its ASCII representation.
 	ValPtr FmtEUI48(const u_char* mac) const;
diff --git a/src/packet_analysis/protocol/icmp/ICMP.cc b/src/packet_analysis/protocol/icmp/ICMP.cc
index 468d7e11df..4b24d3be95 100644
--- a/src/packet_analysis/protocol/icmp/ICMP.cc
+++ b/src/packet_analysis/protocol/icmp/ICMP.cc
@@ -121,6 +121,10 @@ void ICMPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int rema
 		return;
 		}
 
+	// Store the session in the packet in case we get an encapsulation here. We need it for
+	// handling those properly.
+	pkt->session = c;
+
 	ForwardPacket(len, data, pkt);
 
 	if ( remaining >= len )
diff --git a/src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc b/src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc
index 2994d320ba..6e83984ae7 100644
--- a/src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc
+++ b/src/packet_analysis/protocol/ip/IPBasedAnalyzer.cc
@@ -68,6 +68,7 @@ bool IPBasedAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pkt
 	pkt->processed = true;
 
 	bool is_orig = (tuple.src_addr == conn->OrigAddr()) && (tuple.src_port == conn->OrigPort());
+	pkt->is_orig = is_orig;
 
 	conn->CheckFlowLabel(is_orig, ip_hdr->FlowLabel());
 
diff --git a/src/packet_analysis/protocol/tcp/TCP.cc b/src/packet_analysis/protocol/tcp/TCP.cc
index 6bfd02cff5..d60a18bea7 100644
--- a/src/packet_analysis/protocol/tcp/TCP.cc
+++ b/src/packet_analysis/protocol/tcp/TCP.cc
@@ -120,6 +120,10 @@ void TCPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
 
 	adapter->Process(is_orig, tp, len, ip, data, remaining);
 
+	// Store the session in the packet in case we get an encapsulation here. We need it for
+	// handling those properly.
+	pkt->session = c;
+
 	// Send the packet back into the packet analysis framework.
 	ForwardPacket(len, data, pkt);
 
diff --git a/src/packet_analysis/protocol/udp/UDP.cc b/src/packet_analysis/protocol/udp/UDP.cc
index 1ade1ae208..cd7681dcd9 100644
--- a/src/packet_analysis/protocol/udp/UDP.cc
+++ b/src/packet_analysis/protocol/udp/UDP.cc
@@ -211,6 +211,10 @@ void UDPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
 		adapter->Event(udp_reply);
 		}
 
+	// Store the session in the packet in case we get an encapsulation here. We need it for
+	// handling those properly.
+	pkt->session = c;
+
 	// Send the packet back into the packet analysis framework. We only check the response
 	// port here because the orig/resp should have already swapped around based on
 	// likely_server_ports. This also prevents us from processing things twice if protocol

From 7bffd2eccd436cdfdb6496248cab06a900e8ee9d Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Thu, 26 Aug 2021 11:27:23 -0700
Subject: [PATCH 094/210] Add utility function for tunnel analyzers to setup
 encapsulation

---
 .../protocol/iptunnel/IPTunnel.cc             | 32 +++++++++++++++++++
 .../protocol/iptunnel/IPTunnel.h              | 25 +++++++++++++++
 2 files changed, 57 insertions(+)

diff --git a/src/packet_analysis/protocol/iptunnel/IPTunnel.cc b/src/packet_analysis/protocol/iptunnel/IPTunnel.cc
index dadce0a4b5..699572a950 100644
--- a/src/packet_analysis/protocol/iptunnel/IPTunnel.cc
+++ b/src/packet_analysis/protocol/iptunnel/IPTunnel.cc
@@ -4,6 +4,7 @@
 
 #include <pcap.h> // For DLT_ constants
 
+#include "zeek/Conn.h"
 #include "zeek/IP.h"
 #include "zeek/RunState.h"
 #include "zeek/TunnelEncapsulation.h"
@@ -170,6 +171,37 @@ bool IPTunnelAnalyzer::ProcessEncapsulatedPacket(double t, const Packet* pkt, ui
 	return return_val;
 	}
 
+std::unique_ptr<Packet> build_inner_packet(Packet* outer_pkt, int* encap_index,
+                                           std::shared_ptr<EncapsulationStack> encap_stack,
+                                           uint32_t len, const u_char* data, int link_type,
+                                           BifEnum::Tunnel::Type tunnel_type,
+                                           const Tag& analyzer_tag)
+	{
+	auto inner_pkt = std::make_unique<Packet>();
+
+	pkt_timeval ts;
+	ts.tv_sec = static_cast<time_t>(run_state::current_timestamp);
+	ts.tv_usec = static_cast<suseconds_t>(
+		(run_state::current_timestamp - static_cast<double>(ts.tv_sec)) * 1000000);
+	inner_pkt->Init(link_type, &ts, len, len, data);
+
+	*encap_index = 0;
+	if ( outer_pkt->session )
+		{
+		EncapsulatingConn inner(static_cast<Connection*>(outer_pkt->session), tunnel_type);
+
+		if ( ! outer_pkt->encap )
+			outer_pkt->encap = encap_stack != nullptr ? encap_stack
+			                                          : std::make_shared<EncapsulationStack>();
+
+		outer_pkt->encap->Add(inner);
+		inner_pkt->encap = outer_pkt->encap;
+		*encap_index = outer_pkt->encap->Depth();
+		}
+
+	return inner_pkt;
+	}
+
 namespace detail
 	{
 
diff --git a/src/packet_analysis/protocol/iptunnel/IPTunnel.h b/src/packet_analysis/protocol/iptunnel/IPTunnel.h
index 71c7be7b7a..dcb528fb29 100644
--- a/src/packet_analysis/protocol/iptunnel/IPTunnel.h
+++ b/src/packet_analysis/protocol/iptunnel/IPTunnel.h
@@ -78,6 +78,31 @@ protected:
 	IPTunnelMap ip_tunnels;
 	};
 
+/**
+ * Utility function for packet analyzers for encapsulation/tunnel protocols. This
+ * builds a new packet object containing the encapsulated/tunneled packet, as well
+ * as adding to the associated encapsulation stack for the tunnel.
+ *
+ * @param outer_pkt The packet containing the encapsulation. This packet should contain
+ * @param encap_index A return value for the current index into the encapsulation stack.
+ * This is returned to allow analzyers to know what point in the stack they were operating
+ * on as the packet analysis chain unwinds as it returns.
+ * @param encap_stack Tracks the encapsulations as the new encapsulations are discovered
+ * in the inner packets.
+ * @param len The byte length of the packet data containing in the inner packet.
+ * @param data A pointer to the first byte of the inner packet.
+ * @param link_type The link type (DLT_*) for the outer packet. If not known, DLT_RAW can
+ * be passed for this value.
+ * @param tunnel_type The type of tunnel the inner packet is stored in.
+ * @param analyzer_tag The tag for the analyzer calling this method.
+ * return A new packet object describing the encapsulated packet and data.
+ */
+extern std::unique_ptr<Packet> build_inner_packet(Packet* outer_pkt, int* encap_index,
+                                                  std::shared_ptr<EncapsulationStack> encap_stack,
+                                                  uint32_t len, const u_char* data, int link_type,
+                                                  BifEnum::Tunnel::Type tunnel_type,
+                                                  const Tag& analyzer_tag);
+
 namespace detail
 	{
 

From 612212568a981d537c740738d393290fc0642f1e Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Mon, 25 Oct 2021 09:03:15 -0700
Subject: [PATCH 095/210] Add analyzer_confirmation and analyzer_violation
 events

---
 scripts/base/frameworks/analyzer/main.zeek    | 19 ++++---
 scripts/base/frameworks/dpd/main.zeek         | 10 ++--
 scripts/base/init-bare.zeek                   |  4 +-
 scripts/base/protocols/conn/inactivity.zeek   |  4 +-
 scripts/base/protocols/rdp/main.zeek          |  4 +-
 scripts/base/protocols/ssh/main.zeek          |  2 +-
 scripts/base/protocols/ssl/main.zeek          |  4 +-
 .../frameworks/dpd/detect-protocols.zeek      | 16 +++---
 .../dpd/packet-segment-logging.zeek           |  4 +-
 .../policy/protocols/conn/known-services.zeek |  4 +-
 src/analyzer/Analyzer.cc                      | 50 +++++++++++++++++--
 src/analyzer/Analyzer.h                       | 48 ++++++++++++++++--
 src/analyzer/protocol/ayiya/AYIYA.cc          | 10 ++--
 .../protocol/ayiya/ayiya-analyzer.pac         |  4 +-
 .../protocol/bittorrent/BitTorrent.cc         |  6 +--
 .../protocol/bittorrent/BitTorrentTracker.cc  | 22 ++++----
 .../bittorrent/bittorrent-analyzer.pac        |  2 +-
 src/analyzer/protocol/dce-rpc/DCE_RPC.cc      |  2 +-
 .../protocol/dce-rpc/dce_rpc-analyzer.pac     |  2 +-
 src/analyzer/protocol/dhcp/DHCP.cc            |  2 +-
 src/analyzer/protocol/dhcp/dhcp-analyzer.pac  |  6 +--
 src/analyzer/protocol/dhcp/dhcp-protocol.pac  |  2 +-
 src/analyzer/protocol/dnp3/DNP3.cc            |  4 +-
 src/analyzer/protocol/dns/DNS.cc              |  4 +-
 src/analyzer/protocol/ftp/FTP.cc              |  4 +-
 src/analyzer/protocol/geneve/Geneve.cc        |  8 +--
 src/analyzer/protocol/gssapi/GSSAPI.cc        |  4 +-
 src/analyzer/protocol/gtpv1/GTPv1.cc          | 10 ++--
 .../protocol/gtpv1/gtpv1-analyzer.pac         |  2 +-
 src/analyzer/protocol/http/HTTP.cc            |  8 +--
 src/analyzer/protocol/imap/IMAP.cc            |  2 +-
 src/analyzer/protocol/imap/imap-analyzer.pac  |  6 +--
 src/analyzer/protocol/irc/IRC.cc              |  8 +--
 src/analyzer/protocol/krb/KRB.cc              |  2 +-
 src/analyzer/protocol/krb/KRB_TCP.cc          |  2 +-
 src/analyzer/protocol/krb/krb-analyzer.pac    | 16 +++---
 .../protocol/modbus/modbus-analyzer.pac       | 18 +++----
 src/analyzer/protocol/mqtt/MQTT.cc            |  2 +-
 .../protocol/mqtt/commands/connect.pac        |  2 +-
 .../protocol/mqtt/commands/publish.pac        |  2 +-
 src/analyzer/protocol/mqtt/mqtt-protocol.pac  |  4 +-
 src/analyzer/protocol/mysql/MySQL.cc          |  2 +-
 .../protocol/mysql/mysql-analyzer.pac         |  2 +-
 src/analyzer/protocol/ncp/NCP.cc              |  2 +-
 src/analyzer/protocol/ntlm/NTLM.cc            |  4 +-
 src/analyzer/protocol/ntlm/ntlm-analyzer.pac  |  2 +-
 src/analyzer/protocol/ntp/NTP.cc              |  2 +-
 src/analyzer/protocol/ntp/ntp-analyzer.pac    |  2 +-
 src/analyzer/protocol/pop3/POP3.cc            |  8 +--
 src/analyzer/protocol/radius/RADIUS.cc        |  2 +-
 .../protocol/radius/radius-analyzer.pac       |  2 +-
 src/analyzer/protocol/rdp/RDP.cc              |  2 +-
 src/analyzer/protocol/rdp/RDPEUDP.cc          |  2 +-
 src/analyzer/protocol/rdp/rdp-analyzer.pac    |  6 +--
 .../protocol/rdp/rdpeudp-analyzer.pac         |  2 +-
 src/analyzer/protocol/rfb/RFB.cc              |  2 +-
 src/analyzer/protocol/rfb/rfb-analyzer.pac    |  8 +--
 src/analyzer/protocol/sip/SIP.cc              |  2 +-
 src/analyzer/protocol/sip/SIP_TCP.cc          |  2 +-
 src/analyzer/protocol/sip/sip-analyzer.pac    |  2 +-
 src/analyzer/protocol/smb/SMB.cc              |  4 +-
 src/analyzer/protocol/smtp/SMTP.cc            |  4 +-
 src/analyzer/protocol/snmp/SNMP.cc            |  2 +-
 src/analyzer/protocol/snmp/snmp-analyzer.pac  |  6 +--
 src/analyzer/protocol/socks/SOCKS.cc          |  2 +-
 .../protocol/socks/socks-analyzer.pac         | 14 +++---
 src/analyzer/protocol/ssh/SSH.cc              |  2 +-
 src/analyzer/protocol/ssh/ssh-analyzer.pac    |  2 +-
 src/analyzer/protocol/ssl/DTLS.cc             |  2 +-
 src/analyzer/protocol/ssl/SSL.cc              |  4 +-
 src/analyzer/protocol/ssl/dtls-analyzer.pac   | 10 ++--
 src/analyzer/protocol/ssl/dtls-protocol.pac   |  6 +--
 .../protocol/ssl/proc-client-hello.pac        |  4 +-
 .../protocol/ssl/proc-server-hello.pac        |  2 +-
 .../protocol/ssl/ssl-dtls-analyzer.pac        |  4 +-
 src/analyzer/protocol/ssl/ssl-protocol.pac    | 10 ++--
 .../protocol/ssl/tls-handshake-analyzer.pac   |  4 +-
 src/analyzer/protocol/tcp/TCP.cc              |  4 +-
 src/analyzer/protocol/tcp/TCP.h               |  2 +-
 src/analyzer/protocol/teredo/Teredo.cc        |  6 +--
 src/analyzer/protocol/teredo/Teredo.h         |  4 +-
 src/analyzer/protocol/vxlan/VXLAN.cc          |  8 +--
 src/analyzer/protocol/xmpp/XMPP.cc            |  2 +-
 src/analyzer/protocol/xmpp/xmpp-analyzer.pac  |  2 +-
 src/event.bif                                 |  6 ++-
 src/packet_analysis/Analyzer.cc               | 39 +++++++++++++++
 src/packet_analysis/Analyzer.h                | 47 +++++++++++++++++
 src/session/Session.cc                        | 14 ++++++
 src/session/Session.h                         | 14 ++++++
 testing/btest/Baseline/plugins.hooks/output   | 12 ++---
 .../all-events-no-args.log                    |  8 +--
 .../all-events.log                            |  8 +--
 .../really-all-events.log                     |  8 +--
 .../btest/bifs/disable_analyzer-early.zeek    |  4 +-
 testing/btest/bifs/disable_analyzer.zeek      |  4 +-
 .../btest/core/tunnels/gtp/non_recursive.test |  2 +-
 96 files changed, 432 insertions(+), 235 deletions(-)

diff --git a/scripts/base/frameworks/analyzer/main.zeek b/scripts/base/frameworks/analyzer/main.zeek
index e4d740979a..e56833fa75 100644
--- a/scripts/base/frameworks/analyzer/main.zeek
+++ b/scripts/base/frameworks/analyzer/main.zeek
@@ -53,7 +53,7 @@ export {
 	## ports: The set of well-known ports to associate with the analyzer.
 	##
 	## Returns: True if the ports were successfully registered.
-	global register_for_ports: function(tag: Analyzer::Tag, ports: set[port]) : bool;
+	global register_for_ports: function(tag: AllAnalyzers::Tag, ports: set[port]) : bool;
 
 	## Registers an individual well-known port for an analyzer. If a future
 	## connection on this port is seen, the analyzer will be automatically
@@ -65,7 +65,7 @@ export {
 	## p: The well-known port to associate with the analyzer.
 	##
 	## Returns: True if the port was successfully registered.
-	global register_for_port: function(tag: Analyzer::Tag, p: port) : bool;
+	global register_for_port: function(tag: AllAnalyzers::Tag, p: port) : bool;
 
 	## Returns a set of all well-known ports currently registered for a
 	## specific analyzer.
@@ -73,13 +73,13 @@ export {
 	## tag: The tag of the analyzer.
 	##
 	## Returns: The set of ports.
-	global registered_ports: function(tag: Analyzer::Tag) : set[port];
+	global registered_ports: function(tag: AllAnalyzers::Tag) : set[port];
 
 	## Returns a table of all ports-to-analyzer mappings currently registered.
 	##
 	## Returns: A table mapping each analyzer to the set of ports
 	##          registered for it.
-	global all_registered_ports: function() : table[Analyzer::Tag] of set[port];
+	global all_registered_ports: function() : table[AllAnalyzers::Tag] of set[port];
 
 	## Translates an analyzer type to a string with the analyzer's name.
 	##
@@ -137,7 +137,7 @@ export {
 
 @load base/bif/analyzer.bif
 
-global ports: table[Analyzer::Tag] of set[port];
+global ports: table[AllAnalyzers::Tag] of set[port];
 
 event zeek_init() &priority=5
 	{
@@ -158,7 +158,7 @@ function disable_analyzer(tag: Analyzer::Tag) : bool
 	return __disable_analyzer(tag);
 	}
 
-function register_for_ports(tag: Analyzer::Tag, ports: set[port]) : bool
+function register_for_ports(tag: AllAnalyzers::Tag, ports: set[port]) : bool
 	{
 	local rc = T;
 
@@ -171,7 +171,7 @@ function register_for_ports(tag: Analyzer::Tag, ports: set[port]) : bool
 	return rc;
 	}
 
-function register_for_port(tag: Analyzer::Tag, p: port) : bool
+function register_for_port(tag: AllAnalyzers::Tag, p: port) : bool
 	{
 	if ( ! __register_for_port(tag, p) )
 		return F;
@@ -183,12 +183,12 @@ function register_for_port(tag: Analyzer::Tag, p: port) : bool
 	return T;
 	}
 
-function registered_ports(tag: Analyzer::Tag) : set[port]
+function registered_ports(tag: AllAnalyzers::Tag) : set[port]
 	{
 	return tag in ports ? ports[tag] : set();
 	}
 
-function all_registered_ports(): table[Analyzer::Tag] of set[port]
+function all_registered_ports(): table[AllAnalyzers::Tag] of set[port]
 	{
 	return ports;
 	}
@@ -230,4 +230,3 @@ function get_bpf(): string
 		}
 	return output;
 	}
-
diff --git a/scripts/base/frameworks/dpd/main.zeek b/scripts/base/frameworks/dpd/main.zeek
index 16e37dafdd..b00a600dc1 100644
--- a/scripts/base/frameworks/dpd/main.zeek
+++ b/scripts/base/frameworks/dpd/main.zeek
@@ -53,7 +53,7 @@ event zeek_init() &priority=5
 	Log::create_stream(DPD::LOG, [$columns=Info, $path="dpd", $policy=log_policy]);
 	}
 
-event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=10
+event analyzer_confirmation(c: connection, atype: AllAnalyzers::Tag, aid: count) &priority=10
 	{
 	local analyzer = Analyzer::name(atype);
 
@@ -63,7 +63,7 @@ event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &pr
 	add c$service[analyzer];
 	}
 
-event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count,
+event analyzer_violation(c: connection, atype: AllAnalyzers::Tag, aid: count,
                          reason: string) &priority=10
 	{
 	local analyzer = Analyzer::name(atype);
@@ -85,7 +85,7 @@ event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count,
 	c$dpd = info;
 	}
 
-event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string) &priority=5
+event analyzer_violation(c: connection, atype: AllAnalyzers::Tag, aid: count, reason: string) &priority=5
 	{
 	if ( atype in ignore_violations )
 		return;
@@ -114,8 +114,8 @@ event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason
 		}
 	}
 
-event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count,
-				reason: string) &priority=-5
+event analyzer_violation(c: connection, atype: AllAnalyzers::Tag, aid: count,
+			 reason: string) &priority=-5
 	{
 	if ( c?$dpd )
 		{
diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index 3ab33fb8eb..401b2496b8 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -5036,14 +5036,14 @@ export {
 
 	## With this set, the Teredo analyzer waits until it sees both sides
 	## of a connection using a valid Teredo encapsulation before issuing
-	## a :zeek:see:`protocol_confirmation`.  If it's false, the first
+	## a :zeek:see:`analyzer_confirmation`.  If it's false, the first
 	## occurrence of a packet with valid Teredo encapsulation causes a
 	## confirmation.
 	const delay_teredo_confirmation = T &redef;
 
 	## With this set, the GTP analyzer waits until the most-recent upflow
 	## and downflow packets are a valid GTPv1 encapsulation before
-	## issuing :zeek:see:`protocol_confirmation`.  If it's false, the
+	## issuing :zeek:see:`analyzer_confirmation`.  If it's false, the
 	## first occurrence of a packet with valid GTPv1 encapsulation causes
 	## confirmation.  Since the same inner connection can be carried
 	## differing outer upflow/downflow connections, setting to false
diff --git a/scripts/base/protocols/conn/inactivity.zeek b/scripts/base/protocols/conn/inactivity.zeek
index 90c51c3909..0d63240407 100644
--- a/scripts/base/protocols/conn/inactivity.zeek
+++ b/scripts/base/protocols/conn/inactivity.zeek
@@ -6,7 +6,7 @@ module Conn;
 export {
 	## Define inactivity timeouts by the service detected being used over
 	## the connection.
-	option analyzer_inactivity_timeouts: table[Analyzer::Tag] of interval = {
+	option analyzer_inactivity_timeouts: table[AllAnalyzers::Tag] of interval = {
 		# For interactive services, allow longer periods of inactivity.
 		[[Analyzer::ANALYZER_SSH, Analyzer::ANALYZER_FTP]] = 1 hrs,
 	};
@@ -18,7 +18,7 @@ export {
 
 }
 
-event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count)
+event analyzer_confirmation(c: connection, atype: AllAnalyzers::Tag, aid: count)
 	{
 	if ( atype in analyzer_inactivity_timeouts )
 		set_inactivity_timeout(c$id, analyzer_inactivity_timeouts[atype]);
diff --git a/scripts/base/protocols/rdp/main.zeek b/scripts/base/protocols/rdp/main.zeek
index 53cc6ea812..1dd8701ef7 100644
--- a/scripts/base/protocols/rdp/main.zeek
+++ b/scripts/base/protocols/rdp/main.zeek
@@ -265,7 +265,7 @@ event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) &priori
 		}
 	}
 
-event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=5
+event analyzer_confirmation(c: connection, atype: AllAnalyzers::Tag, aid: count) &priority=5
 	{
 	if ( atype == Analyzer::ANALYZER_RDP )
 		{
@@ -274,7 +274,7 @@ event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &pr
 		}
 	}
 
-event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string) &priority=5
+event analyzer_violation(c: connection, atype: AllAnalyzers::Tag, aid: count, reason: string) &priority=5
 	{
 	# If a protocol violation occurs, then log the record immediately.
 	if ( c?$rdp )
diff --git a/scripts/base/protocols/ssh/main.zeek b/scripts/base/protocols/ssh/main.zeek
index 1dbc1bcfcc..1dcbe80328 100644
--- a/scripts/base/protocols/ssh/main.zeek
+++ b/scripts/base/protocols/ssh/main.zeek
@@ -355,7 +355,7 @@ event ssh_server_host_key(c: connection, hash: string) &priority=5
 	c$ssh$host_key = hash;
 	}
 
-event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=20
+event analyzer_confirmation(c: connection, atype: AllAnalyzers::Tag, aid: count) &priority=20
 	{
 	if ( atype == Analyzer::ANALYZER_SSH )
 		{
diff --git a/scripts/base/protocols/ssl/main.zeek b/scripts/base/protocols/ssl/main.zeek
index e3944a0f1e..37a60a1aff 100644
--- a/scripts/base/protocols/ssl/main.zeek
+++ b/scripts/base/protocols/ssl/main.zeek
@@ -474,7 +474,7 @@ hook finalize_ssl(c: connection)
 	finish(c, F);
 	}
 
-event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=5
+event analyzer_confirmation(c: connection, atype: AllAnalyzers::Tag, aid: count) &priority=5
 	{
 	if ( atype == Analyzer::ANALYZER_SSL || atype == Analyzer::ANALYZER_DTLS )
 		{
@@ -494,7 +494,7 @@ event ssl_plaintext_data(c: connection, is_orig: bool, record_version: count, co
 	Weird::weird(wi);
 	}
 
-event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count,
+event analyzer_violation(c: connection, atype: AllAnalyzers::Tag, aid: count,
                          reason: string) &priority=5
 	{
 	if ( c?$ssl && ( atype == Analyzer::ANALYZER_SSL || atype == Analyzer::ANALYZER_DTLS ) )
diff --git a/scripts/policy/frameworks/dpd/detect-protocols.zeek b/scripts/policy/frameworks/dpd/detect-protocols.zeek
index 2bd69ba196..f721217147 100644
--- a/scripts/policy/frameworks/dpd/detect-protocols.zeek
+++ b/scripts/policy/frameworks/dpd/detect-protocols.zeek
@@ -22,7 +22,7 @@ export {
 
 	type dir: enum { NONE, INCOMING, OUTGOING, BOTH };
 
-	option valids: table[Analyzer::Tag, addr, port] of dir = {
+	option valids: table[AllAnalyzers::Tag, addr, port] of dir = {
 		# A couple of ports commonly used for benign HTTP servers.
 
 		# For now we want to see everything.
@@ -45,7 +45,7 @@ export {
 	# log files, this also saves memory because for these we don't
 	# need to remember which servers we already have reported, which
 	# for some can be a lot.
-	option suppress_servers: set [Analyzer::Tag] = {
+	option suppress_servers: set [AllAnalyzers::Tag] = {
 		# Analyzer::ANALYZER_HTTP
 	};
 
@@ -61,7 +61,7 @@ export {
 
 	# Entry point for other analyzers to report that they recognized
 	# a certain (sub-)protocol.
-	global found_protocol: function(c: connection, analyzer: Analyzer::Tag,
+	global found_protocol: function(c: connection, analyzer: AllAnalyzers::Tag,
 					protocol: string);
 
 	# Table keeping reported (server, port, analyzer) tuples (and their
@@ -74,7 +74,7 @@ export {
 }
 
 # Table that tracks currently active dynamic analyzers per connection.
-global conns: table[conn_id] of set[Analyzer::Tag];
+global conns: table[conn_id] of set[AllAnalyzers::Tag];
 
 # Table of reports by other analyzers about the protocol used in a connection.
 global protocols: table[conn_id] of set[string];
@@ -84,7 +84,7 @@ type protocol : record {
 	sub: string;	# "sub-protocols" reported by other sources
 };
 
-function get_protocol(c: connection, a: Analyzer::Tag) : protocol
+function get_protocol(c: connection, a: AllAnalyzers::Tag) : protocol
 	{
 	local str = "";
 	if ( c$id in protocols )
@@ -101,7 +101,7 @@ function fmt_protocol(p: protocol) : string
 	return p$sub != "" ? fmt("%s (via %s)", p$sub, p$a) : p$a;
 	}
 
-function do_notice(c: connection, a: Analyzer::Tag, d: dir)
+function do_notice(c: connection, a: AllAnalyzers::Tag, d: dir)
 	{
 	if ( d == BOTH )
 		return;
@@ -198,7 +198,7 @@ hook finalize_protocol_detection(c: connection)
 	report_protocols(c);
 	}
 
-event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count)
+event analyzer_confirmation(c: connection, atype: AllAnalyzers::Tag, aid: count)
 	{
 	# Don't report anything running on a well-known port.
 	if ( c$id$resp_p in Analyzer::registered_ports(atype) )
@@ -219,7 +219,7 @@ event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count)
 		}
 	}
 
-function found_protocol(c: connection, atype: Analyzer::Tag, protocol: string)
+function found_protocol(c: connection, atype: AllAnalyzers::Tag, protocol: string)
 	{
 	# Don't report anything running on a well-known port.
 	if ( c$id$resp_p in Analyzer::registered_ports(atype) )
diff --git a/scripts/policy/frameworks/dpd/packet-segment-logging.zeek b/scripts/policy/frameworks/dpd/packet-segment-logging.zeek
index 7386097551..c624d77bb0 100644
--- a/scripts/policy/frameworks/dpd/packet-segment-logging.zeek
+++ b/scripts/policy/frameworks/dpd/packet-segment-logging.zeek
@@ -11,7 +11,7 @@ module DPD;
 export {
 	redef record Info += {
 		## A chunk of the payload that most likely resulted in the
-		## protocol violation.
+		## analyzer violation.
 		packet_segment: string &optional &log;
 	};
 
@@ -20,7 +20,7 @@ export {
 }
 
 
-event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count,
+event analyzer_violation(c: connection, atype: AllAnalyzers::Tag, aid: count,
                          reason: string) &priority=4
 	{
 	if ( ! c?$dpd ) return;
diff --git a/scripts/policy/protocols/conn/known-services.zeek b/scripts/policy/protocols/conn/known-services.zeek
index 336504fcf6..313c49b940 100644
--- a/scripts/policy/protocols/conn/known-services.zeek
+++ b/scripts/policy/protocols/conn/known-services.zeek
@@ -262,7 +262,7 @@ function known_services_done(c: connection)
 		}
 
 	if ( ! has_active_service(c) )
-		# If we're here during a protocol_confirmation, it's still premature
+		# If we're here during a analyzer_confirmation, it's still premature
 		# to declare there's an actual service, so wait for the connection
 		# removal to check again (to get more timely reporting we'd have
 		# schedule some recurring event to poll for handshake/activity).
@@ -293,7 +293,7 @@ function known_services_done(c: connection)
 		event service_info_commit(info);
 	}
 
-event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=-5
+event analyzer_confirmation(c: connection, atype: AllAnalyzers::Tag, aid: count) &priority=-5
 	{
 	known_services_done(c);
 	}
diff --git a/src/analyzer/Analyzer.cc b/src/analyzer/Analyzer.cc
index 2a98ac0b72..703d378d7d 100644
--- a/src/analyzer/Analyzer.cc
+++ b/src/analyzer/Analyzer.cc
@@ -116,6 +116,7 @@ void Analyzer::CtorInit(const zeek::Tag& arg_tag, Connection* arg_conn)
 	tag = arg_tag;
 	id = ++id_counter;
 	protocol_confirmed = false;
+	analyzer_confirmed = false;
 	timers_canceled = false;
 	skip = false;
 	finished = false;
@@ -226,7 +227,7 @@ void Analyzer::NextPacket(int len, const u_char* data, bool is_orig, uint64_t se
 			}
 		catch ( binpac::Exception const& e )
 			{
-			ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+			AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 			}
 		}
 	}
@@ -249,7 +250,7 @@ void Analyzer::NextStream(int len, const u_char* data, bool is_orig)
 			}
 		catch ( binpac::Exception const& e )
 			{
-			ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+			AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 			}
 		}
 	}
@@ -272,7 +273,7 @@ void Analyzer::NextUndelivered(uint64_t seq, int len, bool is_orig)
 			}
 		catch ( binpac::Exception const& e )
 			{
-			ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+			AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 			}
 		}
 	}
@@ -688,6 +689,10 @@ void Analyzer::ProtocolConfirmation(zeek::Tag arg_tag)
 		return;
 
 	const auto& tval = arg_tag ? arg_tag.AsVal() : tag.AsVal();
+	// Enqueue both of these events. In the base scripts, only the analyzer version is handled.
+	// The protocol remains just for handling scripts that haven't been updated. Once that event
+	// is removed, this method is also removed.
+	event_mgr.Enqueue(analyzer_confirmation, ConnVal(), tval, val_mgr->Count(id));
 	event_mgr.Enqueue(protocol_confirmation, ConnVal(), tval, val_mgr->Count(id));
 	}
 
@@ -709,9 +714,48 @@ void Analyzer::ProtocolViolation(const char* reason, const char* data, int len)
 		r = make_intrusive<StringVal>(reason);
 
 	const auto& tval = tag.AsVal();
+	// Enqueue both of these events. In the base scripts, only the analyzer version is handled.
+	// The protocol remains just for handling scripts that haven't been updated. Once that event
+	// is removed, this method is also removed.
+	event_mgr.Enqueue(analyzer_violation, ConnVal(), tval, val_mgr->Count(id), std::move(r));
 	event_mgr.Enqueue(protocol_violation, ConnVal(), tval, val_mgr->Count(id), std::move(r));
 	}
 
+void Analyzer::AnalyzerConfirmation(zeek::Tag arg_tag)
+	{
+	if ( analyzer_confirmed )
+		return;
+
+	analyzer_confirmed = true;
+
+	if ( ! analyzer_confirmation )
+		return;
+
+	const auto& tval = arg_tag ? arg_tag.AsVal() : tag.AsVal();
+	event_mgr.Enqueue(analyzer_confirmation, ConnVal(), tval, val_mgr->Count(id));
+	}
+
+void Analyzer::AnalyzerViolation(const char* reason, const char* data, int len)
+	{
+	if ( ! analyzer_violation )
+		return;
+
+	StringValPtr r;
+
+	if ( data && len )
+		{
+		const char* tmp = util::copy_string(reason);
+		r = make_intrusive<StringVal>(util::fmt(
+			"%s [%s%s]", tmp, util::fmt_bytes(data, min(40, len)), len > 40 ? "..." : ""));
+		delete[] tmp;
+		}
+	else
+		r = make_intrusive<StringVal>(reason);
+
+	const auto& tval = tag.AsVal();
+	event_mgr.Enqueue(analyzer_violation, ConnVal(), tval, val_mgr->Count(id), std::move(r));
+	}
+
 void Analyzer::AddTimer(analyzer_timer_func timer, double t, bool do_expire,
                         zeek::detail::TimerType type)
 	{
diff --git a/src/analyzer/Analyzer.h b/src/analyzer/Analyzer.h
index 06dee27559..7bdfa0fbed 100644
--- a/src/analyzer/Analyzer.h
+++ b/src/analyzer/Analyzer.h
@@ -533,7 +533,8 @@ public:
 	 * If tag is given, it overrides the analyzer tag passed to the
 	 * scripting layer; the default is the one of the analyzer itself.
 	 */
-	virtual void ProtocolConfirmation(zeek::Tag tag = zeek::Tag());
+	[[deprecated("Remove in v5.1. Use AnalyzerConfirmation.")]] virtual void
+	ProtocolConfirmation(zeek::Tag tag = zeek::Tag());
 
 	/**
 	 * Signals Bro's protocol detection that the analyzer has found a
@@ -550,13 +551,53 @@ public:
 	 *
 	 * @param len If \a data is given, the length of it.
 	 */
-	virtual void ProtocolViolation(const char* reason, const char* data = nullptr, int len = 0);
+	[[deprecated("Remove in v5.1. Use AnalyzerViolation.")]] virtual void
+	ProtocolViolation(const char* reason, const char* data = nullptr, int len = 0);
 
 	/**
 	 * Returns true if ProtocolConfirmation() has been called at least
 	 * once.
 	 */
-	bool ProtocolConfirmed() const { return protocol_confirmed; }
+	[[deprecated("Remove in v5.1. Use AnalyzerConfirmed.")]] bool ProtocolConfirmed() const
+		{
+		return protocol_confirmed;
+		}
+
+	/**
+	 * Signals Zeek's protocol detection that the analyzer has recognized
+	 * the input to indeed conform to the expected protocol. This should
+	 * be called as early as possible during a connection's life-time. It
+	 * may turn into \c analyzer_confirmed event at the script-layer (but
+	 * only once per analyzer for each connection, even if the method is
+	 * called multiple times).
+	 *
+	 * If tag is given, it overrides the analyzer tag passed to the
+	 * scripting layer; the default is the one of the analyzer itself.
+	 */
+	virtual void AnalyzerConfirmation(zeek::Tag tag = zeek::Tag());
+
+	/**
+	 * Signals Bro's protocol detection that the analyzer has found a
+	 * severe protocol violation that could indicate that it's not
+	 * parsing the expected protocol. This turns into \c
+	 * analyzer_violation events at the script-layer (one such event is
+	 * raised for each call to this method so that the script-layer can
+	 * built up a notion of how prevalent protocol violations are; the
+	 * more, the less likely it's the right protocol).
+	 *
+	 * @param reason A textual description of the error encountered.
+	 *
+	 * @param data An optional pointer to the malformed data.
+	 *
+	 * @param len If \a data is given, the length of it.
+	 */
+	virtual void AnalyzerViolation(const char* reason, const char* data = nullptr, int len = 0);
+
+	/**
+	 * Returns true if ProtocolConfirmation() has been called at least
+	 * once.
+	 */
+	bool AnalyzerConfirmed() const { return analyzer_confirmed; }
 
 	/**
 	 * Called whenever the connection value is updated. Per default, this
@@ -729,6 +770,7 @@ private:
 	std::vector<zeek::Tag> prevented;
 
 	bool protocol_confirmed;
+	bool analyzer_confirmed;
 
 	TimerPList timers;
 	bool timers_canceled;
diff --git a/src/analyzer/protocol/ayiya/AYIYA.cc b/src/analyzer/protocol/ayiya/AYIYA.cc
index 844c76ebe0..8ce18318c1 100644
--- a/src/analyzer/protocol/ayiya/AYIYA.cc
+++ b/src/analyzer/protocol/ayiya/AYIYA.cc
@@ -36,7 +36,7 @@ void AYIYA_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint6
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 
 	if ( inner_packet_offset <= 0 )
@@ -52,7 +52,7 @@ void AYIYA_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint6
 
 	if ( result == 0 )
 		{
-		ProtocolConfirmation();
+		AnalyzerConfirmation();
 	std:
 		shared_ptr<EncapsulationStack> e = Conn()->GetEncapsulation();
 		EncapsulatingConn ec(Conn(), BifEnum::Tunnel::AYIYA);
@@ -60,12 +60,12 @@ void AYIYA_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint6
 			run_state::network_time, nullptr, inner, e, ec);
 		}
 	else if ( result == -2 )
-		ProtocolViolation("AYIYA next header internal mismatch",
+		AnalyzerViolation("AYIYA next header internal mismatch",
 		                  reinterpret_cast<const char*>(data), len);
 	else if ( result < 0 )
-		ProtocolViolation("Truncated AYIYA", reinterpret_cast<const char*>(data), len);
+		AnalyzerViolation("Truncated AYIYA", reinterpret_cast<const char*>(data), len);
 	else
-		ProtocolViolation("AYIYA payload length", reinterpret_cast<const char*>(data), len);
+		AnalyzerViolation("AYIYA payload length", reinterpret_cast<const char*>(data), len);
 	}
 
 	} // namespace zeek::analyzer::ayiya
diff --git a/src/analyzer/protocol/ayiya/ayiya-analyzer.pac b/src/analyzer/protocol/ayiya/ayiya-analyzer.pac
index dc68fd8934..85b4ead410 100644
--- a/src/analyzer/protocol/ayiya/ayiya-analyzer.pac
+++ b/src/analyzer/protocol/ayiya/ayiya-analyzer.pac
@@ -39,7 +39,7 @@ flow AYIYA_Flow
 
 		if ( ${pdu.packet}.length() < (int)sizeof(struct ip) )
 			{
-			connection()->zeek_analyzer()->ProtocolViolation(
+			connection()->zeek_analyzer()->AnalyzerViolation(
 			    "Truncated AYIYA", (const char*) ${pdu.packet}.data(),
 			    ${pdu.packet}.length());
 			return false;
@@ -50,7 +50,7 @@ flow AYIYA_Flow
 		if ( ( ${pdu.next_header} == IPPROTO_IPV6 && ip->ip_v != 6 ) ||
 		     ( ${pdu.next_header} == IPPROTO_IPV4 && ip->ip_v != 4) )
 			{
-			connection()->zeek_analyzer()->ProtocolViolation(
+			connection()->zeek_analyzer()->AnalyzerViolation(
 			    "AYIYA next header mismatch", (const char*)${pdu.packet}.data(),
 			     ${pdu.packet}.length());
 			return false;
diff --git a/src/analyzer/protocol/bittorrent/BitTorrent.cc b/src/analyzer/protocol/bittorrent/BitTorrent.cc
index 032eb9019b..74c6ff269f 100644
--- a/src/analyzer/protocol/bittorrent/BitTorrent.cc
+++ b/src/analyzer/protocol/bittorrent/BitTorrent.cc
@@ -65,7 +65,7 @@ void BitTorrent_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 				orig);
 			this_stop = true;
 			if ( stop_orig && stop_resp )
-				ProtocolViolation("BitTorrent: content gap and/or protocol violation");
+				AnalyzerViolation("BitTorrent: content gap and/or protocol violation");
 			}
 		}
 	}
@@ -92,7 +92,7 @@ void BitTorrent_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
 	//	DeliverWeird("Stopping BitTorrent analysis: cannot recover from content gap", orig);
 	//	this_stop = true;
 	//	if ( stop_orig && stop_resp )
-	//		ProtocolViolation("BitTorrent: content gap and/or protocol violation");
+	//		AnalyzerViolation("BitTorrent: content gap and/or protocol violation");
 	//	}
 	// else
 	//	{ // fill the gap
@@ -107,7 +107,7 @@ void BitTorrent_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
 	//		DeliverWeird("Stopping BitTorrent analysis: filling content gap failed", orig);
 	//		this_stop = true;
 	//		if ( stop_orig && stop_resp )
-	//			ProtocolViolation("BitTorrent: content gap and/or protocol violation");
+	//			AnalyzerViolation("BitTorrent: content gap and/or protocol violation");
 	//		}
 	//	}
 	}
diff --git a/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc b/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc
index 1e4d6d9278..e2a7f8297c 100644
--- a/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc
+++ b/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc
@@ -99,7 +99,7 @@ void BitTorrentTracker_Analyzer::ClientRequest(int len, const u_char* data)
 
 	if ( req_buf_len + len > sizeof(req_buf) - 1 )
 		{
-		ProtocolViolation("BitTorrentTracker: request message too long");
+		AnalyzerViolation("BitTorrentTracker: request message too long");
 		stop_orig = true;
 		return;
 		}
@@ -146,7 +146,7 @@ void BitTorrentTracker_Analyzer::ServerReply(int len, const u_char* data)
 
 	if ( res_buf_len + len > sizeof(res_buf) - 1 )
 		{
-		ProtocolViolation("BitTorrentTracker: response message too long");
+		AnalyzerViolation("BitTorrentTracker: response message too long");
 		stop_resp = true;
 		return;
 		}
@@ -201,7 +201,7 @@ void BitTorrentTracker_Analyzer::Undelivered(uint64_t seq, int len, bool orig)
 	{
 	analyzer::tcp::TCP_ApplicationAnalyzer::Undelivered(seq, len, orig);
 
-	ProtocolViolation("BitTorrentTracker: cannot recover from content gap");
+	AnalyzerViolation("BitTorrentTracker: cannot recover from content gap");
 
 	if ( orig )
 		stop_orig = true;
@@ -260,7 +260,7 @@ bool BitTorrentTracker_Analyzer::ParseRequest(char* line)
 			regmatch_t match[1];
 			if ( regexec(&r_get, line, 1, match, 0) )
 				{
-				ProtocolViolation("BitTorrentTracker: invalid HTTP GET");
+				AnalyzerViolation("BitTorrentTracker: invalid HTTP GET");
 				stop_orig = true;
 				return false;
 				}
@@ -270,7 +270,7 @@ bool BitTorrentTracker_Analyzer::ParseRequest(char* line)
 				{
 				if ( match_end[0].rm_so <= match[0].rm_eo )
 					{
-					ProtocolViolation("BitTorrentTracker: invalid HTTP GET");
+					AnalyzerViolation("BitTorrentTracker: invalid HTTP GET");
 					stop_orig = true;
 					return false;
 					}
@@ -297,7 +297,7 @@ bool BitTorrentTracker_Analyzer::ParseRequest(char* line)
 			regmatch_t match[1];
 			if ( regexec(&r_hdr, line, 1, match, 0) )
 				{
-				ProtocolViolation("BitTorrentTracker: invalid HTTP request header");
+				AnalyzerViolation("BitTorrentTracker: invalid HTTP request header");
 				stop_orig = true;
 				return false;
 				}
@@ -331,7 +331,7 @@ void BitTorrentTracker_Analyzer::RequestGet(char* uri)
 
 void BitTorrentTracker_Analyzer::EmitRequest(void)
 	{
-	ProtocolConfirmation();
+	AnalyzerConfirmation();
 
 	if ( bt_tracker_request )
 		EnqueueConnEvent(bt_tracker_request, ConnVal(), IntrusivePtr{AdoptRef{}, req_val_uri},
@@ -369,7 +369,7 @@ bool BitTorrentTracker_Analyzer::ParseResponse(char* line)
 			regmatch_t match[1];
 			if ( regexec(&r_stat, line, 1, match, 0) )
 				{
-				ProtocolViolation("BitTorrentTracker: invalid HTTP status");
+				AnalyzerViolation("BitTorrentTracker: invalid HTTP status");
 				stop_resp = true;
 				return false;
 				}
@@ -402,7 +402,7 @@ bool BitTorrentTracker_Analyzer::ParseResponse(char* line)
 				regmatch_t match[1];
 				if ( regexec(&r_hdr, line, 1, match, 0) )
 					{
-					ProtocolViolation("BitTorrentTracker: invalid HTTP response header");
+					AnalyzerViolation("BitTorrentTracker: invalid HTTP response header");
 					stop_resp = true;
 					return false;
 					}
@@ -505,7 +505,7 @@ int BitTorrentTracker_Analyzer::ResponseParseBenc(void)
 		{                                                                                          \
 		if ( expr )                                                                                \
 			{                                                                                      \
-			ProtocolViolation(msg);                                                                \
+			AnalyzerViolation(msg);                                                                \
 			stop_resp = true;                                                                      \
 			return -1;                                                                             \
 			}                                                                                      \
@@ -772,7 +772,7 @@ int BitTorrentTracker_Analyzer::ResponseParseBenc(void)
 
 void BitTorrentTracker_Analyzer::EmitResponse(void)
 	{
-	ProtocolConfirmation();
+	AnalyzerConfirmation();
 
 	if ( bt_tracker_response )
 		EnqueueConnEvent(bt_tracker_response, ConnVal(), val_mgr->Count(res_status),
diff --git a/src/analyzer/protocol/bittorrent/bittorrent-analyzer.pac b/src/analyzer/protocol/bittorrent/bittorrent-analyzer.pac
index eb856a3ff8..36a6c50117 100644
--- a/src/analyzer/protocol/bittorrent/bittorrent-analyzer.pac
+++ b/src/analyzer/protocol/bittorrent/bittorrent-analyzer.pac
@@ -70,7 +70,7 @@ flow BitTorrent_Flow(is_orig: bool) {
 				to_stringval(peer_id));
 			}
 
-		connection()->zeek_analyzer()->ProtocolConfirmation();
+		connection()->zeek_analyzer()->AnalyzerConfirmation();
 
 		return true;
 		%}
diff --git a/src/analyzer/protocol/dce-rpc/DCE_RPC.cc b/src/analyzer/protocol/dce-rpc/DCE_RPC.cc
index b998c5a34e..36678f67ad 100644
--- a/src/analyzer/protocol/dce-rpc/DCE_RPC.cc
+++ b/src/analyzer/protocol/dce-rpc/DCE_RPC.cc
@@ -63,7 +63,7 @@ void DCE_RPC_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 	}
 
diff --git a/src/analyzer/protocol/dce-rpc/dce_rpc-analyzer.pac b/src/analyzer/protocol/dce-rpc/dce_rpc-analyzer.pac
index ab349037e7..a5db169adc 100644
--- a/src/analyzer/protocol/dce-rpc/dce_rpc-analyzer.pac
+++ b/src/analyzer/protocol/dce-rpc/dce_rpc-analyzer.pac
@@ -29,7 +29,7 @@ refine connection DCE_RPC_Conn += {
 	function proc_dce_rpc_pdu(pdu: DCE_RPC_PDU): bool
 		%{
 		// If a whole pdu message parsed ok, let's confirm the protocol
-		zeek_analyzer()->ProtocolConfirmation();
+		zeek_analyzer()->AnalyzerConfirmation();
 		return true;
 		%}
 
diff --git a/src/analyzer/protocol/dhcp/DHCP.cc b/src/analyzer/protocol/dhcp/DHCP.cc
index eda8fb6bef..bce7f0c39b 100644
--- a/src/analyzer/protocol/dhcp/DHCP.cc
+++ b/src/analyzer/protocol/dhcp/DHCP.cc
@@ -32,7 +32,7 @@ void DHCP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 	}
 
diff --git a/src/analyzer/protocol/dhcp/dhcp-analyzer.pac b/src/analyzer/protocol/dhcp/dhcp-analyzer.pac
index 39db461742..b8275fe3e2 100644
--- a/src/analyzer/protocol/dhcp/dhcp-analyzer.pac
+++ b/src/analyzer/protocol/dhcp/dhcp-analyzer.pac
@@ -44,7 +44,7 @@ refine flow DHCP_Flow += {
 		// the message options.
 		if ( ${msg.cookie} != 0x63825363 )
 			{
-			connection()->zeek_analyzer()->ProtocolViolation(zeek::util::fmt("bad cookie (%d)", ${msg.cookie}));
+			connection()->zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("bad cookie (%d)", ${msg.cookie}));
 			return false;
 			}
 
@@ -105,8 +105,8 @@ refine flow DHCP_Flow += {
 		// because it's not uncommon to see a single DHCP message
 		// on a "connection".
 		// The binpac analyzer would have thrown an error before this point
-		// if there was a problem too (and subsequently called ProtocolViolation).
-		connection()->zeek_analyzer()->ProtocolConfirmation();
+		// if there was a problem too (and subsequently called AnalyzerViolation).
+		connection()->zeek_analyzer()->AnalyzerConfirmation();
 
 		return true;
 		%}
diff --git a/src/analyzer/protocol/dhcp/dhcp-protocol.pac b/src/analyzer/protocol/dhcp/dhcp-protocol.pac
index b26d163c97..11dc278961 100644
--- a/src/analyzer/protocol/dhcp/dhcp-protocol.pac
+++ b/src/analyzer/protocol/dhcp/dhcp-protocol.pac
@@ -67,7 +67,7 @@ refine flow DHCP_Flow += {
 			}
 
 		if ( type == 0 )
-			connection()->zeek_analyzer()->ProtocolViolation("no DHCP message type option");
+			connection()->zeek_analyzer()->AnalyzerViolation("no DHCP message type option");
 
 		return type;
 		%}
diff --git a/src/analyzer/protocol/dnp3/DNP3.cc b/src/analyzer/protocol/dnp3/DNP3.cc
index 734bc64773..73637a2a0b 100644
--- a/src/analyzer/protocol/dnp3/DNP3.cc
+++ b/src/analyzer/protocol/dnp3/DNP3.cc
@@ -168,12 +168,12 @@ bool DNP3_Base::ProcessData(int len, const u_char* data, bool orig)
 			if ( ! CheckCRC(PSEUDO_LINK_LAYER_LEN, endp->buffer,
 			                endp->buffer + PSEUDO_LINK_LAYER_LEN, "header") )
 				{
-				analyzer->ProtocolViolation("broken_checksum");
+				analyzer->AnalyzerViolation("broken_checksum");
 				return false;
 				}
 
 			// If the checksum works out, we're pretty certainly DNP3.
-			analyzer->ProtocolConfirmation();
+			analyzer->AnalyzerConfirmation();
 
 			// DNP3 packets without transport and application
 			// layers can happen, we ignore them.
diff --git a/src/analyzer/protocol/dns/DNS.cc b/src/analyzer/protocol/dns/DNS.cc
index b87a2a8598..4d8d993610 100644
--- a/src/analyzer/protocol/dns/DNS.cc
+++ b/src/analyzer/protocol/dns/DNS.cc
@@ -59,7 +59,7 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query)
 	// This should weed out most of it.
 	if ( zeek::detail::dns_max_queries > 0 && msg.qdcount > zeek::detail::dns_max_queries )
 		{
-		analyzer->ProtocolViolation("DNS_Conn_count_too_large");
+		analyzer->AnalyzerViolation("DNS_Conn_count_too_large");
 		analyzer->Weird("DNS_Conn_count_too_large");
 		EndMessage(&msg);
 		return;
@@ -82,7 +82,7 @@ void DNS_Interpreter::ParseMessage(const u_char* data, int len, int is_query)
 		return;
 		}
 
-	analyzer->ProtocolConfirmation();
+	analyzer->AnalyzerConfirmation();
 
 	int skip_auth = zeek::detail::dns_skip_all_auth;
 	int skip_addl = zeek::detail::dns_skip_all_addl;
diff --git a/src/analyzer/protocol/ftp/FTP.cc b/src/analyzer/protocol/ftp/FTP.cc
index 6067438431..c8b3e6f2d7 100644
--- a/src/analyzer/protocol/ftp/FTP.cc
+++ b/src/analyzer/protocol/ftp/FTP.cc
@@ -103,7 +103,7 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
 		};
 
 		f = ftp_request;
-		ProtocolConfirmation();
+		AnalyzerConfirmation();
 
 		if ( strncmp((const char*)cmd_str->Bytes(), "AUTH", cmd_len) == 0 )
 			auth_requested = std::string(line, end_of_line - line);
@@ -146,7 +146,7 @@ void FTP_Analyzer::DeliverStream(int length, const u_char* data, bool orig)
 				if ( reply_code > 0 )
 					line += 3;
 				else
-					ProtocolViolation("non-numeric reply code", (const char*)data, length);
+					AnalyzerViolation("non-numeric reply code", (const char*)data, length);
 
 				if ( line < end_of_line )
 					line = util::skip_whitespace(line, end_of_line);
diff --git a/src/analyzer/protocol/geneve/Geneve.cc b/src/analyzer/protocol/geneve/Geneve.cc
index 92c3570e82..edd78af21c 100644
--- a/src/analyzer/protocol/geneve/Geneve.cc
+++ b/src/analyzer/protocol/geneve/Geneve.cc
@@ -29,7 +29,7 @@ void Geneve_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint
 
 	if ( len < tunnel_header_len )
 		{
-		ProtocolViolation("Geneve header truncation", reinterpret_cast<const char*>(data), len);
+		AnalyzerViolation("Geneve header truncation", reinterpret_cast<const char*>(data), len);
 		return;
 		}
 
@@ -53,7 +53,7 @@ void Geneve_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint
 
 	if ( len < tunnel_header_len + tunnel_opt_len )
 		{
-		ProtocolViolation("Geneve option header truncation", reinterpret_cast<const char*>(data),
+		AnalyzerViolation("Geneve option header truncation", reinterpret_cast<const char*>(data),
 		                  len);
 		return;
 		}
@@ -72,7 +72,7 @@ void Geneve_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint
 
 	if ( ! packet_mgr->ProcessInnerPacket(&pkt) )
 		{
-		ProtocolViolation("Geneve invalid inner packet");
+		AnalyzerViolation("Geneve invalid inner packet");
 		return;
 		}
 
@@ -81,7 +81,7 @@ void Geneve_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint
 	if ( ! pkt.ip_hdr )
 		return;
 
-	ProtocolConfirmation();
+	AnalyzerConfirmation();
 
 	if ( geneve_packet )
 		{
diff --git a/src/analyzer/protocol/gssapi/GSSAPI.cc b/src/analyzer/protocol/gssapi/GSSAPI.cc
index ef6ebf535e..6730e6bafd 100644
--- a/src/analyzer/protocol/gssapi/GSSAPI.cc
+++ b/src/analyzer/protocol/gssapi/GSSAPI.cc
@@ -43,11 +43,11 @@ void GSSAPI_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 	try
 		{
 		interp->NewData(orig, data, data + len);
-		ProtocolConfirmation();
+		AnalyzerConfirmation();
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 	}
 
diff --git a/src/analyzer/protocol/gtpv1/GTPv1.cc b/src/analyzer/protocol/gtpv1/GTPv1.cc
index 89a14fea32..64c66f6f1e 100644
--- a/src/analyzer/protocol/gtpv1/GTPv1.cc
+++ b/src/analyzer/protocol/gtpv1/GTPv1.cc
@@ -35,7 +35,7 @@ void GTPv1_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint6
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 
 	if ( inner_packet_offset <= 0 )
@@ -57,7 +57,7 @@ void GTPv1_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint6
 
 		if ( (! BifConst::Tunnel::delay_gtp_confirmation) ||
 		     (interp->valid(true) && interp->valid(false)) )
-			ProtocolConfirmation();
+			AnalyzerConfirmation();
 
 		if ( gtp_hdr_val )
 			BifEvent::enqueue_gtpv1_g_pdu_packet(this, Conn(), std::move(gtp_hdr_val),
@@ -69,12 +69,12 @@ void GTPv1_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint6
 			run_state::network_time, nullptr, inner, e, ec);
 		}
 	else if ( result == -2 )
-		ProtocolViolation("Invalid IP version in wrapped packet",
+		AnalyzerViolation("Invalid IP version in wrapped packet",
 		                  reinterpret_cast<const char*>(odata), olen);
 	else if ( result < 0 )
-		ProtocolViolation("Truncated GTPv1", reinterpret_cast<const char*>(odata), olen);
+		AnalyzerViolation("Truncated GTPv1", reinterpret_cast<const char*>(odata), olen);
 	else
-		ProtocolViolation("GTPv1 payload length", reinterpret_cast<const char*>(odata), olen);
+		AnalyzerViolation("GTPv1 payload length", reinterpret_cast<const char*>(odata), olen);
 	}
 
 	} // namespace zeek::analyzer::gtpv1
diff --git a/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac b/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac
index 62f802d7f8..fc91c3dd00 100644
--- a/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac
+++ b/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac
@@ -640,7 +640,7 @@ flow GTPv1_Flow(is_orig: bool)
 		%{
 		ZeekAnalyzer a = connection()->zeek_analyzer();
 		const_bytestring b = ${pdu.sourcedata};
-		a->ProtocolViolation(r.c_str(), (const char*) b.begin(), b.length());
+		a->AnalyzerViolation(r.c_str(), (const char*) b.begin(), b.length());
 		%}
 
 	function process_gtpv1(pdu: GTPv1_Header): bool
diff --git a/src/analyzer/protocol/http/HTTP.cc b/src/analyzer/protocol/http/HTTP.cc
index e8c7b35a07..3d3b185853 100644
--- a/src/analyzer/protocol/http/HTTP.cc
+++ b/src/analyzer/protocol/http/HTTP.cc
@@ -964,7 +964,7 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
 							Weird("empty_http_request");
 						else
 							{
-							ProtocolViolation("not a http request line");
+							AnalyzerViolation("not a http request line");
 							request_state = EXPECT_REQUEST_NOTHING;
 							}
 						}
@@ -993,7 +993,7 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
 					++num_replies;
 
 					if ( ! unanswered_requests.empty() )
-						ProtocolConfirmation();
+						AnalyzerConfirmation();
 
 					reply_state = EXPECT_REPLY_MESSAGE;
 					reply_ongoing = 1;
@@ -1011,7 +1011,7 @@ void HTTP_Analyzer::DeliverStream(int len, const u_char* data, bool is_orig)
 					{
 					if ( line != end_of_line )
 						{
-						ProtocolViolation("not a http reply line");
+						AnalyzerViolation("not a http reply line");
 						reply_state = EXPECT_REPLY_NOTHING;
 						}
 					}
@@ -1360,7 +1360,7 @@ StringValPtr HTTP_Analyzer::TruncateURI(const StringValPtr& uri)
 
 void HTTP_Analyzer::HTTP_Request()
 	{
-	ProtocolConfirmation();
+	AnalyzerConfirmation();
 
 	const char* method = (const char*)request_method->AsString()->Bytes();
 	int method_len = request_method->AsString()->Len();
diff --git a/src/analyzer/protocol/imap/IMAP.cc b/src/analyzer/protocol/imap/IMAP.cc
index 1ded7554d0..3d074de875 100644
--- a/src/analyzer/protocol/imap/IMAP.cc
+++ b/src/analyzer/protocol/imap/IMAP.cc
@@ -63,7 +63,7 @@ void IMAP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 	}
 
diff --git a/src/analyzer/protocol/imap/imap-analyzer.pac b/src/analyzer/protocol/imap/imap-analyzer.pac
index f4efdbbdaa..3e6c973022 100644
--- a/src/analyzer/protocol/imap/imap-analyzer.pac
+++ b/src/analyzer/protocol/imap/imap-analyzer.pac
@@ -17,14 +17,14 @@ refine connection IMAP_Conn += {
 		//printf("imap %s %s\n", commands.c_str(), tags.c_str());
 
 		if ( !is_orig && tags == "*" && commands == "ok" )
-			zeek_analyzer()->ProtocolConfirmation();
+			zeek_analyzer()->AnalyzerConfirmation();
 
 		if ( is_orig && ( command == "capability" || commands == "starttls" ) )
-			zeek_analyzer()->ProtocolConfirmation();
+			zeek_analyzer()->AnalyzerConfirmation();
 
 		if ( command == "authenticate" || command == "login" || command == "examine" || command == "create" || command == "list" || command == "fetch" )
 			{
-			zeek_analyzer()->ProtocolConfirmation();
+			zeek_analyzer()->AnalyzerConfirmation();
 			// Handshake has passed the phase where we should see StartTLS. Simply skip from hereon...
 			zeek_analyzer()->SetSkip(true);
 			return true;
diff --git a/src/analyzer/protocol/irc/IRC.cc b/src/analyzer/protocol/irc/IRC.cc
index fbade0eaf0..1d566f113e 100644
--- a/src/analyzer/protocol/irc/IRC.cc
+++ b/src/analyzer/protocol/irc/IRC.cc
@@ -89,7 +89,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		}
 
 	if ( orig )
-		ProtocolConfirmation();
+		AnalyzerConfirmation();
 
 	int code = 0;
 	string command = "";
@@ -99,7 +99,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 	if ( myline.length() < 3 )
 		{
 		Weird("irc_invalid_line");
-		ProtocolViolation("line too short");
+		AnalyzerViolation("line too short");
 		return;
 		}
 
@@ -114,7 +114,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		else
 			{
 			Weird("irc_invalid_reply_number");
-			ProtocolViolation("invalid reply number");
+			AnalyzerViolation("invalid reply number");
 			return;
 			}
 		}
@@ -561,7 +561,7 @@ void IRC_Analyzer::DeliverStream(int length, const u_char* line, bool orig)
 		if ( ++invalid_msg_count > invalid_msg_max_count )
 			{
 			Weird("irc_too_many_invalid");
-			ProtocolViolation("too many long lines");
+			AnalyzerViolation("too many long lines");
 			return;
 			}
 		return;
diff --git a/src/analyzer/protocol/krb/KRB.cc b/src/analyzer/protocol/krb/KRB.cc
index 0c3fb3667b..fcfb248ac9 100644
--- a/src/analyzer/protocol/krb/KRB.cc
+++ b/src/analyzer/protocol/krb/KRB.cc
@@ -83,7 +83,7 @@ void KRB_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 	}
 
diff --git a/src/analyzer/protocol/krb/KRB_TCP.cc b/src/analyzer/protocol/krb/KRB_TCP.cc
index f7b35f294d..8dd5124eef 100644
--- a/src/analyzer/protocol/krb/KRB_TCP.cc
+++ b/src/analyzer/protocol/krb/KRB_TCP.cc
@@ -55,7 +55,7 @@ void KRB_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 	}
 
diff --git a/src/analyzer/protocol/krb/krb-analyzer.pac b/src/analyzer/protocol/krb/krb-analyzer.pac
index d5d0e0bd31..91b55c255c 100644
--- a/src/analyzer/protocol/krb/krb-analyzer.pac
+++ b/src/analyzer/protocol/krb/krb-analyzer.pac
@@ -171,7 +171,7 @@ refine connection KRB_Conn += {
 
 	function proc_krb_kdc_req_msg(msg: KRB_KDC_REQ): bool
 		%{
-		zeek_analyzer()->ProtocolConfirmation();
+		zeek_analyzer()->AnalyzerConfirmation();
 		auto msg_type = binary_to_int64(${msg.msg_type.data.content});
 
 		if ( msg_type == 10 )
@@ -199,7 +199,7 @@ refine connection KRB_Conn += {
 
 	function proc_krb_kdc_rep_msg(msg: KRB_KDC_REP): bool
 		%{
-		zeek_analyzer()->ProtocolConfirmation();
+		zeek_analyzer()->AnalyzerConfirmation();
 		auto msg_type = binary_to_int64(${msg.msg_type.data.content});
 		auto make_arg = [this, msg]() -> zeek::RecordValPtr
 			{
@@ -241,7 +241,7 @@ refine connection KRB_Conn += {
 
 	function proc_krb_error_msg(msg: KRB_ERROR_MSG): bool
 		%{
-		zeek_analyzer()->ProtocolConfirmation();
+		zeek_analyzer()->AnalyzerConfirmation();
 		if ( krb_error )
 			{
 			auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::Error_Msg);
@@ -255,7 +255,7 @@ refine connection KRB_Conn += {
 
 	function proc_krb_ap_req_msg(msg: KRB_AP_REQ): bool
 		%{
-		zeek_analyzer()->ProtocolConfirmation();
+		zeek_analyzer()->AnalyzerConfirmation();
 		if ( krb_ap_request )
 			{
 			auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::AP_Options);
@@ -279,7 +279,7 @@ refine connection KRB_Conn += {
 
 	function proc_krb_ap_rep_msg(msg: KRB_AP_REP): bool
 		%{
-		zeek_analyzer()->ProtocolConfirmation();
+		zeek_analyzer()->AnalyzerConfirmation();
 		if ( krb_ap_response )
 			{
 			zeek::BifEvent::enqueue_krb_ap_response(zeek_analyzer(), zeek_analyzer()->Conn());
@@ -289,7 +289,7 @@ refine connection KRB_Conn += {
 
 	function proc_krb_safe_msg(msg: KRB_SAFE_MSG): bool
 		%{
-		zeek_analyzer()->ProtocolConfirmation();
+		zeek_analyzer()->AnalyzerConfirmation();
 		if ( krb_safe )
 			{
 			auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::KRB::SAFE_Msg);
@@ -347,7 +347,7 @@ refine connection KRB_Conn += {
 
 	function proc_krb_priv_msg(msg: KRB_PRIV_MSG): bool
 		%{
-		zeek_analyzer()->ProtocolConfirmation();
+		zeek_analyzer()->AnalyzerConfirmation();
 		if ( krb_priv )
 			{
 			zeek::BifEvent::enqueue_krb_priv(zeek_analyzer(), zeek_analyzer()->Conn(), ${msg.is_orig});
@@ -357,7 +357,7 @@ refine connection KRB_Conn += {
 
 	function proc_krb_cred_msg(msg: KRB_CRED_MSG): bool
 		%{
-		zeek_analyzer()->ProtocolConfirmation();
+		zeek_analyzer()->AnalyzerConfirmation();
 		if ( krb_cred )
 			{
 			zeek::BifEvent::enqueue_krb_cred(zeek_analyzer(), zeek_analyzer()->Conn(), ${msg.is_orig},
diff --git a/src/analyzer/protocol/modbus/modbus-analyzer.pac b/src/analyzer/protocol/modbus/modbus-analyzer.pac
index ccadd55a63..80f7ab3977 100644
--- a/src/analyzer/protocol/modbus/modbus-analyzer.pac
+++ b/src/analyzer/protocol/modbus/modbus-analyzer.pac
@@ -106,7 +106,7 @@ refine flow ModbusTCP_Flow += {
 		if ( ! connection()->IsConfirmed() )
 			{
 			connection()->SetConfirmed();
-			connection()->zeek_analyzer()->ProtocolConfirmation();
+			connection()->zeek_analyzer()->AnalyzerConfirmation();
 			}
 
 		return true;
@@ -202,7 +202,7 @@ refine flow ModbusTCP_Flow += {
 		%{
 		if ( ${message.byte_count} % 2 != 0 )
 			{
-			connection()->zeek_analyzer()->ProtocolViolation(
+			connection()->zeek_analyzer()->AnalyzerViolation(
 			    zeek::util::fmt("invalid value for modbus read holding register response byte count %d", ${message.byte_count}));
 			return false;
 			}
@@ -246,7 +246,7 @@ refine flow ModbusTCP_Flow += {
 		%{
 		if ( ${message.byte_count} % 2 != 0 )
 			{
-			connection()->zeek_analyzer()->ProtocolViolation(
+			connection()->zeek_analyzer()->AnalyzerViolation(
 			    zeek::util::fmt("invalid value for modbus read input register response byte count %d", ${message.byte_count}));
 			return false;
 			}
@@ -283,7 +283,7 @@ refine flow ModbusTCP_Flow += {
 				val = 1;
 			else
 				{
-				connection()->zeek_analyzer()->ProtocolViolation(zeek::util::fmt("invalid value for modbus write single coil request %d",
+				connection()->zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("invalid value for modbus write single coil request %d",
 				                                                    ${message.value}));
 				return false;
 				}
@@ -310,7 +310,7 @@ refine flow ModbusTCP_Flow += {
 				val = 1;
 			else
 				{
-				connection()->zeek_analyzer()->ProtocolViolation(zeek::util::fmt("invalid value for modbus write single coil response %d",
+				connection()->zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("invalid value for modbus write single coil response %d",
 				                                                    ${message.value}));
 				return false;
 				}
@@ -390,7 +390,7 @@ refine flow ModbusTCP_Flow += {
 		%{
 		if ( ${message.byte_count} % 2 != 0 )
 			{
-			connection()->zeek_analyzer()->ProtocolViolation(
+			connection()->zeek_analyzer()->AnalyzerViolation(
 			    zeek::util::fmt("invalid value for modbus write multiple registers request byte count %d", ${message.byte_count}));
 			return false;
 			}
@@ -575,7 +575,7 @@ refine flow ModbusTCP_Flow += {
 		%{
 		if ( ${message.write_byte_count} % 2 != 0 )
 			{
-			connection()->zeek_analyzer()->ProtocolViolation(
+			connection()->zeek_analyzer()->AnalyzerViolation(
 			    zeek::util::fmt("invalid value for modbus read write multiple registers request write byte count %d", ${message.write_byte_count}));
 			return false;
 			}
@@ -607,7 +607,7 @@ refine flow ModbusTCP_Flow += {
 		%{
 		if ( ${message.byte_count} % 2 != 0 )
 			{
-			connection()->zeek_analyzer()->ProtocolViolation(
+			connection()->zeek_analyzer()->AnalyzerViolation(
 			    zeek::util::fmt("invalid value for modbus read write multiple registers response byte count %d", ${message.byte_count}));
 			return false;
 			}
@@ -651,7 +651,7 @@ refine flow ModbusTCP_Flow += {
 		%{
 		if ( ${message.byte_count} % 2 != 0 )
 			{
-			connection()->zeek_analyzer()->ProtocolViolation(
+			connection()->zeek_analyzer()->AnalyzerViolation(
 			    zeek::util::fmt("invalid value for modbus read FIFO queue response byte count %d", ${message.byte_count}));
 			return false;
 			}
diff --git a/src/analyzer/protocol/mqtt/MQTT.cc b/src/analyzer/protocol/mqtt/MQTT.cc
index 114da12c00..cf55b04e34 100644
--- a/src/analyzer/protocol/mqtt/MQTT.cc
+++ b/src/analyzer/protocol/mqtt/MQTT.cc
@@ -45,7 +45,7 @@ void MQTT_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 	}
 
diff --git a/src/analyzer/protocol/mqtt/commands/connect.pac b/src/analyzer/protocol/mqtt/commands/connect.pac
index 07da3ea01c..84ec4fb2e9 100644
--- a/src/analyzer/protocol/mqtt/commands/connect.pac
+++ b/src/analyzer/protocol/mqtt/commands/connect.pac
@@ -81,7 +81,7 @@ refine flow MQTT_Flow += {
 			}
 
 		// If a connect message was seen, let's say that confirms it.
-		connection()->zeek_analyzer()->ProtocolConfirmation();
+		connection()->zeek_analyzer()->AnalyzerConfirmation();
 		return true;
 		%}
 };
diff --git a/src/analyzer/protocol/mqtt/commands/publish.pac b/src/analyzer/protocol/mqtt/commands/publish.pac
index 708327acdb..ad53de484f 100644
--- a/src/analyzer/protocol/mqtt/commands/publish.pac
+++ b/src/analyzer/protocol/mqtt/commands/publish.pac
@@ -50,7 +50,7 @@ refine flow MQTT_Flow += {
 			}
 
 		// If a publish message was seen, let's say that confirms it.
-		connection()->zeek_analyzer()->ProtocolConfirmation();
+		connection()->zeek_analyzer()->AnalyzerConfirmation();
 
 		return true;
 		%}
diff --git a/src/analyzer/protocol/mqtt/mqtt-protocol.pac b/src/analyzer/protocol/mqtt/mqtt-protocol.pac
index 814c477d72..dd2582ff9b 100644
--- a/src/analyzer/protocol/mqtt/mqtt-protocol.pac
+++ b/src/analyzer/protocol/mqtt/mqtt-protocol.pac
@@ -46,7 +46,7 @@ refine connection MQTT_Conn += {
 
 		if ( vals->size() > 4 )
 			{
-			this->zeek_analyzer()->ProtocolViolation("malformed MQTT 'remaining length': too many bytes");
+			this->zeek_analyzer()->AnalyzerViolation("malformed MQTT 'remaining length': too many bytes");
 			return 0;
 			}
 
@@ -57,7 +57,7 @@ refine connection MQTT_Conn += {
 			if ( multiplier > 128*128*128 )
 				{
 				// This is definitely a protocol violation
-				this->zeek_analyzer()->ProtocolViolation("malformed MQTT 'remaining length': too large");
+				this->zeek_analyzer()->AnalyzerViolation("malformed MQTT 'remaining length': too large");
 				return 0;
 				}
 			}
diff --git a/src/analyzer/protocol/mysql/MySQL.cc b/src/analyzer/protocol/mysql/MySQL.cc
index 7f6b88a51b..1d4c54a2a2 100644
--- a/src/analyzer/protocol/mysql/MySQL.cc
+++ b/src/analyzer/protocol/mysql/MySQL.cc
@@ -54,7 +54,7 @@ void MySQL_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 	}
 
diff --git a/src/analyzer/protocol/mysql/mysql-analyzer.pac b/src/analyzer/protocol/mysql/mysql-analyzer.pac
index 8903c3eaa9..2e82bbc63c 100644
--- a/src/analyzer/protocol/mysql/mysql-analyzer.pac
+++ b/src/analyzer/protocol/mysql/mysql-analyzer.pac
@@ -20,7 +20,7 @@ refine flow MySQL_Flow += {
 	function proc_mysql_handshake_response_packet(msg: Handshake_Response_Packet): bool
 		%{
 		if ( ${msg.version} == 9 || ${msg.version == 10} )
-			connection()->zeek_analyzer()->ProtocolConfirmation();
+			connection()->zeek_analyzer()->AnalyzerConfirmation();
 
 		if ( mysql_handshake )
 			{
diff --git a/src/analyzer/protocol/ncp/NCP.cc b/src/analyzer/protocol/ncp/NCP.cc
index 89b961883d..8d275168bc 100644
--- a/src/analyzer/protocol/ncp/NCP.cc
+++ b/src/analyzer/protocol/ncp/NCP.cc
@@ -40,7 +40,7 @@ void NCP_Session::Deliver(bool is_orig, int len, const u_char* data)
 		}
 	catch ( const binpac::Exception& e )
 		{
-		analyzer->ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		analyzer->AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 	}
 
diff --git a/src/analyzer/protocol/ntlm/NTLM.cc b/src/analyzer/protocol/ntlm/NTLM.cc
index 3118a5fe50..8f623c1230 100644
--- a/src/analyzer/protocol/ntlm/NTLM.cc
+++ b/src/analyzer/protocol/ntlm/NTLM.cc
@@ -42,11 +42,11 @@ void NTLM_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 	try
 		{
 		interp->NewData(orig, data, data + len);
-		ProtocolConfirmation();
+		AnalyzerConfirmation();
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 	}
 
diff --git a/src/analyzer/protocol/ntlm/ntlm-analyzer.pac b/src/analyzer/protocol/ntlm/ntlm-analyzer.pac
index d5d5a5ed9f..3ea5d8a9bb 100644
--- a/src/analyzer/protocol/ntlm/ntlm-analyzer.pac
+++ b/src/analyzer/protocol/ntlm/ntlm-analyzer.pac
@@ -71,7 +71,7 @@ refine connection NTLM_Conn += {
 					// According to spec, the TargetInfo MUST be a sequence of
 					// AV_PAIRs and terminated by the null AV_PAIR when the
 					// TargetInfoLen is non-zero, so this is in violation.
-					zeek_analyzer()->ProtocolViolation("NTLM AV Pair loop underflow");
+					zeek_analyzer()->AnalyzerViolation("NTLM AV Pair loop underflow");
 
 				return result;
 				}
diff --git a/src/analyzer/protocol/ntp/NTP.cc b/src/analyzer/protocol/ntp/NTP.cc
index d7f030e260..45c297a4da 100644
--- a/src/analyzer/protocol/ntp/NTP.cc
+++ b/src/analyzer/protocol/ntp/NTP.cc
@@ -33,7 +33,7 @@ void NTP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 	}
 
diff --git a/src/analyzer/protocol/ntp/ntp-analyzer.pac b/src/analyzer/protocol/ntp/ntp-analyzer.pac
index 705be24083..f2d4b6fe2f 100644
--- a/src/analyzer/protocol/ntp/ntp-analyzer.pac
+++ b/src/analyzer/protocol/ntp/ntp-analyzer.pac
@@ -133,7 +133,7 @@ refine flow NTP_Flow += {
 
 	function proc_ntp_message(msg: NTP_PDU): bool
 		%{
-		connection()->zeek_analyzer()->ProtocolConfirmation();
+		connection()->zeek_analyzer()->AnalyzerConfirmation();
 
 		if ( ! ntp_message )
 			return false;
diff --git a/src/analyzer/protocol/pop3/POP3.cc b/src/analyzer/protocol/pop3/POP3.cc
index 3d13701933..6bf3f64fb3 100644
--- a/src/analyzer/protocol/pop3/POP3.cc
+++ b/src/analyzer/protocol/pop3/POP3.cc
@@ -625,7 +625,7 @@ void POP3_Analyzer::ProcessReply(int length, const char* line)
 		{
 		if ( ! waitingForAuthentication )
 			{
-			ProtocolViolation(util::fmt("unknown server command (%s)",
+			AnalyzerViolation(util::fmt("unknown server command (%s)",
 			                            (tokens.size() > 0 ? tokens[0].c_str() : "???")),
 			                  line, length);
 
@@ -664,7 +664,7 @@ void POP3_Analyzer::ProcessReply(int length, const char* line)
 				case detail::USER:
 					state = detail::USER;
 					masterState = detail::POP3_AUTHORIZATION;
-					ProtocolConfirmation();
+					AnalyzerConfirmation();
 					break;
 
 				case detail::PASS:
@@ -706,7 +706,7 @@ void POP3_Analyzer::ProcessReply(int length, const char* line)
 					}
 
 				case detail::CAPA:
-					ProtocolConfirmation();
+					AnalyzerConfirmation();
 					// Fall-through.
 
 				case detail::UIDL:
@@ -716,7 +716,7 @@ void POP3_Analyzer::ProcessReply(int length, const char* line)
 					break;
 
 				case detail::STLS:
-					ProtocolConfirmation();
+					AnalyzerConfirmation();
 					tls = true;
 					StartTLS();
 					return;
diff --git a/src/analyzer/protocol/radius/RADIUS.cc b/src/analyzer/protocol/radius/RADIUS.cc
index d172fccd44..c410118a4c 100644
--- a/src/analyzer/protocol/radius/RADIUS.cc
+++ b/src/analyzer/protocol/radius/RADIUS.cc
@@ -32,7 +32,7 @@ void RADIUS_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 	}
 
diff --git a/src/analyzer/protocol/radius/radius-analyzer.pac b/src/analyzer/protocol/radius/radius-analyzer.pac
index 59dc4a64ff..a998aafc71 100644
--- a/src/analyzer/protocol/radius/radius-analyzer.pac
+++ b/src/analyzer/protocol/radius/radius-analyzer.pac
@@ -2,7 +2,7 @@
 refine flow RADIUS_Flow += {
 	function proc_radius_message(msg: RADIUS_PDU): bool
 		%{
-		connection()->zeek_analyzer()->ProtocolConfirmation();
+		connection()->zeek_analyzer()->AnalyzerConfirmation();
 
 		if ( ! radius_message )
 			return false;
diff --git a/src/analyzer/protocol/rdp/RDP.cc b/src/analyzer/protocol/rdp/RDP.cc
index 45a283b87a..e1531e04ba 100644
--- a/src/analyzer/protocol/rdp/RDP.cc
+++ b/src/analyzer/protocol/rdp/RDP.cc
@@ -87,7 +87,7 @@ void RDP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 			}
 		catch ( const binpac::Exception& e )
 			{
-			ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+			AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 			}
 		}
 	}
diff --git a/src/analyzer/protocol/rdp/RDPEUDP.cc b/src/analyzer/protocol/rdp/RDPEUDP.cc
index 255c124dbd..a612f77793 100644
--- a/src/analyzer/protocol/rdp/RDPEUDP.cc
+++ b/src/analyzer/protocol/rdp/RDPEUDP.cc
@@ -33,7 +33,7 @@ void RDP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 	}
 
diff --git a/src/analyzer/protocol/rdp/rdp-analyzer.pac b/src/analyzer/protocol/rdp/rdp-analyzer.pac
index c540d44d0c..59f33a625b 100644
--- a/src/analyzer/protocol/rdp/rdp-analyzer.pac
+++ b/src/analyzer/protocol/rdp/rdp-analyzer.pac
@@ -48,7 +48,7 @@ refine flow RDP_Flow += {
 
 	function proc_rdp_gcc_server_create_response(gcc_response: GCC_Server_Create_Response): bool
 		%{
-		connection()->zeek_analyzer()->ProtocolConfirmation();
+		connection()->zeek_analyzer()->AnalyzerConfirmation();
 
 		if ( rdp_gcc_server_create_response )
 			zeek::BifEvent::enqueue_rdp_gcc_server_create_response(connection()->zeek_analyzer(),
@@ -61,7 +61,7 @@ refine flow RDP_Flow += {
 
 	function proc_rdp_client_core_data(ccore: Client_Core_Data): bool
 		%{
-		connection()->zeek_analyzer()->ProtocolConfirmation();
+		connection()->zeek_analyzer()->AnalyzerConfirmation();
 
 		if ( rdp_client_core_data )
 			{
@@ -181,7 +181,7 @@ refine flow RDP_Flow += {
 
 	function proc_rdp_server_security(ssd: Server_Security_Data): bool
 		%{
-		connection()->zeek_analyzer()->ProtocolConfirmation();
+		connection()->zeek_analyzer()->AnalyzerConfirmation();
 
 		if ( rdp_server_security )
 			zeek::BifEvent::enqueue_rdp_server_security(connection()->zeek_analyzer(),
diff --git a/src/analyzer/protocol/rdp/rdpeudp-analyzer.pac b/src/analyzer/protocol/rdp/rdpeudp-analyzer.pac
index a150361bba..541653e17f 100644
--- a/src/analyzer/protocol/rdp/rdpeudp-analyzer.pac
+++ b/src/analyzer/protocol/rdp/rdpeudp-analyzer.pac
@@ -62,7 +62,7 @@ refine connection RDPEUDP_Conn += {
 		if ( rdpeudp_synack )
 			zeek::BifEvent::enqueue_rdpeudp_synack(zeek_analyzer(), zeek_analyzer()->Conn());
 
-		zeek_analyzer()->ProtocolConfirmation();
+		zeek_analyzer()->AnalyzerConfirmation();
 		state_ = NEED_ACK;
 		resp_synex_flags_ = uUdpVer;
 
diff --git a/src/analyzer/protocol/rfb/RFB.cc b/src/analyzer/protocol/rfb/RFB.cc
index 53937511b5..af52b7f4d8 100644
--- a/src/analyzer/protocol/rfb/RFB.cc
+++ b/src/analyzer/protocol/rfb/RFB.cc
@@ -60,7 +60,7 @@ void RFB_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		invalid = true;
 		}
 	}
diff --git a/src/analyzer/protocol/rfb/rfb-analyzer.pac b/src/analyzer/protocol/rfb/rfb-analyzer.pac
index 513958af54..a9bf3ce352 100644
--- a/src/analyzer/protocol/rfb/rfb-analyzer.pac
+++ b/src/analyzer/protocol/rfb/rfb-analyzer.pac
@@ -9,7 +9,7 @@ refine flow RFB_Flow += {
 				                                     to_stringval(major),
 				                                     to_stringval(minor));
 
-			connection()->zeek_analyzer()->ProtocolConfirmation();
+			connection()->zeek_analyzer()->AnalyzerConfirmation();
 			}
 		else
 			{
@@ -181,7 +181,7 @@ refine connection RFB_Conn += {
 		else
 			{
 			// Shouldn't be a possible.
-			zeek_analyzer()->ProtocolViolation(zeek::util::fmt("invalid RFB security type %u", msg->sectype()));
+			zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("invalid RFB security type %u", msg->sectype()));
 			}
 
 		return true;
@@ -235,7 +235,7 @@ refine connection RFB_Conn += {
 			}
 		else
 			{
-			zeek_analyzer()->ProtocolViolation(zeek::util::fmt("unknown RFB auth selection: %u", ${msg.type}));
+			zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("unknown RFB auth selection: %u", ${msg.type}));
 			}
 
 		return true;
@@ -277,7 +277,7 @@ refine connection RFB_Conn += {
 			// Failed
 			server_state = SERVER_AUTH_FAILURE;
 		else
-			zeek_analyzer()->ProtocolViolation(zeek::util::fmt("invalid RFB auth result: %u", ${msg.result}));
+			zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("invalid RFB auth result: %u", ${msg.result}));
 
 		return true;
 		%}
diff --git a/src/analyzer/protocol/sip/SIP.cc b/src/analyzer/protocol/sip/SIP.cc
index 7fff71a941..9b414088f2 100644
--- a/src/analyzer/protocol/sip/SIP.cc
+++ b/src/analyzer/protocol/sip/SIP.cc
@@ -39,7 +39,7 @@ void SIP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 	}
 
diff --git a/src/analyzer/protocol/sip/SIP_TCP.cc b/src/analyzer/protocol/sip/SIP_TCP.cc
index 7353796f66..d02e0f2252 100644
--- a/src/analyzer/protocol/sip/SIP_TCP.cc
+++ b/src/analyzer/protocol/sip/SIP_TCP.cc
@@ -57,7 +57,7 @@ void SIP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 	}
 
diff --git a/src/analyzer/protocol/sip/sip-analyzer.pac b/src/analyzer/protocol/sip/sip-analyzer.pac
index 11b56e6f52..4875838f78 100644
--- a/src/analyzer/protocol/sip/sip-analyzer.pac
+++ b/src/analyzer/protocol/sip/sip-analyzer.pac
@@ -44,7 +44,7 @@ refine flow SIP_Flow += {
 
 	function proc_sip_reply(vers: SIP_Version, code: int, reason: bytestring): bool
 		%{
-		connection()->zeek_analyzer()->ProtocolConfirmation();
+		connection()->zeek_analyzer()->AnalyzerConfirmation();
 		if ( sip_reply )
 			{
 			zeek::BifEvent::enqueue_sip_reply(connection()->zeek_analyzer(), connection()->zeek_analyzer()->Conn(),
diff --git a/src/analyzer/protocol/smb/SMB.cc b/src/analyzer/protocol/smb/SMB.cc
index f41b743cfe..be27fa60ce 100644
--- a/src/analyzer/protocol/smb/SMB.cc
+++ b/src/analyzer/protocol/smb/SMB.cc
@@ -77,11 +77,11 @@ void SMB_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 		// Let's assume that if there are no binpac exceptions after
 		// 3 data chunks that this is probably actually SMB.
 		if ( ++chunks == 3 )
-			ProtocolConfirmation();
+			AnalyzerConfirmation();
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		NeedResync();
 		}
 	}
diff --git a/src/analyzer/protocol/smtp/SMTP.cc b/src/analyzer/protocol/smtp/SMTP.cc
index 2d1d9a7fe6..d7d5b73870 100644
--- a/src/analyzer/protocol/smtp/SMTP.cc
+++ b/src/analyzer/protocol/smtp/SMTP.cc
@@ -289,7 +289,7 @@ void SMTP_Analyzer::ProcessLine(int length, const char* line, bool orig)
 			{
 			reply_code = -1;
 			Unexpected(is_sender, "reply code out of range", length, line);
-			ProtocolViolation(util::fmt("reply code %d out of range", reply_code), line, length);
+			AnalyzerViolation(util::fmt("reply code %d out of range", reply_code), line, length);
 			}
 
 		else
@@ -848,7 +848,7 @@ int SMTP_Analyzer::ParseCmd(int cmd_len, const char* cmd)
 
 void SMTP_Analyzer::RequestEvent(int cmd_len, const char* cmd, int arg_len, const char* arg)
 	{
-	ProtocolConfirmation();
+	AnalyzerConfirmation();
 
 	if ( smtp_request )
 		{
diff --git a/src/analyzer/protocol/snmp/SNMP.cc b/src/analyzer/protocol/snmp/SNMP.cc
index 9988914a62..64923159ff 100644
--- a/src/analyzer/protocol/snmp/SNMP.cc
+++ b/src/analyzer/protocol/snmp/SNMP.cc
@@ -37,7 +37,7 @@ void SNMP_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 	}
 
diff --git a/src/analyzer/protocol/snmp/snmp-analyzer.pac b/src/analyzer/protocol/snmp/snmp-analyzer.pac
index f59a4de912..334c4242e9 100644
--- a/src/analyzer/protocol/snmp/snmp-analyzer.pac
+++ b/src/analyzer/protocol/snmp/snmp-analyzer.pac
@@ -372,7 +372,7 @@ refine connection SNMP_Conn += {
 	function proc_header(rec: Header): bool
 		%{
 		if ( ! ${rec.is_orig} )
-			zeek_analyzer()->ProtocolConfirmation();
+			zeek_analyzer()->AnalyzerConfirmation();
 
 		if ( rec->unknown() )
 			return false;
@@ -385,7 +385,7 @@ refine connection SNMP_Conn += {
 		if ( rec->flags()->encoding()->content().length() == 1 )
 			return true;
 
-		zeek_analyzer()->ProtocolViolation("Invalid v3 HeaderData msgFlags");
+		zeek_analyzer()->AnalyzerViolation("Invalid v3 HeaderData msgFlags");
 		return false;
 		%}
 
@@ -396,7 +396,7 @@ refine connection SNMP_Conn += {
 
 		// Unwind now to stop parsing because it's definitely the
 		// wrong protocol and parsing further could be expensive.
-		// Upper layer of analyzer will catch and call ProtocolViolation().
+		// Upper layer of analyzer will catch and call AnalyzerViolation().
 		throw binpac::Exception(zeek::util::fmt("Got ASN.1 tag %d, expect %d",
 		                        rec->tag(), expect));
 		return false;
diff --git a/src/analyzer/protocol/socks/SOCKS.cc b/src/analyzer/protocol/socks/SOCKS.cc
index 6a26a99f39..cace5115dd 100644
--- a/src/analyzer/protocol/socks/SOCKS.cc
+++ b/src/analyzer/protocol/socks/SOCKS.cc
@@ -81,7 +81,7 @@ void SOCKS_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 			}
 		catch ( const binpac::Exception& e )
 			{
-			ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+			AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 			}
 		}
 	}
diff --git a/src/analyzer/protocol/socks/socks-analyzer.pac b/src/analyzer/protocol/socks/socks-analyzer.pac
index ec633341de..eeeb253c59 100644
--- a/src/analyzer/protocol/socks/socks-analyzer.pac
+++ b/src/analyzer/protocol/socks/socks-analyzer.pac
@@ -61,7 +61,7 @@ refine connection SOCKS_Conn += {
 			                              zeek::val_mgr->Port(${reply.port}, TRANSPORT_TCP));
 			}
 
-		zeek_analyzer()->ProtocolConfirmation();
+		zeek_analyzer()->AnalyzerConfirmation();
 		static_cast<zeek::analyzer::socks::SOCKS_Analyzer*>(zeek_analyzer())->EndpointDone(false);
 		return true;
 		%}
@@ -70,14 +70,14 @@ refine connection SOCKS_Conn += {
 		%{
 		if ( ${request.reserved} != 0 )
 			{
-			zeek_analyzer()->ProtocolViolation(zeek::util::fmt("invalid value in reserved field: %d", ${request.reserved}));
+			zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("invalid value in reserved field: %d", ${request.reserved}));
 			zeek_analyzer()->SetSkip(true);
 			return false;
 			}
 
 		if ( (${request.command} == 0) || (${request.command} > 3) )
 			{
-			zeek_analyzer()->ProtocolViolation(zeek::util::fmt("undefined value in command field: %d", ${request.command}));
+			zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("undefined value in command field: %d", ${request.command}));
 			zeek_analyzer()->SetSkip(true);
 			return false;
 			}
@@ -102,7 +102,7 @@ refine connection SOCKS_Conn += {
 				break;
 
 			default:
-				zeek_analyzer()->ProtocolViolation(zeek::util::fmt("invalid SOCKSv5 addr type: %d", ${request.remote_name.addr_type}));
+				zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("invalid SOCKSv5 addr type: %d", ${request.remote_name.addr_type}));
 				return false;
 			}
 
@@ -142,7 +142,7 @@ refine connection SOCKS_Conn += {
 				break;
 
 			default:
-				zeek_analyzer()->ProtocolViolation(zeek::util::fmt("invalid SOCKSv5 addr type: %d", ${reply.bound.addr_type}));
+				zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("invalid SOCKSv5 addr type: %d", ${reply.bound.addr_type}));
 				return false;
 			}
 
@@ -154,7 +154,7 @@ refine connection SOCKS_Conn += {
 			                              std::move(sa),
 			                              zeek::val_mgr->Port(${reply.port}, TRANSPORT_TCP));
 
-		zeek_analyzer()->ProtocolConfirmation();
+		zeek_analyzer()->AnalyzerConfirmation();
 		static_cast<zeek::analyzer::socks::SOCKS_Analyzer*>(zeek_analyzer())->EndpointDone(false);
 		return true;
 		%}
@@ -196,7 +196,7 @@ refine connection SOCKS_Conn += {
 
 	function version_error(version: uint8): bool
 		%{
-		zeek_analyzer()->ProtocolViolation(zeek::util::fmt("unsupported/unknown SOCKS version %d", version));
+		zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("unsupported/unknown SOCKS version %d", version));
 		return true;
 		%}
 
diff --git a/src/analyzer/protocol/ssh/SSH.cc b/src/analyzer/protocol/ssh/SSH.cc
index cdecf6b297..e62601a858 100644
--- a/src/analyzer/protocol/ssh/SSH.cc
+++ b/src/analyzer/protocol/ssh/SSH.cc
@@ -67,7 +67,7 @@ void SSH_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 
 	auto encrypted_len = interp->get_encrypted_bytes_in_current_segment();
diff --git a/src/analyzer/protocol/ssh/ssh-analyzer.pac b/src/analyzer/protocol/ssh/ssh-analyzer.pac
index 1f0683f44a..dc1eba0b46 100644
--- a/src/analyzer/protocol/ssh/ssh-analyzer.pac
+++ b/src/analyzer/protocol/ssh/ssh-analyzer.pac
@@ -206,7 +206,7 @@ refine flow SSH_Flow += {
 
 	function proc_newkeys(): bool
 		%{
-		connection()->zeek_analyzer()->ProtocolConfirmation();
+		connection()->zeek_analyzer()->AnalyzerConfirmation();
 		return true;
 		%}
 
diff --git a/src/analyzer/protocol/ssl/DTLS.cc b/src/analyzer/protocol/ssl/DTLS.cc
index 5dddcbc94e..9fe8cbbaa0 100644
--- a/src/analyzer/protocol/ssl/DTLS.cc
+++ b/src/analyzer/protocol/ssl/DTLS.cc
@@ -72,7 +72,7 @@ void DTLS_Analyzer::SendHandshake(uint16_t raw_tls_version, uint8_t msg_type, ui
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 	}
 
diff --git a/src/analyzer/protocol/ssl/SSL.cc b/src/analyzer/protocol/ssl/SSL.cc
index c0c9091637..d6e07e7b2a 100644
--- a/src/analyzer/protocol/ssl/SSL.cc
+++ b/src/analyzer/protocol/ssl/SSL.cc
@@ -73,7 +73,7 @@ void SSL_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 	}
 
@@ -87,7 +87,7 @@ void SSL_Analyzer::SendHandshake(uint16_t raw_tls_version, const u_char* begin,
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 	}
 
diff --git a/src/analyzer/protocol/ssl/dtls-analyzer.pac b/src/analyzer/protocol/ssl/dtls-analyzer.pac
index 0fa6fbceba..3c9f10fc54 100644
--- a/src/analyzer/protocol/ssl/dtls-analyzer.pac
+++ b/src/analyzer/protocol/ssl/dtls-analyzer.pac
@@ -55,7 +55,7 @@ refine connection SSL_Conn += {
 
 		if ( length > MAX_DTLS_HANDSHAKE_RECORD )
 			{
-			zeek_analyzer()->ProtocolViolation(zeek::util::fmt("DTLS record length %" PRId64 " larger than allowed maximum.", length));
+			zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("DTLS record length %" PRId64 " larger than allowed maximum.", length));
 			return true;
 			}
 
@@ -77,7 +77,7 @@ refine connection SSL_Conn += {
 			{
 			if ( i->first_sequence_seen )
 				{
-				zeek_analyzer()->ProtocolViolation("Saw second and different first message fragment for handshake.");
+				zeek_analyzer()->AnalyzerViolation("Saw second and different first message fragment for handshake.");
 				return true;
 				}
 			// first sequence number was incorrect, let's fix that.
@@ -97,13 +97,13 @@ refine connection SSL_Conn += {
 		// copy data from fragment to buffer
 		if ( ${rec.data}.length() != flength )
 			{
-			zeek_analyzer()->ProtocolViolation(zeek::util::fmt("DTLS handshake record length does not match packet length"));
+			zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("DTLS handshake record length does not match packet length"));
 			return true;
 			}
 
 		if ( foffset + flength > length )
 			{
-			zeek_analyzer()->ProtocolViolation(zeek::util::fmt("DTLS handshake fragment trying to write past end of buffer"));
+			zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("DTLS handshake fragment trying to write past end of buffer"));
 			return true;
 			}
 
@@ -124,7 +124,7 @@ refine connection SSL_Conn += {
 			uint64 total_length = i->message_last_sequence - i->message_first_sequence;
 			if ( total_length > 30 )
 				{
-				zeek_analyzer()->ProtocolViolation(zeek::util::fmt("DTLS Message fragmented over more than 30 pieces. Cannot reassemble."));
+				zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("DTLS Message fragmented over more than 30 pieces. Cannot reassemble."));
 				return true;
 				}
 
diff --git a/src/analyzer/protocol/ssl/dtls-protocol.pac b/src/analyzer/protocol/ssl/dtls-protocol.pac
index e81ef4484f..760a0bc4e4 100644
--- a/src/analyzer/protocol/ssl/dtls-protocol.pac
+++ b/src/analyzer/protocol/ssl/dtls-protocol.pac
@@ -63,18 +63,18 @@ refine connection SSL_Conn += {
 			// Reset only to 0 once we have seen a client hello.
 			// This means the connection gets a limited amount of valid/invalid
 			// packets before a client hello has to be seen - which seems reasonable.
-			if ( zeek_analyzer()->ProtocolConfirmed() )
+			if ( zeek_analyzer()->AnalyzerConfirmed() )
 				invalid_version_count_ = 0;
 			return true;
 
 		default:
 			invalid_version_count_++;
 
-			if ( zeek_analyzer()->ProtocolConfirmed() )
+			if ( zeek_analyzer()->AnalyzerConfirmed() )
 				{
 				reported_errors_++;
 				if ( reported_errors_ <= zeek::BifConst::SSL::dtls_max_reported_version_errors )
-					zeek_analyzer()->ProtocolViolation(zeek::util::fmt("Invalid version in DTLS connection. Packet reported version: %d", version));
+					zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("Invalid version in DTLS connection. Packet reported version: %d", version));
 				}
 
 			if ( invalid_version_count_ > zeek::BifConst::SSL::dtls_max_version_errors )
diff --git a/src/analyzer/protocol/ssl/proc-client-hello.pac b/src/analyzer/protocol/ssl/proc-client-hello.pac
index ae3774ed9a..7a0b3a9461 100644
--- a/src/analyzer/protocol/ssl/proc-client-hello.pac
+++ b/src/analyzer/protocol/ssl/proc-client-hello.pac
@@ -8,11 +8,11 @@
 		%{
 		if ( ! version_ok(version) )
 			{
-			zeek_analyzer()->ProtocolViolation(zeek::util::fmt("unsupported client SSL version 0x%04x", version));
+			zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("unsupported client SSL version 0x%04x", version));
 			zeek_analyzer()->SetSkip(true);
 			}
 		else
-			zeek_analyzer()->ProtocolConfirmation();
+			zeek_analyzer()->AnalyzerConfirmation();
 
 		if ( ssl_client_hello )
 			{
diff --git a/src/analyzer/protocol/ssl/proc-server-hello.pac b/src/analyzer/protocol/ssl/proc-server-hello.pac
index 30356508c6..9e44dfad36 100644
--- a/src/analyzer/protocol/ssl/proc-server-hello.pac
+++ b/src/analyzer/protocol/ssl/proc-server-hello.pac
@@ -8,7 +8,7 @@
 		%{
 		if ( ! version_ok(version) )
 			{
-			zeek_analyzer()->ProtocolViolation(zeek::util::fmt("unsupported server SSL version 0x%04x", version));
+			zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("unsupported server SSL version 0x%04x", version));
 			zeek_analyzer()->SetSkip(true);
 			}
 
diff --git a/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac b/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac
index f086fae609..4c28970698 100644
--- a/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-dtls-analyzer.pac
@@ -37,7 +37,7 @@ refine connection SSL_Conn += {
 		%}
 	function proc_unknown_record(rec: SSLRecord) : bool
 		%{
-		zeek_analyzer()->ProtocolViolation(zeek::util::fmt("unknown SSL record type (%d) from %s",
+		zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("unknown SSL record type (%d) from %s",
 				${rec.content_type},
 				orig_label(${rec.is_orig}).c_str()));
 		return true;
@@ -90,7 +90,7 @@ refine connection SSL_Conn += {
 		%{
 		if ( version != SSLv20 )
 			{
-			zeek_analyzer()->ProtocolViolation(zeek::util::fmt("Invalid version in SSL server hello. Version: %d", version));
+			zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("Invalid version in SSL server hello. Version: %d", version));
 			zeek_analyzer()->SetSkip(true);
 			return false;
 			}
diff --git a/src/analyzer/protocol/ssl/ssl-protocol.pac b/src/analyzer/protocol/ssl/ssl-protocol.pac
index 57b7f192c6..195c614d1d 100644
--- a/src/analyzer/protocol/ssl/ssl-protocol.pac
+++ b/src/analyzer/protocol/ssl/ssl-protocol.pac
@@ -197,7 +197,7 @@ refine connection SSL_Conn += {
 			if ( version != SSLv30 && version != TLSv10 &&
 			     version != TLSv11 && version != TLSv12 )
 				{
-				zeek_analyzer()->ProtocolViolation(zeek::util::fmt("Invalid version late in TLS connection. Packet reported version: %d", version));
+				zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("Invalid version late in TLS connection. Packet reported version: %d", version));
 				zeek_analyzer()->SetSkip(true);
 				return UNKNOWN_VERSION;
 				}
@@ -214,7 +214,7 @@ refine connection SSL_Conn += {
 				if ( version != SSLv20 && version != SSLv30 && version != TLSv10 &&
 				     version != TLSv11 && version != TLSv12 )
 					{
-					zeek_analyzer()->ProtocolViolation(zeek::util::fmt("Invalid version in SSL client hello. Version: %d", version));
+					zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("Invalid version in SSL client hello. Version: %d", version));
 					zeek_analyzer()->SetSkip(true);
 					return UNKNOWN_VERSION;
 					}
@@ -231,7 +231,7 @@ refine connection SSL_Conn += {
 
 			else // this is not SSL or TLS.
 				{
-				zeek_analyzer()->ProtocolViolation(zeek::util::fmt("Invalid headers in SSL connection. Head1: %d, head2: %d, head3: %d", head1, head2, head3));
+				zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("Invalid headers in SSL connection. Head1: %d, head2: %d, head3: %d", head1, head2, head3));
 				zeek_analyzer()->SetSkip(true);
 				return UNKNOWN_VERSION;
 				}
@@ -241,7 +241,7 @@ refine connection SSL_Conn += {
 		if ( version != SSLv30 && version != TLSv10 &&
 		     version != TLSv11 && version != TLSv12 )
 			{
-			zeek_analyzer()->ProtocolViolation(zeek::util::fmt("Invalid version in TLS connection. Version: %d", version));
+			zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("Invalid version in TLS connection. Version: %d", version));
 			zeek_analyzer()->SetSkip(true);
 			return UNKNOWN_VERSION;
 			}
@@ -252,7 +252,7 @@ refine connection SSL_Conn += {
 			return version;
 			}
 
-		zeek_analyzer()->ProtocolViolation(zeek::util::fmt("Invalid type in TLS connection. Version: %d, Type: %d", version, head0));
+		zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("Invalid type in TLS connection. Version: %d, Type: %d", version, head0));
 		zeek_analyzer()->SetSkip(true);
 		return UNKNOWN_VERSION;
 		%}
diff --git a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
index 961eb8eaf3..33e0af5924 100644
--- a/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
+++ b/src/analyzer/protocol/ssl/tls-handshake-analyzer.pac
@@ -54,7 +54,7 @@ refine connection Handshake_Conn += {
 			{
 			// This should be impossible due to the binpac parser
 			// and protocol description
-			zeek_analyzer()->ProtocolViolation(zeek::util::fmt("Impossible extension length: %zu", length));
+			zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("Impossible extension length: %zu", length));
 			zeek_analyzer()->SetSkip(true);
 			return true;
 			}
@@ -287,7 +287,7 @@ refine connection Handshake_Conn += {
 
 	function proc_unknown_handshake(hs: HandshakeRecord, is_orig: bool) : bool
 		%{
-		zeek_analyzer()->ProtocolViolation(zeek::util::fmt("unknown handshake message (%d) from %s",
+		zeek_analyzer()->AnalyzerViolation(zeek::util::fmt("unknown handshake message (%d) from %s",
 			${hs.msg_type}, orig_label(is_orig).c_str()));
 		return true;
 		%}
diff --git a/src/analyzer/protocol/tcp/TCP.cc b/src/analyzer/protocol/tcp/TCP.cc
index d7baa4166f..2ac794dff3 100644
--- a/src/analyzer/protocol/tcp/TCP.cc
+++ b/src/analyzer/protocol/tcp/TCP.cc
@@ -34,7 +34,7 @@ void TCP_ApplicationAnalyzer::Init()
 		SetTCP(static_cast<packet_analysis::TCP::TCPSessionAdapter*>(Parent()));
 	}
 
-void TCP_ApplicationAnalyzer::ProtocolViolation(const char* reason, const char* data, int len)
+void TCP_ApplicationAnalyzer::AnalyzerViolation(const char* reason, const char* data, int len)
 	{
 	auto* tcp = TCP();
 
@@ -43,7 +43,7 @@ void TCP_ApplicationAnalyzer::ProtocolViolation(const char* reason, const char*
 		// too unreliable.
 		return;
 
-	Analyzer::ProtocolViolation(reason, data, len);
+	Analyzer::AnalyzerViolation(reason, data, len);
 	}
 
 void TCP_ApplicationAnalyzer::DeliverPacket(int len, const u_char* data, bool is_orig, uint64_t seq,
diff --git a/src/analyzer/protocol/tcp/TCP.h b/src/analyzer/protocol/tcp/TCP.h
index c5eb7851c8..b979001aae 100644
--- a/src/analyzer/protocol/tcp/TCP.h
+++ b/src/analyzer/protocol/tcp/TCP.h
@@ -68,7 +68,7 @@ public:
 
 	// This suppresses violations if the TCP connection wasn't
 	// fully established.
-	void ProtocolViolation(const char* reason, const char* data = nullptr, int len = 0) override;
+	void AnalyzerViolation(const char* reason, const char* data = nullptr, int len = 0) override;
 
 	// "name" and "val" both now belong to this object, which needs to
 	//  delete them when done with them.
diff --git a/src/analyzer/protocol/teredo/Teredo.cc b/src/analyzer/protocol/teredo/Teredo.cc
index 20787e41e6..32d123c4e3 100644
--- a/src/analyzer/protocol/teredo/Teredo.cc
+++ b/src/analyzer/protocol/teredo/Teredo.cc
@@ -152,7 +152,7 @@ void Teredo_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint
 
 	if ( ! te.Parse(data, len) )
 		{
-		ProtocolViolation("Bad Teredo encapsulation", (const char*)data, len);
+		AnalyzerViolation("Bad Teredo encapsulation", (const char*)data, len);
 		return;
 		}
 
@@ -175,7 +175,7 @@ void Teredo_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint
 			Weird("Teredo_bubble_with_payload", true);
 		else
 			{
-			ProtocolViolation("Teredo payload length", (const char*)data, len);
+			AnalyzerViolation("Teredo payload length", (const char*)data, len);
 			return;
 			}
 		}
@@ -192,7 +192,7 @@ void Teredo_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint
 
 	else
 		{
-		ProtocolViolation("Truncated Teredo or invalid inner IP version", (const char*)data, len);
+		AnalyzerViolation("Truncated Teredo or invalid inner IP version", (const char*)data, len);
 		return;
 		}
 
diff --git a/src/analyzer/protocol/teredo/Teredo.h b/src/analyzer/protocol/teredo/Teredo.h
index a37ad61505..ecd6c1f4ff 100644
--- a/src/analyzer/protocol/teredo/Teredo.h
+++ b/src/analyzer/protocol/teredo/Teredo.h
@@ -33,7 +33,7 @@ public:
 	 */
 	void Weird(const char* name, bool force = false) const
 		{
-		if ( ProtocolConfirmed() || force )
+		if ( AnalyzerConfirmed() || force )
 			reporter->Weird(Conn(), name, "", GetAnalyzerName());
 		}
 
@@ -44,7 +44,7 @@ public:
 	void Confirm()
 		{
 		if ( ! BifConst::Tunnel::delay_teredo_confirmation || (valid_orig && valid_resp) )
-			ProtocolConfirmation();
+			AnalyzerConfirmation();
 		}
 
 protected:
diff --git a/src/analyzer/protocol/vxlan/VXLAN.cc b/src/analyzer/protocol/vxlan/VXLAN.cc
index 974a033b0a..4eeb409f4b 100644
--- a/src/analyzer/protocol/vxlan/VXLAN.cc
+++ b/src/analyzer/protocol/vxlan/VXLAN.cc
@@ -37,13 +37,13 @@ void VXLAN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint6
 
 	if ( len < vxlan_len )
 		{
-		ProtocolViolation("VXLAN header truncation", (const char*)data, len);
+		AnalyzerViolation("VXLAN header truncation", (const char*)data, len);
 		return;
 		}
 
 	if ( (data[0] & 0x08) == 0 )
 		{
-		ProtocolViolation("VXLAN 'I' flag not set", (const char*)data, len);
+		AnalyzerViolation("VXLAN 'I' flag not set", (const char*)data, len);
 		return;
 		}
 
@@ -77,7 +77,7 @@ void VXLAN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint6
 
 	if ( ! packet_mgr->ProcessInnerPacket(&pkt) )
 		{
-		ProtocolViolation("VXLAN invalid inner packet");
+		AnalyzerViolation("VXLAN invalid inner packet");
 		return;
 		}
 
@@ -86,7 +86,7 @@ void VXLAN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint6
 	if ( ! pkt.ip_hdr )
 		return;
 
-	ProtocolConfirmation();
+	AnalyzerConfirmation();
 
 	if ( vxlan_packet )
 		{
diff --git a/src/analyzer/protocol/xmpp/XMPP.cc b/src/analyzer/protocol/xmpp/XMPP.cc
index e7546c9dbc..f2a007dfed 100644
--- a/src/analyzer/protocol/xmpp/XMPP.cc
+++ b/src/analyzer/protocol/xmpp/XMPP.cc
@@ -60,7 +60,7 @@ void XMPP_Analyzer::DeliverStream(int len, const u_char* data, bool orig)
 		}
 	catch ( const binpac::Exception& e )
 		{
-		ProtocolViolation(util::fmt("Binpac exception: %s", e.c_msg()));
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
 		}
 	}
 
diff --git a/src/analyzer/protocol/xmpp/xmpp-analyzer.pac b/src/analyzer/protocol/xmpp/xmpp-analyzer.pac
index 7c0bfa9701..3b3dcbd37e 100644
--- a/src/analyzer/protocol/xmpp/xmpp-analyzer.pac
+++ b/src/analyzer/protocol/xmpp/xmpp-analyzer.pac
@@ -19,7 +19,7 @@ refine connection XMPP_Conn += {
 
 		if ( is_orig && token == "stream:stream" )
 			// Yup, looks like xmpp...
-			zeek_analyzer()->ProtocolConfirmation();
+			zeek_analyzer()->AnalyzerConfirmation();
 
 		if ( token == "success" || token == "message" || token == "db:result"
 		     || token == "db:verify" || token == "presence" )
diff --git a/src/event.bif b/src/event.bif
index 135cb10680..413be2933c 100644
--- a/src/event.bif
+++ b/src/event.bif
@@ -379,7 +379,8 @@ event content_gap%(c: connection, is_orig: bool, seq: count, length: count%);
 ##    Zeek's default scripts use this event to determine the ``service`` column
 ##    of :zeek:type:`Conn::Info`: once confirmed, the protocol will be listed
 ##    there (and thus in ``conn.log``).
-event protocol_confirmation%(c: connection, atype: Analyzer::Tag, aid: count%);
+event analyzer_confirmation%(c: connection, atype: Analyzer::Tag, aid: count%);
+event protocol_confirmation%(c: connection, atype: AllAnalyzers::Tag, aid: count%) &deprecated="Remove in v5.1. Use analyzer_confirmation.";
 
 ## Generated if a DPD signature matched but the DPD buffer is already exhausted
 ## and thus the analyzer could not be attached. While this does not confirm
@@ -424,7 +425,8 @@ event protocol_late_match%(c: connection, atype: Analyzer::Tag%);
 ##    :zeek:id:`disable_analyzer` if it's parsing the wrong protocol. That's
 ##    however a script-level decision and not done automatically by the event
 ##    engine.
-event protocol_violation%(c: connection, atype: Analyzer::Tag, aid: count, reason: string%);
+event analyzer_violation%(c: connection, atype: Analyzer::Tag, aid: count, reason: string%);
+event protocol_violation%(c: connection, atype: AllAnalyzers::Tag, aid: count, reason: string%) &deprecated="Remove in v.5.1. Use analyzer_violation.";
 
 ## Generated when a TCP connection terminated, passing on statistics about the
 ## two endpoints. This event is always generated when Zeek flushes the internal
diff --git a/src/packet_analysis/Analyzer.cc b/src/packet_analysis/Analyzer.cc
index 3e756d5da7..f55e948fed 100644
--- a/src/packet_analysis/Analyzer.cc
+++ b/src/packet_analysis/Analyzer.cc
@@ -4,6 +4,7 @@
 
 #include "zeek/DebugLogger.h"
 #include "zeek/Dict.h"
+#include "zeek/Event.h"
 #include "zeek/RunState.h"
 #include "zeek/session/Manager.h"
 #include "zeek/util.h"
@@ -166,4 +167,42 @@ void Analyzer::Weird(const char* name, Packet* packet, const char* addl) const
 	session_mgr->Weird(name, packet, addl, GetAnalyzerName());
 	}
 
+void Analyzer::AnalyzerConfirmation(session::Session* session, zeek::Tag arg_tag)
+	{
+	if ( session->AnalyzerState(arg_tag) == session::AnalyzerConfirmationState::CONFIRMED )
+		return;
+
+	session->SetAnalyzerState(GetAnalyzerTag(), session::AnalyzerConfirmationState::CONFIRMED);
+
+	if ( ! analyzer_confirmation )
+		return;
+
+	const auto& tval = arg_tag ? arg_tag.AsVal() : tag.AsVal();
+	event_mgr.Enqueue(analyzer_confirmation, session->GetVal(), tval, val_mgr->Count(0));
+	}
+
+void Analyzer::AnalyzerViolation(const char* reason, session::Session* session, const char* data,
+                                 int len)
+	{
+	if ( ! analyzer_violation )
+		return;
+
+	session->SetAnalyzerState(GetAnalyzerTag(), session::AnalyzerConfirmationState::VIOLATED);
+
+	StringValPtr r;
+
+	if ( data && len )
+		{
+		const char* tmp = util::copy_string(reason);
+		r = make_intrusive<StringVal>(util::fmt(
+			"%s [%s%s]", tmp, util::fmt_bytes(data, std::min(40, len)), len > 40 ? "..." : ""));
+		delete[] tmp;
+		}
+	else
+		r = make_intrusive<StringVal>(reason);
+
+	const auto& tval = tag.AsVal();
+	event_mgr.Enqueue(analyzer_violation, session->GetVal(), tval, val_mgr->Count(0), std::move(r));
+	}
+
 	} // namespace zeek::packet_analysis
diff --git a/src/packet_analysis/Analyzer.h b/src/packet_analysis/Analyzer.h
index 3e61bd4428..fd11ba484e 100644
--- a/src/packet_analysis/Analyzer.h
+++ b/src/packet_analysis/Analyzer.h
@@ -6,6 +6,7 @@
 #include "zeek/Tag.h"
 #include "zeek/iosource/Packet.h"
 #include "zeek/packet_analysis/Manager.h"
+#include "zeek/session/Session.h"
 
 namespace zeek::packet_analysis
 	{
@@ -126,6 +127,52 @@ public:
 	 */
 	virtual bool DetectProtocol(size_t len, const uint8_t* data, Packet* packet) { return false; }
 
+	/**
+	 * Signals Zeek's protocol detection that the analyzer has recognized
+	 * the input to indeed conform to the expected protocol. This should
+	 * be called as early as possible during a connection's life-time. It
+	 * may turn into \c analyzer_confirmed event at the script-layer (but
+	 * only once per analyzer for each connection, even if the method is
+	 * called multiple times).
+	 *
+	 * If tag is given, it overrides the analyzer tag passed to the
+	 * scripting layer; the default is the one of the analyzer itself.
+	 */
+	virtual void AnalyzerConfirmation(session::Session* session, zeek::Tag tag = zeek::Tag());
+
+	/**
+	 * Signals Bro's protocol detection that the analyzer has found a
+	 * severe protocol violation that could indicate that it's not
+	 * parsing the expected protocol. This turns into \c
+	 * analyzer_violation events at the script-layer (one such event is
+	 * raised for each call to this method so that the script-layer can
+	 * built up a notion of how prevalent protocol violations are; the
+	 * more, the less likely it's the right protocol).
+	 *
+	 * @param reason A textual description of the error encountered.
+	 *
+	 * @param data An optional pointer to the malformed data.
+	 *
+	 * @param len If \a data is given, the length of it.
+	 */
+	virtual void AnalyzerViolation(const char* reason, session::Session* session,
+	                               const char* data = nullptr, int len = 0);
+
+	/**
+	 * Returns true if ProtocolConfirmation() has been called at least
+	 * once.
+	 */
+	bool AnalyzerConfirmed(session::Session* session) const
+		{
+		return session->AnalyzerState(GetAnalyzerTag()) ==
+		       session::AnalyzerConfirmationState::CONFIRMED;
+		}
+	bool AnalyzerViolated(session::Session* session) const
+		{
+		return session->AnalyzerState(GetAnalyzerTag()) ==
+		       session::AnalyzerConfirmationState::VIOLATED;
+		}
+
 protected:
 	friend class Manager;
 
diff --git a/src/session/Session.cc b/src/session/Session.cc
index ce0d3b2878..2e267ea7fb 100644
--- a/src/session/Session.cc
+++ b/src/session/Session.cc
@@ -205,4 +205,18 @@ void Session::RemoveConnectionTimer(double t)
 	session_mgr->Remove(this);
 	}
 
+AnalyzerConfirmationState Session::AnalyzerState(const zeek::Tag& tag) const
+	{
+	auto it = analyzer_confirmations.find(tag);
+	if ( it == analyzer_confirmations.end() )
+		return AnalyzerConfirmationState::UNKNOWN;
+
+	return it->second;
+	}
+
+void Session::SetAnalyzerState(const zeek::Tag& tag, AnalyzerConfirmationState value)
+	{
+	analyzer_confirmations.insert_or_assign(tag, value);
+	}
+
 	} // namespace zeek::session
diff --git a/src/session/Session.h b/src/session/Session.h
index 119b17e82c..de4877aade 100644
--- a/src/session/Session.h
+++ b/src/session/Session.h
@@ -2,11 +2,13 @@
 
 #pragma once
 
+#include <map>
 #include <memory>
 
 #include "zeek/EventHandler.h"
 #include "zeek/Hash.h"
 #include "zeek/Obj.h"
+#include "zeek/Tag.h"
 #include "zeek/Timer.h"
 #include "zeek/session/Key.h"
 
@@ -31,6 +33,13 @@ class Timer;
 class Session;
 using timer_func = void (Session::*)(double t);
 
+enum class AnalyzerConfirmationState
+	{
+	UNKNOWN,
+	VIOLATED,
+	CONFIRMED
+	};
+
 class Session : public Obj
 	{
 public:
@@ -214,6 +223,9 @@ public:
 	 */
 	virtual std::string TransportIdentifier() const = 0;
 
+	AnalyzerConfirmationState AnalyzerState(const zeek::Tag& tag) const;
+	void SetAnalyzerState(const zeek::Tag& tag, AnalyzerConfirmationState);
+
 protected:
 	friend class detail::Timer;
 
@@ -261,6 +273,8 @@ protected:
 	unsigned int record_packets : 1, record_contents : 1;
 	unsigned int record_current_packet : 1, record_current_content : 1;
 	bool in_session_table;
+
+	std::map<zeek::Tag, AnalyzerConfirmationState> analyzer_confirmations;
 	};
 
 namespace detail
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index 898f73cb3b..1fa1a829a4 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -4333,6 +4333,7 @@ XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[o
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::info{ if (HTTP::c?$http_state) { for ([HTTP::r] in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerceHTTP::info)}}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::info{ if (HTTP::c?$http_state) { for ([HTTP::r] in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerceHTTP::info)}}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::info{ if (HTTP::c?$http_state) { for ([HTTP::r] in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerceHTTP::info)}}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(analyzer_confirmation, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856/tcp, 192.150.187.43, 80/tcp)) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(fmt, <frame>, (-%s, HTTP)) -> <no result>
@@ -4347,10 +4348,10 @@ XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(http_message_done, <null>, ([id=[
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(http_request, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], GET, <...>/CHANGES.bro-aux.txt, <...>/CHANGES.bro-aux.txt, 1.1)) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp])) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(network_time, <frame>, ()) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(protocol_confirmation, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTPXXXXXXXXXX.XXXXXXT11141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(split_string1, <frame>, (bro.org, /^?(:)$?/)) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  DrainEvents() -> <void>
+XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(analyzer_confirmation([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)) -> false
 XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
 XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
 XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
@@ -4360,7 +4361,6 @@ XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228
 XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, User-Agent, USER-AGENT, Wget/1.14 (darwin12.2.0))) -> false
 XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::info{ if (HTTP::c?$http_state) { for ([HTTP::r] in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerceHTTP::info)}}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=XXXXXXXXXX.XXXXXX, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) -> false
 XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(http_request([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], GET, <...>/CHANGES.bro-aux.txt, <...>/CHANGES.bro-aux.txt, 1.1)) -> false
-XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)) -> false
 XXXXXXXXXX.XXXXXX   MetaHookPost  UpdateNetworkTime(XXXXXXXXXX.XXXXXX) -> <void>
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(Analyzer::__name, <frame>, (Analyzer::ANALYZER_HTTP))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(Analyzer::name, <frame>, (Analyzer::ANALYZER_HTTP))
@@ -4373,6 +4373,7 @@ XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[o
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::info{ if (HTTP::c?$http_state) { for ([HTTP::r] in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerceHTTP::info)}}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::info{ if (HTTP::c?$http_state) { for ([HTTP::r] in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerceHTTP::info)}}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::info{ if (HTTP::c?$http_state) { for ([HTTP::r] in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerceHTTP::info)}}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(analyzer_confirmation, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856/tcp, 192.150.187.43, 80/tcp))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(fmt, <frame>, (-%s, HTTP))
@@ -4387,10 +4388,10 @@ XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(http_message_done, <null>, ([id=[
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(http_request, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], GET, <...>/CHANGES.bro-aux.txt, <...>/CHANGES.bro-aux.txt, 1.1))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(network_time, <frame>, ())
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(protocol_confirmation, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTPXXXXXXXXXX.XXXXXXT11141.142.228.5:59856 > 192.150.187.43:80))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(split_string1, <frame>, (bro.org, /^?(:)$?/))
 XXXXXXXXXX.XXXXXX   MetaHookPre   DrainEvents()
+XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(analyzer_confirmation([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3))
 XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
 XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
 XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
@@ -4400,7 +4401,6 @@ XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228
 XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, User-Agent, USER-AGENT, Wget/1.14 (darwin12.2.0)))
 XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::info{ if (HTTP::c?$http_state) { for ([HTTP::r] in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerceHTTP::info)}}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=XXXXXXXXXX.XXXXXX, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124]))
 XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(http_request([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], GET, <...>/CHANGES.bro-aux.txt, <...>/CHANGES.bro-aux.txt, 1.1))
-XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3))
 XXXXXXXXXX.XXXXXX   MetaHookPre   UpdateNetworkTime(XXXXXXXXXX.XXXXXX)
 XXXXXXXXXX.XXXXXX  | HookUpdateNetworkTime XXXXXXXXXX.XXXXXX
 XXXXXXXXXX.XXXXXX | HookCallFunction Analyzer::__name(Analyzer::ANALYZER_HTTP)
@@ -4414,6 +4414,7 @@ XXXXXXXXXX.XXXXXX | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5,
 XXXXXXXXXX.XXXXXX | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::info{ if (HTTP::c?$http_state) { for ([HTTP::r] in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerceHTTP::info)}}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
 XXXXXXXXXX.XXXXXX | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::info{ if (HTTP::c?$http_state) { for ([HTTP::r] in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerceHTTP::info)}}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
 XXXXXXXXXX.XXXXXX | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::info{ if (HTTP::c?$http_state) { for ([HTTP::r] in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerceHTTP::info)}}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+XXXXXXXXXX.XXXXXX | HookCallFunction analyzer_confirmation([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)
 XXXXXXXXXX.XXXXXX | HookCallFunction cat(Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)
 XXXXXXXXXX.XXXXXX | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856/tcp, 192.150.187.43, 80/tcp)
 XXXXXXXXXX.XXXXXX | HookCallFunction fmt(-%s, HTTP)
@@ -4428,10 +4429,10 @@ XXXXXXXXXX.XXXXXX | HookCallFunction http_message_done([id=[orig_h=141.142.228.5
 XXXXXXXXXX.XXXXXX | HookCallFunction http_request([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], GET, <...>/CHANGES.bro-aux.txt, <...>/CHANGES.bro-aux.txt, 1.1)
 XXXXXXXXXX.XXXXXX | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp])
 XXXXXXXXXX.XXXXXX | HookCallFunction network_time()
-XXXXXXXXXX.XXXXXX | HookCallFunction protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)
 XXXXXXXXXX.XXXXXX | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTPXXXXXXXXXX.XXXXXXT11141.142.228.5:59856 > 192.150.187.43:80)
 XXXXXXXXXX.XXXXXX | HookCallFunction split_string1(bro.org, /^?(:)$?/)
 XXXXXXXXXX.XXXXXX | HookDrainEvents
+XXXXXXXXXX.XXXXXX | HookQueueEvent analyzer_confirmation([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)
 XXXXXXXXXX.XXXXXX | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
 XXXXXXXXXX.XXXXXX | HookQueueEvent http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
 XXXXXXXXXX.XXXXXX | HookQueueEvent http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
@@ -4441,7 +4442,6 @@ XXXXXXXXXX.XXXXXX | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p
 XXXXXXXXXX.XXXXXX | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, User-Agent, USER-AGENT, Wget/1.14 (darwin12.2.0))
 XXXXXXXXXX.XXXXXX | HookQueueEvent http_message_done([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::info{ if (HTTP::c?$http_state) { for ([HTTP::r] in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerceHTTP::info)}}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=XXXXXXXXXX.XXXXXX, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])
 XXXXXXXXXX.XXXXXX | HookQueueEvent http_request([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], GET, <...>/CHANGES.bro-aux.txt, <...>/CHANGES.bro-aux.txt, 1.1)
-XXXXXXXXXX.XXXXXX | HookQueueEvent protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)
 XXXXXXXXXX.XXXXXX   MetaHookPost  DrainEvents() -> <void>
 XXXXXXXXXX.XXXXXX   MetaHookPost  UpdateNetworkTime(XXXXXXXXXX.XXXXXX) -> <void>
 XXXXXXXXXX.XXXXXX   MetaHookPre   DrainEvents()
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log
index 87f9a35705..2edb3e62f8 100644
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events-no-args.log
@@ -8,7 +8,7 @@ XXXXXXXXXX.XXXXXX filter_change_tracking
 XXXXXXXXXX.XXXXXX new_connection
 XXXXXXXXXX.XXXXXX dns_message
 XXXXXXXXXX.XXXXXX dns_request
-XXXXXXXXXX.XXXXXX protocol_confirmation
+XXXXXXXXXX.XXXXXX analyzer_confirmation
 XXXXXXXXXX.XXXXXX dns_end
 XXXXXXXXXX.XXXXXX dns_message
 XXXXXXXXXX.XXXXXX dns_CNAME_reply
@@ -19,7 +19,7 @@ XXXXXXXXXX.XXXXXX connection_established
 XXXXXXXXXX.XXXXXX smtp_reply
 XXXXXXXXXX.XXXXXX smtp_reply
 XXXXXXXXXX.XXXXXX smtp_reply
-XXXXXXXXXX.XXXXXX protocol_confirmation
+XXXXXXXXXX.XXXXXX analyzer_confirmation
 XXXXXXXXXX.XXXXXX smtp_request
 XXXXXXXXXX.XXXXXX Broker::log_flush
 XXXXXXXXXX.XXXXXX smtp_reply
@@ -120,7 +120,7 @@ XXXXXXXXXX.XXXXXX Broker::log_flush
 XXXXXXXXXX.XXXXXX new_connection
 XXXXXXXXXX.XXXXXX connection_established
 XXXXXXXXXX.XXXXXX smtp_reply
-XXXXXXXXXX.XXXXXX protocol_confirmation
+XXXXXXXXXX.XXXXXX analyzer_confirmation
 XXXXXXXXXX.XXXXXX smtp_request
 XXXXXXXXXX.XXXXXX smtp_reply
 XXXXXXXXXX.XXXXXX smtp_reply
@@ -173,7 +173,7 @@ XXXXXXXXXX.XXXXXX ssl_extension
 XXXXXXXXXX.XXXXXX ssl_extension
 XXXXXXXXXX.XXXXXX ssl_extension
 XXXXXXXXXX.XXXXXX ssl_extension
-XXXXXXXXXX.XXXXXX protocol_confirmation
+XXXXXXXXXX.XXXXXX analyzer_confirmation
 XXXXXXXXXX.XXXXXX ssl_client_hello
 XXXXXXXXXX.XXXXXX ssl_handshake_message
 XXXXXXXXXX.XXXXXX ssl_plaintext_data
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
index c05aab1097..a1acbce4f8 100644
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/all-events.log
@@ -22,7 +22,7 @@ XXXXXXXXXX.XXXXXX dns_request
                   [4] qclass: count      = 1
                   [5] original_query: string = mail.patriots.in
 
-XXXXXXXXXX.XXXXXX protocol_confirmation
+XXXXXXXXXX.XXXXXX analyzer_confirmation
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=0 secs, service={\x0a\x0a}, history=D, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (!DNS::c?$dns_state) \x0a\x09\x09return ;\x0a\x0a\x09if (DNS::c$dns_state?$pending_query) \x0a\x09\x09Log::write(DNS::LOG, to_any_coerceDNS::c$dns_state$pending_query);\x0a\x0a\x09if (DNS::c$dns_state?$pending_queries) \x0a\x09\x09DNS::log_unmatched_msgs(DNS::c$dns_state$pending_queries);\x0a\x0a\x09if (DNS::c$dns_state?$pending_replies) \x0a\x09\x09DNS::log_unmatched_msgs(DNS::c$dns_state$pending_replies);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], dns_state=[pending_query=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] atype: enum        = Analyzer::ANALYZER_DNS
                   [2] aid: count         = 3
@@ -83,7 +83,7 @@ XXXXXXXXXX.XXXXXX smtp_reply
                   [4] msg: string        = and/or bulk e-mail.
                   [5] cont_resp: bool    = F
 
-XXXXXXXXXX.XXXXXX protocol_confirmation
+XXXXXXXXXX.XXXXXX analyzer_confirmation
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=695.0 msecs 762.872696 usecs, service={\x0a\x0a}, history=ShAdD, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] atype: enum        = Analyzer::ANALYZER_SMTP
                   [2] aid: count         = 7
@@ -529,7 +529,7 @@ XXXXXXXXXX.XXXXXX smtp_reply
                   [4] msg: string        = uprise ESMTP SubEthaSMTP null
                   [5] cont_resp: bool    = F
 
-XXXXXXXXXX.XXXXXX protocol_confirmation
+XXXXXXXXXX.XXXXXX analyzer_confirmation
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=3, num_bytes_ip=168, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=35, state=4, num_pkts=2, num_bytes_ip=147, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=26.0 msecs 411.056519 usecs, service={\x0a\x0a}, history=ShAdD, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] atype: enum        = Analyzer::ANALYZER_SMTP
                   [2] aid: count         = 21
@@ -799,7 +799,7 @@ XXXXXXXXXX.XXXXXX ssl_extension
                   [2] code: count        = 13172
                   [3] val: string        = 
 
-XXXXXXXXXX.XXXXXX protocol_confirmation
+XXXXXXXXXX.XXXXXX analyzer_confirmation
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=F, logged=F, ssl_history=, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] atype: enum        = Analyzer::ANALYZER_SSL
                   [2] aid: count         = 35
diff --git a/testing/btest/Baseline/scripts.policy.misc.dump-events/really-all-events.log b/testing/btest/Baseline/scripts.policy.misc.dump-events/really-all-events.log
index ddceeae2e6..b24bb8e6dd 100644
--- a/testing/btest/Baseline/scripts.policy.misc.dump-events/really-all-events.log
+++ b/testing/btest/Baseline/scripts.policy.misc.dump-events/really-all-events.log
@@ -36,7 +36,7 @@ XXXXXXXXXX.XXXXXX dns_request
                   [4] qclass: count      = 1
                   [5] original_query: string = mail.patriots.in
 
-XXXXXXXXXX.XXXXXX protocol_confirmation
+XXXXXXXXXX.XXXXXX analyzer_confirmation
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], orig=[size=34, state=1, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=0 secs, service={\x0a\x0a}, history=D, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09DNS::finalize_dns\x0a\x09{ \x0a\x09if (!DNS::c?$dns_state) \x0a\x09\x09return ;\x0a\x0a\x09if (DNS::c$dns_state?$pending_query) \x0a\x09\x09Log::write(DNS::LOG, to_any_coerceDNS::c$dns_state$pending_query);\x0a\x0a\x09if (DNS::c$dns_state?$pending_queries) \x0a\x09\x09DNS::log_unmatched_msgs(DNS::c$dns_state$pending_queries);\x0a\x0a\x09if (DNS::c$dns_state?$pending_replies) \x0a\x09\x09DNS::log_unmatched_msgs(DNS::c$dns_state$pending_replies);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], dns_state=[pending_query=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=10.10.1.4, orig_p=56166/udp, resp_h=10.10.1.1, resp_p=53/udp], proto=udp, trans_id=31062, rtt=<uninitialized>, query=mail.patriots.in, qclass=1, qclass_name=C_INTERNET, qtype=1, qtype_name=A, rcode=<uninitialized>, rcode_name=<uninitialized>, AA=F, TC=F, RD=T, RA=F, Z=0, answers=<uninitialized>, TTLs=<uninitialized>, rejected=F, total_answers=<uninitialized>, total_replies=<uninitialized>, saw_query=F, saw_reply=F], pending_queries=<uninitialized>, pending_replies=<uninitialized>], ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] atype: enum        = Analyzer::ANALYZER_DNS
                   [2] aid: count         = 3
@@ -297,7 +297,7 @@ XXXXXXXXXX.XXXXXX tcp_packet
                   [5] len: count         = 9
                   [6] payload: string    = EHLO GP\x0d\x0a
 
-XXXXXXXXXX.XXXXXX protocol_confirmation
+XXXXXXXXXX.XXXXXX analyzer_confirmation
                   [0] c: connection      = [id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], orig=[size=9, state=4, num_pkts=2, num_bytes_ip=88, flow_label=0, l2_addr=00:e0:1c:3c:17:c2], resp=[size=181, state=4, num_pkts=2, num_bytes_ip=269, flow_label=0, l2_addr=00:1f:33:d9:81:60], start_time=XXXXXXXXXX.XXXXXX, duration=695.0 msecs 762.872696 usecs, service={\x0a\x0a}, history=ShAdD, uid=ClEkJM2Vm5giqnMf4h, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=ClEkJM2Vm5giqnMf4h, id=[orig_h=10.10.1.4, orig_p=1470/tcp, resp_h=74.53.140.153, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 and/or bulk e-mail., path=[74.53.140.153, 10.10.1.4], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] atype: enum        = Analyzer::ANALYZER_SMTP
                   [2] aid: count         = 7
@@ -6720,7 +6720,7 @@ XXXXXXXXXX.XXXXXX tcp_options
                   [1] is_orig: bool      = T
                   [2] options: vector of TCP::Option = [[kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>], [kind=1, length=1, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=<uninitialized>, echo_timestamp=<uninitialized>], [kind=8, length=10, data=<uninitialized>, mss=<uninitialized>, window_scale=<uninitialized>, sack=<uninitialized>, send_timestamp=403034638, echo_timestamp=84165]]
 
-XXXXXXXXXX.XXXXXX protocol_confirmation
+XXXXXXXXXX.XXXXXX analyzer_confirmation
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], orig=[size=24, state=4, num_pkts=3, num_bytes_ip=168, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=35, state=4, num_pkts=2, num_bytes_ip=147, flow_label=0, l2_addr=00:08:ca:cc:ad:4c], start_time=XXXXXXXXXX.XXXXXX, duration=26.0 msecs 411.056519 usecs, service={\x0a\x0a}, history=ShAdD, uid=CmES5u32sYpV7JYN, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SMTP::finalize_smtp\x0a\x09{ \x0a\x09if (SMTP::c?$smtp) \x0a\x09\x09SMTP::smtp_message(SMTP::c);\x0a\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=[ts=XXXXXXXXXX.XXXXXX, uid=CmES5u32sYpV7JYN, id=[orig_h=192.168.133.100, orig_p=49648/tcp, resp_h=192.168.133.102, resp_p=25/tcp], trans_depth=1, helo=<uninitialized>, mailfrom=<uninitialized>, rcptto=<uninitialized>, date=<uninitialized>, from=<uninitialized>, to=<uninitialized>, cc=<uninitialized>, reply_to=<uninitialized>, msg_id=<uninitialized>, in_reply_to=<uninitialized>, subject=<uninitialized>, x_originating_ip=<uninitialized>, first_received=<uninitialized>, second_received=<uninitialized>, last_reply=220 uprise ESMTP SubEthaSMTP null, path=[192.168.133.102, 192.168.133.100], user_agent=<uninitialized>, tls=F, process_received_from=T, has_client_activity=F, process_smtp_headers=T, entity_count=0, entity=<uninitialized>, fuids=[]], smtp_state=[helo=<uninitialized>, messages_transferred=0, pending_messages=<uninitialized>, mime_depth=0], socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] atype: enum        = Analyzer::ANALYZER_SMTP
                   [2] aid: count         = 21
@@ -8666,7 +8666,7 @@ XXXXXXXXXX.XXXXXX ssl_extension
                   [2] code: count        = 13172
                   [3] val: string        = 
 
-XXXXXXXXXX.XXXXXX protocol_confirmation
+XXXXXXXXXX.XXXXXX analyzer_confirmation
                   [0] c: connection      = [id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], orig=[size=201, state=4, num_pkts=2, num_bytes_ip=104, flow_label=0, l2_addr=58:b0:35:86:54:8d], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=52, flow_label=0, l2_addr=cc:b2:55:f4:62:92], start_time=XXXXXXXXXX.XXXXXX, duration=150.0 msecs 611.877441 usecs, service={\x0a\x0a}, history=ShAD, uid=C3eiCBGOLw3VtHfOj, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={\x0a\x09SSL::finalize_ssl\x0a\x09{ \x0a\x09if (!SSL::c?$ssl) \x0a\x09\x09return ;\x0a\x0a\x09if (!SSL::c$ssl$logged) \x0a\x09\x09SSL::ssl_finishing(SSL::c);\x0a\x0a\x09SSL::finish(SSL::c, F);\x0a\x09}\x0a}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=[ts=XXXXXXXXXX.XXXXXX, uid=C3eiCBGOLw3VtHfOj, id=[orig_h=192.168.133.100, orig_p=49655/tcp, resp_h=17.167.150.73, resp_p=443/tcp], version_num=<uninitialized>, version=<uninitialized>, cipher=<uninitialized>, curve=<uninitialized>, server_name=p31-keyvalueservice.icloud.com, session_id=<uninitialized>, resumed=F, client_ticket_empty_session_seen=F, client_key_exchange_seen=F, client_psk_seen=F, last_alert=<uninitialized>, next_protocol=<uninitialized>, analyzer_id=<uninitialized>, established=F, logged=F, ssl_history=, delay_tokens=<uninitialized>, cert_chain=<uninitialized>, cert_chain_fps=<uninitialized>, client_cert_chain=<uninitialized>, client_cert_chain_fps=<uninitialized>, subject=<uninitialized>, issuer=<uninitialized>, client_subject=<uninitialized>, client_issuer=<uninitialized>, sni_matches_cert=<uninitialized>, server_depth=0, client_depth=0], http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]
                   [1] atype: enum        = Analyzer::ANALYZER_SSL
                   [2] aid: count         = 35
diff --git a/testing/btest/bifs/disable_analyzer-early.zeek b/testing/btest/bifs/disable_analyzer-early.zeek
index bab832a489..96e2fc8914 100644
--- a/testing/btest/bifs/disable_analyzer-early.zeek
+++ b/testing/btest/bifs/disable_analyzer-early.zeek
@@ -5,7 +5,7 @@
 
 global msg_count: table[conn_id] of count &default=0;
 
-event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=10
+event analyzer_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=10
 	{
 	if ( atype != Analyzer::ANALYZER_HTTP )
 		return;
@@ -30,5 +30,3 @@ event zeek_done()
 	{
 	print "total http messages", msg_count;
 	}
-
-
diff --git a/testing/btest/bifs/disable_analyzer.zeek b/testing/btest/bifs/disable_analyzer.zeek
index d3abbe893e..03475a8dbc 100644
--- a/testing/btest/bifs/disable_analyzer.zeek
+++ b/testing/btest/bifs/disable_analyzer.zeek
@@ -5,7 +5,7 @@
 
 global msg_count: table[conn_id] of count &default=0;
 
-event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=10
+event analyzer_confirmation(c: connection, atype: AllAnalyzers::Tag, aid: count) &priority=10
 	{
 	if ( atype != Analyzer::ANALYZER_HTTP )
 		return;
@@ -30,5 +30,3 @@ event zeek_done()
 	{
 	print "total http messages", msg_count;
 	}
-
-
diff --git a/testing/btest/core/tunnels/gtp/non_recursive.test b/testing/btest/core/tunnels/gtp/non_recursive.test
index 6f5e6f3c62..5b87cc5071 100644
--- a/testing/btest/core/tunnels/gtp/non_recursive.test
+++ b/testing/btest/core/tunnels/gtp/non_recursive.test
@@ -5,7 +5,7 @@
 # So if we find inside a GTP tunnel anohter IP/UDP packet with port 2152,
 # it is just a UDP packet, but not another GTP tunnel.
 
-event protocol_violation(c: connection, atype: Analyzer::Tag, aid: count, reason: string)
+event analyzer_violation(c: connection, atype: AllAnalyzers::Tag, aid: count, reason: string)
     {
     print "protocol_violation", c$id, reason;
     }

From 44e0760e96440700c087944c9f1e296d6dd891fc Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Mon, 8 Nov 2021 16:13:47 -0700
Subject: [PATCH 096/210] Add PacketAnalyzer::register_for_port(s) functions

These allow packet analyzers to register ports as identifiers to forward from
parent analyzers, while also adding those ports to the now-global
Analyzer::ports table at the same time.
---
 scripts/base/frameworks/analyzer/main.zeek    | 12 ++--
 scripts/base/packet-protocols/__load__.zeek   |  2 +
 scripts/base/packet-protocols/main.zeek       | 61 +++++++++++++++++++
 .../canonified_loaded_scripts.log             |  7 ++-
 .../canonified_loaded_scripts.log             |  7 ++-
 testing/btest/Baseline/plugins.hooks/output   |  6 ++
 6 files changed, 85 insertions(+), 10 deletions(-)
 create mode 100644 scripts/base/packet-protocols/main.zeek

diff --git a/scripts/base/frameworks/analyzer/main.zeek b/scripts/base/frameworks/analyzer/main.zeek
index e56833fa75..20c4bcad10 100644
--- a/scripts/base/frameworks/analyzer/main.zeek
+++ b/scripts/base/frameworks/analyzer/main.zeek
@@ -133,12 +133,16 @@ export {
 	global disabled_analyzers: set[Analyzer::Tag] = {
 		ANALYZER_TCPSTATS,
 	} &redef;
+
+	## A table of ports mapped to analyzers that handle those ports. This is
+	## used by BPF filtering and DPD. Session analyzers can add to this using
+	## Analyzer::register_for_port(s) and packet analyzers can add to this
+	## using PacketAnalyzer::register_for_port(s).
+	global ports: table[AllAnalyzers::Tag] of set[port];
 }
 
 @load base/bif/analyzer.bif
 
-global ports: table[AllAnalyzers::Tag] of set[port];
-
 event zeek_init() &priority=5
 	{
 	if ( disable_all )
@@ -158,7 +162,7 @@ function disable_analyzer(tag: Analyzer::Tag) : bool
 	return __disable_analyzer(tag);
 	}
 
-function register_for_ports(tag: AllAnalyzers::Tag, ports: set[port]) : bool
+function register_for_ports(tag: Analyzer::Tag, ports: set[port]) : bool
 	{
 	local rc = T;
 
@@ -171,7 +175,7 @@ function register_for_ports(tag: AllAnalyzers::Tag, ports: set[port]) : bool
 	return rc;
 	}
 
-function register_for_port(tag: AllAnalyzers::Tag, p: port) : bool
+function register_for_port(tag: Analyzer::Tag, p: port) : bool
 	{
 	if ( ! __register_for_port(tag, p) )
 		return F;
diff --git a/scripts/base/packet-protocols/__load__.zeek b/scripts/base/packet-protocols/__load__.zeek
index 3a4d9209cb..15cdb63131 100644
--- a/scripts/base/packet-protocols/__load__.zeek
+++ b/scripts/base/packet-protocols/__load__.zeek
@@ -1,3 +1,5 @@
+@load ./main.zeek
+
 @load base/packet-protocols/root
 @load base/packet-protocols/ip
 @load base/packet-protocols/skip
diff --git a/scripts/base/packet-protocols/main.zeek b/scripts/base/packet-protocols/main.zeek
new file mode 100644
index 0000000000..e696da2556
--- /dev/null
+++ b/scripts/base/packet-protocols/main.zeek
@@ -0,0 +1,61 @@
+module PacketAnalyzer;
+
+@load base/frameworks/analyzer/main.zeek
+
+export {
+	## Registers a set of well-known ports for an analyzer. If a future
+	## connection on one of these ports is seen, the analyzer will be
+	## automatically assigned to parsing it. The function *adds* to all ports
+	## already registered, it doesn't replace them.
+	##
+	## tag: The tag of the analyzer.
+	##
+	## ports: The set of well-known ports to associate with the analyzer.
+	##
+	## Returns: True if the ports were successfully registered.
+	global register_for_ports: function(parent: PacketAnalyzer::Tag,
+	                                    child: PacketAnalyzer::Tag,
+	                                    ports: set[port]) : bool;
+
+	## Registers an individual well-known port for an analyzer. If a future
+	## connection on this port is seen, the analyzer will be automatically
+	## assigned to parsing it. The function *adds* to all ports already
+	## registered, it doesn't replace them.
+	##
+	## tag: The tag of the analyzer.
+	##
+	## p: The well-known port to associate with the analyzer.
+	##
+	## Returns: True if the port was successfully registered.
+	global register_for_port: function(parent: PacketAnalyzer::Tag,
+	                                   child: PacketAnalyzer::Tag,
+	                                   p: port) : bool;
+}
+
+function register_for_ports(parent: PacketAnalyzer::Tag,
+                            child: PacketAnalyzer::Tag,
+                            ports: set[port]) : bool
+	{
+	local rc = T;
+
+	for ( p in ports )
+		{
+		if ( ! register_for_port(parent, child, p) )
+			rc = F;
+		}
+
+	return rc;
+	}
+
+function register_for_port(parent: PacketAnalyzer::Tag,
+                           child: PacketAnalyzer::Tag,
+                           p: port) : bool
+	{
+	register_packet_analyzer(parent, port_to_count(p), child);
+
+	if ( child !in Analyzer::ports )
+		Analyzer::ports[child] = set();
+
+	add Analyzer::ports[child][p];
+	return T;
+	}
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
index 59555f5f80..8e3c6968ad 100644
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@@ -23,6 +23,10 @@ scripts/base/init-bare.zeek
   build/scripts/base/bif/plugins/Zeek_KRB.types.bif.zeek
   build/scripts/base/bif/event.bif.zeek
   scripts/base/packet-protocols/__load__.zeek
+    scripts/base/packet-protocols/main.zeek
+      scripts/base/frameworks/analyzer/main.zeek
+        scripts/base/frameworks/packet-filter/utils.zeek
+        build/scripts/base/bif/analyzer.bif.zeek
     scripts/base/packet-protocols/root/__load__.zeek
       scripts/base/packet-protocols/root/main.zeek
     scripts/base/packet-protocols/ip/__load__.zeek
@@ -94,9 +98,6 @@ scripts/base/init-frameworks-and-bifs.zeek
     scripts/base/frameworks/input/readers/config.zeek
     scripts/base/frameworks/input/readers/sqlite.zeek
   scripts/base/frameworks/analyzer/__load__.zeek
-    scripts/base/frameworks/analyzer/main.zeek
-      scripts/base/frameworks/packet-filter/utils.zeek
-      build/scripts/base/bif/analyzer.bif.zeek
   scripts/base/frameworks/files/__load__.zeek
     scripts/base/frameworks/files/main.zeek
       build/scripts/base/bif/file_analysis.bif.zeek
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
index 5ffcea63e8..8608d393c8 100644
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -23,6 +23,10 @@ scripts/base/init-bare.zeek
   build/scripts/base/bif/plugins/Zeek_KRB.types.bif.zeek
   build/scripts/base/bif/event.bif.zeek
   scripts/base/packet-protocols/__load__.zeek
+    scripts/base/packet-protocols/main.zeek
+      scripts/base/frameworks/analyzer/main.zeek
+        scripts/base/frameworks/packet-filter/utils.zeek
+        build/scripts/base/bif/analyzer.bif.zeek
     scripts/base/packet-protocols/root/__load__.zeek
       scripts/base/packet-protocols/root/main.zeek
     scripts/base/packet-protocols/ip/__load__.zeek
@@ -94,9 +98,6 @@ scripts/base/init-frameworks-and-bifs.zeek
     scripts/base/frameworks/input/readers/config.zeek
     scripts/base/frameworks/input/readers/sqlite.zeek
   scripts/base/frameworks/analyzer/__load__.zeek
-    scripts/base/frameworks/analyzer/main.zeek
-      scripts/base/frameworks/packet-filter/utils.zeek
-      build/scripts/base/bif/analyzer.bif.zeek
   scripts/base/frameworks/files/__load__.zeek
     scripts/base/frameworks/files/main.zeek
       build/scripts/base/bif/file_analysis.bif.zeek
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index 1fa1a829a4..6c0d0635d1 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -845,6 +845,7 @@
 0.000000   MetaHookPost  LoadFile(0, ./logging.bif.zeek, <...>/logging.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./magic, <...>/magic) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./main, <...>/main.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, ./main.zeek, <...>/main.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./max, <...>/max.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./messaging.bif.zeek, <...>/messaging.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./min, <...>/min.zeek) -> -1
@@ -967,6 +968,7 @@
 0.000000   MetaHookPost  LoadFile(0, base<...>/logging, <...>/logging) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/logging.bif, <...>/logging.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/main, <...>/main.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, base<...>/main.zeek, <...>/main.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/messaging.bif, <...>/messaging.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/modbus, <...>/modbus) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/mpls, <...>/mpls) -> -1
@@ -2265,6 +2267,7 @@
 0.000000   MetaHookPre   LoadFile(0, ./logging.bif.zeek, <...>/logging.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./magic, <...>/magic)
 0.000000   MetaHookPre   LoadFile(0, ./main, <...>/main.zeek)
+0.000000   MetaHookPre   LoadFile(0, ./main.zeek, <...>/main.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./max, <...>/max.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./messaging.bif.zeek, <...>/messaging.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./min, <...>/min.zeek)
@@ -2387,6 +2390,7 @@
 0.000000   MetaHookPre   LoadFile(0, base<...>/logging, <...>/logging)
 0.000000   MetaHookPre   LoadFile(0, base<...>/logging.bif, <...>/logging.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/main, <...>/main.zeek)
+0.000000   MetaHookPre   LoadFile(0, base<...>/main.zeek, <...>/main.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/messaging.bif, <...>/messaging.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/modbus, <...>/modbus)
 0.000000   MetaHookPre   LoadFile(0, base<...>/mpls, <...>/mpls)
@@ -3693,6 +3697,7 @@
 0.000000 | HookLoadFile  ./logging.bif.zeek <...>/logging.bif.zeek
 0.000000 | HookLoadFile  ./magic <...>/magic
 0.000000 | HookLoadFile  ./main <...>/main.zeek
+0.000000 | HookLoadFile  ./main.zeek <...>/main.zeek
 0.000000 | HookLoadFile  ./max <...>/max.zeek
 0.000000 | HookLoadFile  ./messaging.bif.zeek <...>/messaging.bif.zeek
 0.000000 | HookLoadFile  ./min <...>/min.zeek
@@ -3818,6 +3823,7 @@
 0.000000 | HookLoadFile  base<...>/logging <...>/logging
 0.000000 | HookLoadFile  base<...>/logging.bif <...>/logging.bif.zeek
 0.000000 | HookLoadFile  base<...>/main <...>/main.zeek
+0.000000 | HookLoadFile  base<...>/main.zeek <...>/main.zeek
 0.000000 | HookLoadFile  base<...>/messaging.bif <...>/messaging.bif.zeek
 0.000000 | HookLoadFile  base<...>/modbus <...>/modbus
 0.000000 | HookLoadFile  base<...>/mpls <...>/mpls

From 7e40094f2cbd3ca78afe1b1c648d9e9658119893 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Thu, 26 Aug 2021 11:28:51 -0700
Subject: [PATCH 097/210] Add AYIYA packet analyzer, disable old analyzer

---
 scripts/base/frameworks/tunnels/main.zeek     |  4 +-
 scripts/base/packet-protocols/__load__.zeek   |  6 +-
 .../base/packet-protocols/ayiya/__load__.zeek |  1 +
 scripts/base/packet-protocols/ayiya/main.zeek | 19 +++++
 scripts/base/protocols/tunnels/dpd.sig        |  6 --
 src/analyzer/protocol/CMakeLists.txt          |  3 +-
 src/packet_analysis/protocol/CMakeLists.txt   |  4 +-
 src/packet_analysis/protocol/ayiya/AYIYA.cc   | 77 +++++++++++++++++++
 src/packet_analysis/protocol/ayiya/AYIYA.h    | 27 +++++++
 .../protocol/ayiya/CMakeLists.txt             |  5 ++
 src/packet_analysis/protocol/ayiya/Plugin.cc  | 27 +++++++
 .../canonified_loaded_scripts.log             | 10 ++-
 .../canonified_loaded_scripts.log             | 10 ++-
 testing/btest/Baseline/plugins.hooks/output   | 42 +++++++---
 .../Baseline/signatures.dpd/dpd-ipv4.out      |  2 +-
 .../Baseline/signatures.dpd/dpd-ipv6.out      |  2 +-
 .../Baseline/signatures.dpd/nosig-ipv4.out    |  2 +-
 .../Baseline/signatures.dpd/nosig-ipv6.out    |  2 +-
 18 files changed, 214 insertions(+), 35 deletions(-)
 create mode 100644 scripts/base/packet-protocols/ayiya/__load__.zeek
 create mode 100644 scripts/base/packet-protocols/ayiya/main.zeek
 create mode 100644 src/packet_analysis/protocol/ayiya/AYIYA.cc
 create mode 100644 src/packet_analysis/protocol/ayiya/AYIYA.h
 create mode 100644 src/packet_analysis/protocol/ayiya/CMakeLists.txt
 create mode 100644 src/packet_analysis/protocol/ayiya/Plugin.cc

diff --git a/scripts/base/frameworks/tunnels/main.zeek b/scripts/base/frameworks/tunnels/main.zeek
index 688d1d7f67..2afa55f9fb 100644
--- a/scripts/base/frameworks/tunnels/main.zeek
+++ b/scripts/base/frameworks/tunnels/main.zeek
@@ -90,16 +90,14 @@ export {
 	global finalize_tunnel: Conn::RemovalHook;
 }
 
-const ayiya_ports = { 5072/udp };
 const teredo_ports = { 3544/udp };
 const gtpv1_ports = { 2152/udp, 2123/udp };
-redef likely_server_ports += { ayiya_ports, teredo_ports, gtpv1_ports, vxlan_ports, geneve_ports };
+redef likely_server_ports += { teredo_ports, gtpv1_ports, vxlan_ports, geneve_ports };
 
 event zeek_init() &priority=5
 	{
 	Log::create_stream(Tunnel::LOG, [$columns=Info, $path="tunnel", $policy=log_policy]);
 
-	Analyzer::register_for_ports(Analyzer::ANALYZER_AYIYA, ayiya_ports);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, teredo_ports);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_GTPV1, gtpv1_ports);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_VXLAN, vxlan_ports);
diff --git a/scripts/base/packet-protocols/__load__.zeek b/scripts/base/packet-protocols/__load__.zeek
index 15cdb63131..23c8a6d5c0 100644
--- a/scripts/base/packet-protocols/__load__.zeek
+++ b/scripts/base/packet-protocols/__load__.zeek
@@ -14,9 +14,11 @@
 @load base/packet-protocols/pppoe
 @load base/packet-protocols/vlan
 @load base/packet-protocols/mpls
-@load base/packet-protocols/gre
-@load base/packet-protocols/iptunnel
 @load base/packet-protocols/vntag
 @load base/packet-protocols/udp
 @load base/packet-protocols/tcp
 @load base/packet-protocols/icmp
+
+@load base/packet-protocols/gre
+@load base/packet-protocols/iptunnel
+@load base/packet-protocols/ayiya
diff --git a/scripts/base/packet-protocols/ayiya/__load__.zeek b/scripts/base/packet-protocols/ayiya/__load__.zeek
new file mode 100644
index 0000000000..d551be57d3
--- /dev/null
+++ b/scripts/base/packet-protocols/ayiya/__load__.zeek
@@ -0,0 +1 @@
+@load ./main
\ No newline at end of file
diff --git a/scripts/base/packet-protocols/ayiya/main.zeek b/scripts/base/packet-protocols/ayiya/main.zeek
new file mode 100644
index 0000000000..d6fab5a44b
--- /dev/null
+++ b/scripts/base/packet-protocols/ayiya/main.zeek
@@ -0,0 +1,19 @@
+module PacketAnalyzer::AYIYA;
+
+# Needed for port registration for BPF
+@load base/frameworks/analyzer/main
+
+const IPPROTO_IPV4 : count = 4;
+const IPPROTO_IPV6 : count = 41;
+
+const ayiya_ports = { 5072/udp };
+redef likely_server_ports += { ayiya_ports };
+
+event zeek_init() &priority=20
+	{
+	PacketAnalyzer::register_protocol_detection(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_AYIYA, IPPROTO_IPV4, PacketAnalyzer::ANALYZER_IP);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_AYIYA, IPPROTO_IPV6, PacketAnalyzer::ANALYZER_IP);
+
+	PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, ayiya_ports);
+	}
diff --git a/scripts/base/protocols/tunnels/dpd.sig b/scripts/base/protocols/tunnels/dpd.sig
index 9c4bddeffd..552e0c9170 100644
--- a/scripts/base/protocols/tunnels/dpd.sig
+++ b/scripts/base/protocols/tunnels/dpd.sig
@@ -1,12 +1,6 @@
 # Provide DPD signatures for tunneling protocols that otherwise
 # wouldn't be detected at all.
 
-signature dpd_ayiya {
-  ip-proto = udp
-  payload /^..\x11\x29/
-  enable "ayiya"
-}
-
 signature dpd_teredo {
   ip-proto = udp
   payload /^(\x00\x00)|(\x00\x01)|([\x60-\x6f].{7}((\x20\x01\x00\x00)).{28})|([\x60-\x6f].{23}((\x20\x01\x00\x00))).{12}/
diff --git a/src/analyzer/protocol/CMakeLists.txt b/src/analyzer/protocol/CMakeLists.txt
index 6bf668c4a1..1d41a72dc3 100644
--- a/src/analyzer/protocol/CMakeLists.txt
+++ b/src/analyzer/protocol/CMakeLists.txt
@@ -1,5 +1,4 @@
-
-add_subdirectory(ayiya)
+#add_subdirectory(ayiya)
 add_subdirectory(bittorrent)
 add_subdirectory(conn-size)
 add_subdirectory(dce-rpc)
diff --git a/src/packet_analysis/protocol/CMakeLists.txt b/src/packet_analysis/protocol/CMakeLists.txt
index 9468bf2625..f9a84170bd 100644
--- a/src/packet_analysis/protocol/CMakeLists.txt
+++ b/src/packet_analysis/protocol/CMakeLists.txt
@@ -18,6 +18,8 @@ add_subdirectory(ip)
 add_subdirectory(udp)
 add_subdirectory(tcp)
 add_subdirectory(icmp)
+add_subdirectory(vntag)
+
 add_subdirectory(gre)
 add_subdirectory(iptunnel)
-add_subdirectory(vntag)
+add_subdirectory(ayiya)
diff --git a/src/packet_analysis/protocol/ayiya/AYIYA.cc b/src/packet_analysis/protocol/ayiya/AYIYA.cc
new file mode 100644
index 0000000000..203f354dc2
--- /dev/null
+++ b/src/packet_analysis/protocol/ayiya/AYIYA.cc
@@ -0,0 +1,77 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/packet_analysis/protocol/ayiya/AYIYA.h"
+
+#include "zeek/packet_analysis/protocol/iptunnel/IPTunnel.h"
+
+using namespace zeek::packet_analysis::AYIYA;
+
+AYIYAAnalyzer::AYIYAAnalyzer() : zeek::packet_analysis::Analyzer("AYIYA") { }
+
+bool AYIYAAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
+	{
+	if ( ! BifConst::Tunnel::enable_ayiya )
+		return false;
+
+	if ( packet->encap && packet->encap->Depth() >= BifConst::Tunnel::max_depth )
+		{
+		Weird("exceeded_tunnel_max_depth", packet);
+		return false;
+		}
+
+	// This will be expanded based on the header data, but it has to be at least
+	// this long.
+	size_t hdr_size = 8;
+
+	if ( hdr_size > len )
+		{
+		AnalyzerViolation("Truncated AYIYA", packet->session);
+		return false;
+		}
+
+	uint8_t identity_len = 1 << (data[0] >> 4);
+	uint8_t signature_len = (data[1] >> 4) * 4;
+	hdr_size += identity_len + signature_len;
+
+	// Double-check this one now that we know the actual full length of the header.
+	if ( hdr_size > len )
+		{
+		AnalyzerViolation("Truncated AYIYA", packet->session);
+		return false;
+		}
+
+	uint8_t op_code = data[2] & 0x0F;
+
+	// Check that op_code is the "forward" command. Everything else is ignored.
+	// This isn't an error, it's just the end of our parsing.
+	if ( op_code != 1 )
+		return true;
+
+	uint8_t next_header = data[3];
+
+	len -= hdr_size;
+	data += hdr_size;
+
+	int encap_index = 0;
+	auto inner_packet = packet_analysis::IPTunnel::build_inner_packet(
+		packet, &encap_index, nullptr, len, data, DLT_RAW, BifEnum::Tunnel::AYIYA,
+		GetAnalyzerTag());
+
+	AnalyzerConfirmation(packet->session);
+
+	// Skip the header and pass on to the next analyzer. It's possible for AYIYA to
+	// just be a header and nothing after it, so check for that case.
+	if ( len > hdr_size )
+		return ForwardPacket(len, data, inner_packet.get(), next_header);
+
+	return true;
+	}
+
+bool AYIYAAnalyzer::DetectProtocol(size_t len, const uint8_t* data, Packet* packet)
+	{
+	if ( ! BifConst::Tunnel::enable_ayiya )
+		return false;
+
+	// These magic numbers are based on the old DPD entry, which was based on... something?
+	return len >= 3 && data[1] == 0x52 && data[2] == 0x11;
+	}
diff --git a/src/packet_analysis/protocol/ayiya/AYIYA.h b/src/packet_analysis/protocol/ayiya/AYIYA.h
new file mode 100644
index 0000000000..e049c49ebb
--- /dev/null
+++ b/src/packet_analysis/protocol/ayiya/AYIYA.h
@@ -0,0 +1,27 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include "zeek/packet_analysis/Analyzer.h"
+#include "zeek/packet_analysis/Component.h"
+
+namespace zeek::packet_analysis::AYIYA
+	{
+
+class AYIYAAnalyzer : public zeek::packet_analysis::Analyzer
+	{
+public:
+	AYIYAAnalyzer();
+	~AYIYAAnalyzer() override = default;
+
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+
+	static zeek::packet_analysis::AnalyzerPtr Instantiate()
+		{
+		return std::make_shared<AYIYAAnalyzer>();
+		}
+
+	bool DetectProtocol(size_t len, const uint8_t* data, Packet* packet) override;
+	};
+
+	}
diff --git a/src/packet_analysis/protocol/ayiya/CMakeLists.txt b/src/packet_analysis/protocol/ayiya/CMakeLists.txt
new file mode 100644
index 0000000000..d0e0d6eb80
--- /dev/null
+++ b/src/packet_analysis/protocol/ayiya/CMakeLists.txt
@@ -0,0 +1,5 @@
+include(ZeekPlugin)
+
+zeek_plugin_begin(Zeek AYIYA)
+zeek_plugin_cc(AYIYA.cc Plugin.cc)
+zeek_plugin_end()
diff --git a/src/packet_analysis/protocol/ayiya/Plugin.cc b/src/packet_analysis/protocol/ayiya/Plugin.cc
new file mode 100644
index 0000000000..3cd686a180
--- /dev/null
+++ b/src/packet_analysis/protocol/ayiya/Plugin.cc
@@ -0,0 +1,27 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/plugin/Plugin.h"
+
+#include "zeek/packet_analysis/Component.h"
+#include "zeek/packet_analysis/protocol/ayiya/AYIYA.h"
+
+namespace zeek::plugin::Zeek_AYIYA
+	{
+
+class Plugin : public zeek::plugin::Plugin
+	{
+public:
+	zeek::plugin::Configuration Configure()
+		{
+		AddComponent(new zeek::packet_analysis::Component(
+			"AYIYA", zeek::packet_analysis::AYIYA::AYIYAAnalyzer::Instantiate));
+
+		zeek::plugin::Configuration config;
+		config.name = "Zeek::AYIYA";
+		config.description = "AYIYA packet analyzer";
+		return config;
+		}
+
+	} plugin;
+
+	}
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
index 8e3c6968ad..8db7b42521 100644
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@@ -55,10 +55,6 @@ scripts/base/init-bare.zeek
       scripts/base/packet-protocols/vlan/main.zeek
     scripts/base/packet-protocols/mpls/__load__.zeek
       scripts/base/packet-protocols/mpls/main.zeek
-    scripts/base/packet-protocols/gre/__load__.zeek
-      scripts/base/packet-protocols/gre/main.zeek
-    scripts/base/packet-protocols/iptunnel/__load__.zeek
-      scripts/base/packet-protocols/iptunnel/main.zeek
     scripts/base/packet-protocols/vntag/__load__.zeek
       scripts/base/packet-protocols/vntag/main.zeek
     scripts/base/packet-protocols/udp/__load__.zeek
@@ -67,6 +63,12 @@ scripts/base/init-bare.zeek
       scripts/base/packet-protocols/tcp/main.zeek
     scripts/base/packet-protocols/icmp/__load__.zeek
       scripts/base/packet-protocols/icmp/main.zeek
+    scripts/base/packet-protocols/gre/__load__.zeek
+      scripts/base/packet-protocols/gre/main.zeek
+    scripts/base/packet-protocols/iptunnel/__load__.zeek
+      scripts/base/packet-protocols/iptunnel/main.zeek
+    scripts/base/packet-protocols/ayiya/__load__.zeek
+      scripts/base/packet-protocols/ayiya/main.zeek
 scripts/base/init-frameworks-and-bifs.zeek
   scripts/base/frameworks/logging/__load__.zeek
     scripts/base/frameworks/logging/main.zeek
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
index 8608d393c8..69a6fc05fa 100644
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -55,10 +55,6 @@ scripts/base/init-bare.zeek
       scripts/base/packet-protocols/vlan/main.zeek
     scripts/base/packet-protocols/mpls/__load__.zeek
       scripts/base/packet-protocols/mpls/main.zeek
-    scripts/base/packet-protocols/gre/__load__.zeek
-      scripts/base/packet-protocols/gre/main.zeek
-    scripts/base/packet-protocols/iptunnel/__load__.zeek
-      scripts/base/packet-protocols/iptunnel/main.zeek
     scripts/base/packet-protocols/vntag/__load__.zeek
       scripts/base/packet-protocols/vntag/main.zeek
     scripts/base/packet-protocols/udp/__load__.zeek
@@ -67,6 +63,12 @@ scripts/base/init-bare.zeek
       scripts/base/packet-protocols/tcp/main.zeek
     scripts/base/packet-protocols/icmp/__load__.zeek
       scripts/base/packet-protocols/icmp/main.zeek
+    scripts/base/packet-protocols/gre/__load__.zeek
+      scripts/base/packet-protocols/gre/main.zeek
+    scripts/base/packet-protocols/iptunnel/__load__.zeek
+      scripts/base/packet-protocols/iptunnel/main.zeek
+    scripts/base/packet-protocols/ayiya/__load__.zeek
+      scripts/base/packet-protocols/ayiya/main.zeek
 scripts/base/init-frameworks-and-bifs.zeek
   scripts/base/frameworks/logging/__load__.zeek
     scripts/base/frameworks/logging/main.zeek
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index 6c0d0635d1..982a4b914d 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -1,6 +1,5 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 0.000000   MetaHookPost  CallFunction(Analyzer::__disable_analyzer, <frame>, (Analyzer::ANALYZER_TCPSTATS)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_AYIYA, 5072/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DCE_RPC, 135/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DHCP, 4011/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DHCP, 67/udp)) -> <no result>
@@ -66,7 +65,6 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_TCPSTATS)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_AYIYA, 5072/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_DCE_RPC, 135/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_DHCP, 4011/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_DHCP, 67/udp)) -> <no result>
@@ -131,7 +129,6 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_VXLAN, 4789/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_AYIYA, {5072/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DCE_RPC, {135/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DHCP, {67<...>/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DNP3_TCP, {20000<...>/tcp})) -> <no result>
@@ -587,6 +584,10 @@
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (ignore_checksums_nets, PacketAnalyzer::IP::analyzer_option_change_ignore_checksums_nets{ if (ignore_checksums_nets == PacketAnalyzer::IP::ID) PacketAnalyzer::__set_ignore_checksums_nets(PacketAnalyzer::IP::new_value)return (PacketAnalyzer::IP::new_value)}, 5)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (udp_content_delivery_ports_use_resp, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (udp_content_ports, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, 5072/udp)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, {5072/udp})) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 41, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 2048, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 2054, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 32821, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
@@ -632,6 +633,7 @@
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 2048, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 2054, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 32821, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
@@ -642,6 +644,7 @@
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 33024, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 34984, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 37120, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_protocol_detection, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketFilter::build, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketFilter::combine_filters, <frame>, (ip or not ip, and, )) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketFilter::install, <frame>, ()) -> <no result>
@@ -672,6 +675,7 @@
 0.000000   MetaHookPost  CallFunction(getenv, <null>, (ZEEK_DEFAULT_LISTEN_ADDRESS)) -> <no result>
 0.000000   MetaHookPost  CallFunction(global_ids, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(network_time, <frame>, ()) -> <no result>
+0.000000   MetaHookPost  CallFunction(port_to_count, <frame>, (5072/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(reading_live_traffic, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(reading_traces, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(set_to_regex, <frame>, ({}, (^\.?|\.)(~~)$)) -> <no result>
@@ -919,6 +923,7 @@
 0.000000   MetaHookPost  LoadFile(0, base<...>/analyzer, <...>/analyzer) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/analyzer.bif, <...>/analyzer.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/api, <...>/api.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, base<...>/ayiya, <...>/ayiya) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/backtrace, <...>/backtrace.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/broker, <...>/broker) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/cluster, <...>/cluster) -> -1
@@ -1213,6 +1218,7 @@
 0.000000   MetaHookPost  LoadFileExtended(0, ./logging.bif.zeek, <...>/logging.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./magic, <...>/magic) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./main, <...>/main.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./main.zeek, <...>/main.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./max, <...>/max.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./messaging.bif.zeek, <...>/messaging.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./min, <...>/min.zeek) -> (-1, <no content>)
@@ -1286,6 +1292,7 @@
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/analyzer, <...>/analyzer) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/analyzer.bif, <...>/analyzer.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/api, <...>/api.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/ayiya, <...>/ayiya) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/backtrace, <...>/backtrace.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/broker, <...>/broker) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/cluster, <...>/cluster) -> (-1, <no content>)
@@ -1335,6 +1342,7 @@
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/logging, <...>/logging) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/logging.bif, <...>/logging.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/main, <...>/main.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/main.zeek, <...>/main.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/messaging.bif, <...>/messaging.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/modbus, <...>/modbus) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/mpls, <...>/mpls) -> (-1, <no content>)
@@ -1422,7 +1430,6 @@
 0.000000   MetaHookPost  QueueEvent(filter_change_tracking()) -> false
 0.000000   MetaHookPost  QueueEvent(zeek_init()) -> false
 0.000000   MetaHookPre   CallFunction(Analyzer::__disable_analyzer, <frame>, (Analyzer::ANALYZER_TCPSTATS))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_AYIYA, 5072/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DCE_RPC, 135/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DHCP, 4011/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DHCP, 67/udp))
@@ -1488,7 +1495,6 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_TCPSTATS))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_AYIYA, 5072/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_DCE_RPC, 135/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_DHCP, 4011/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_DHCP, 67/udp))
@@ -1553,7 +1559,6 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_VXLAN, 4789/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_AYIYA, {5072/udp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DCE_RPC, {135/tcp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DHCP, {67<...>/udp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DNP3_TCP, {20000<...>/tcp}))
@@ -2009,6 +2014,10 @@
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (ignore_checksums_nets, PacketAnalyzer::IP::analyzer_option_change_ignore_checksums_nets{ if (ignore_checksums_nets == PacketAnalyzer::IP::ID) PacketAnalyzer::__set_ignore_checksums_nets(PacketAnalyzer::IP::new_value)return (PacketAnalyzer::IP::new_value)}, 5))
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (udp_content_delivery_ports_use_resp, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100))
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (udp_content_ports, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, 5072/udp))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, {5072/udp}))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 41, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 2048, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 2054, PacketAnalyzer::ANALYZER_ARP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 32821, PacketAnalyzer::ANALYZER_ARP))
@@ -2054,6 +2063,7 @@
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 2048, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 2054, PacketAnalyzer::ANALYZER_ARP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 32821, PacketAnalyzer::ANALYZER_ARP))
@@ -2064,6 +2074,7 @@
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 33024, PacketAnalyzer::ANALYZER_VLAN))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 34984, PacketAnalyzer::ANALYZER_VLAN))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 37120, PacketAnalyzer::ANALYZER_VLAN))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_protocol_detection, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA))
 0.000000   MetaHookPre   CallFunction(PacketFilter::build, <frame>, ())
 0.000000   MetaHookPre   CallFunction(PacketFilter::combine_filters, <frame>, (ip or not ip, and, ))
 0.000000   MetaHookPre   CallFunction(PacketFilter::install, <frame>, ())
@@ -2094,6 +2105,7 @@
 0.000000   MetaHookPre   CallFunction(getenv, <null>, (ZEEK_DEFAULT_LISTEN_ADDRESS))
 0.000000   MetaHookPre   CallFunction(global_ids, <frame>, ())
 0.000000   MetaHookPre   CallFunction(network_time, <frame>, ())
+0.000000   MetaHookPre   CallFunction(port_to_count, <frame>, (5072/udp))
 0.000000   MetaHookPre   CallFunction(reading_live_traffic, <frame>, ())
 0.000000   MetaHookPre   CallFunction(reading_traces, <frame>, ())
 0.000000   MetaHookPre   CallFunction(set_to_regex, <frame>, ({}, (^\.?|\.)(~~)$))
@@ -2341,6 +2353,7 @@
 0.000000   MetaHookPre   LoadFile(0, base<...>/analyzer, <...>/analyzer)
 0.000000   MetaHookPre   LoadFile(0, base<...>/analyzer.bif, <...>/analyzer.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/api, <...>/api.zeek)
+0.000000   MetaHookPre   LoadFile(0, base<...>/ayiya, <...>/ayiya)
 0.000000   MetaHookPre   LoadFile(0, base<...>/backtrace, <...>/backtrace.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/broker, <...>/broker)
 0.000000   MetaHookPre   LoadFile(0, base<...>/cluster, <...>/cluster)
@@ -2635,6 +2648,7 @@
 0.000000   MetaHookPre   LoadFileExtended(0, ./logging.bif.zeek, <...>/logging.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./magic, <...>/magic)
 0.000000   MetaHookPre   LoadFileExtended(0, ./main, <...>/main.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./main.zeek, <...>/main.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./max, <...>/max.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./messaging.bif.zeek, <...>/messaging.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./min, <...>/min.zeek)
@@ -2708,6 +2722,7 @@
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/analyzer, <...>/analyzer)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/analyzer.bif, <...>/analyzer.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/api, <...>/api.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/ayiya, <...>/ayiya)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/backtrace, <...>/backtrace.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/broker, <...>/broker)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/cluster, <...>/cluster)
@@ -2757,6 +2772,7 @@
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/logging, <...>/logging)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/logging.bif, <...>/logging.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/main, <...>/main.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/main.zeek, <...>/main.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/messaging.bif, <...>/messaging.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/modbus, <...>/modbus)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/mpls, <...>/mpls)
@@ -2844,7 +2860,6 @@
 0.000000   MetaHookPre   QueueEvent(filter_change_tracking())
 0.000000   MetaHookPre   QueueEvent(zeek_init())
 0.000000 | HookCallFunction Analyzer::__disable_analyzer(Analyzer::ANALYZER_TCPSTATS)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_AYIYA, 5072/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DCE_RPC, 135/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DHCP, 4011/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DHCP, 67/udp)
@@ -2910,7 +2925,6 @@
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5222/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5269/tcp)
 0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_TCPSTATS)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_AYIYA, 5072/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DCE_RPC, 135/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DHCP, 4011/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DHCP, 67/udp)
@@ -2975,7 +2989,6 @@
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_VXLAN, 4789/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_XMPP, 5222/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_XMPP, 5269/tcp)
-0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_AYIYA, {5072/udp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DCE_RPC, {135/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DHCP, {67<...>/udp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DNP3_TCP, {20000<...>/tcp})
@@ -3430,6 +3443,10 @@
 0.000000 | HookCallFunction Option::set_change_handler(ignore_checksums_nets, PacketAnalyzer::IP::analyzer_option_change_ignore_checksums_nets{ if (ignore_checksums_nets == PacketAnalyzer::IP::ID) PacketAnalyzer::__set_ignore_checksums_nets(PacketAnalyzer::IP::new_value)return (PacketAnalyzer::IP::new_value)}, 5)
 0.000000 | HookCallFunction Option::set_change_handler(udp_content_delivery_ports_use_resp, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)
 0.000000 | HookCallFunction Option::set_change_handler(udp_content_ports, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)
+0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, 5072/udp)
+0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, {5072/udp})
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_AYIYA, 41, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 2048, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 2054, PacketAnalyzer::ANALYZER_ARP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 32821, PacketAnalyzer::ANALYZER_ARP)
@@ -3475,6 +3492,7 @@
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 2048, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 2054, PacketAnalyzer::ANALYZER_ARP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 32821, PacketAnalyzer::ANALYZER_ARP)
@@ -3485,6 +3503,7 @@
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VNTAG, 33024, PacketAnalyzer::ANALYZER_VLAN)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VNTAG, 34984, PacketAnalyzer::ANALYZER_VLAN)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VNTAG, 37120, PacketAnalyzer::ANALYZER_VLAN)
+0.000000 | HookCallFunction PacketAnalyzer::register_protocol_detection(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA)
 0.000000 | HookCallFunction PacketFilter::build()
 0.000000 | HookCallFunction PacketFilter::combine_filters(ip or not ip, and, )
 0.000000 | HookCallFunction PacketFilter::install()
@@ -3515,6 +3534,7 @@
 0.000000 | HookCallFunction getenv(ZEEK_DEFAULT_LISTEN_ADDRESS)
 0.000000 | HookCallFunction global_ids()
 0.000000 | HookCallFunction network_time()
+0.000000 | HookCallFunction port_to_count(5072/udp)
 0.000000 | HookCallFunction reading_live_traffic()
 0.000000 | HookCallFunction reading_traces()
 0.000000 | HookCallFunction set_to_regex({}, (^\.?|\.)(~~)$)
@@ -3774,6 +3794,7 @@
 0.000000 | HookLoadFile  base<...>/analyzer <...>/analyzer
 0.000000 | HookLoadFile  base<...>/analyzer.bif <...>/analyzer.bif.zeek
 0.000000 | HookLoadFile  base<...>/api <...>/api.zeek
+0.000000 | HookLoadFile  base<...>/ayiya <...>/ayiya
 0.000000 | HookLoadFile  base<...>/backtrace <...>/backtrace.zeek
 0.000000 | HookLoadFile  base<...>/broker <...>/broker
 0.000000 | HookLoadFile  base<...>/cluster <...>/cluster
@@ -4065,6 +4086,7 @@
 0.000000 | HookLoadFileExtended ./logging.bif.zeek <...>/logging.bif.zeek
 0.000000 | HookLoadFileExtended ./magic <...>/magic
 0.000000 | HookLoadFileExtended ./main <...>/main.zeek
+0.000000 | HookLoadFileExtended ./main.zeek <...>/main.zeek
 0.000000 | HookLoadFileExtended ./max <...>/max.zeek
 0.000000 | HookLoadFileExtended ./messaging.bif.zeek <...>/messaging.bif.zeek
 0.000000 | HookLoadFileExtended ./min <...>/min.zeek
@@ -4141,6 +4163,7 @@
 0.000000 | HookLoadFileExtended base<...>/analyzer <...>/analyzer
 0.000000 | HookLoadFileExtended base<...>/analyzer.bif <...>/analyzer.bif.zeek
 0.000000 | HookLoadFileExtended base<...>/api <...>/api.zeek
+0.000000 | HookLoadFileExtended base<...>/ayiya <...>/ayiya
 0.000000 | HookLoadFileExtended base<...>/backtrace <...>/backtrace.zeek
 0.000000 | HookLoadFileExtended base<...>/broker <...>/broker
 0.000000 | HookLoadFileExtended base<...>/cluster <...>/cluster
@@ -4190,6 +4213,7 @@
 0.000000 | HookLoadFileExtended base<...>/logging <...>/logging
 0.000000 | HookLoadFileExtended base<...>/logging.bif <...>/logging.bif.zeek
 0.000000 | HookLoadFileExtended base<...>/main <...>/main.zeek
+0.000000 | HookLoadFileExtended base<...>/main.zeek <...>/main.zeek
 0.000000 | HookLoadFileExtended base<...>/messaging.bif <...>/messaging.bif.zeek
 0.000000 | HookLoadFileExtended base<...>/modbus <...>/modbus
 0.000000 | HookLoadFileExtended base<...>/mpls <...>/mpls
diff --git a/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out b/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out
index ec317f0002..e367d4a17b 100644
--- a/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out
+++ b/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out
@@ -1,5 +1,5 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-|Analyzer::all_registered_ports()|, 0
+|Analyzer::all_registered_ports()|, 1
 signature_match [orig_h=141.142.220.235, orig_p=50003/tcp, resp_h=199.233.217.249, resp_p=21/tcp] - matched my_ftp_client
 ftp_reply 199.233.217.249:21 - 220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20100320) ready.
 ftp_request 141.142.220.235:50003 - USER anonymous
diff --git a/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out b/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out
index b1530973e6..e516ddea2d 100644
--- a/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out
+++ b/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out
@@ -1,5 +1,5 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-|Analyzer::all_registered_ports()|, 0
+|Analyzer::all_registered_ports()|, 1
 signature_match [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49185/tcp, resp_h=2001:470:4867:99::21, resp_p=21/tcp] - matched my_ftp_client
 ftp_reply [2001:470:4867:99::21]:21 - 220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20100320) ready.
 ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - USER anonymous
diff --git a/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out b/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out
index 187affad15..4fd064dc30 100644
--- a/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out
+++ b/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out
@@ -1,2 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-|Analyzer::all_registered_ports()|, 0
+|Analyzer::all_registered_ports()|, 1
diff --git a/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out b/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out
index 187affad15..4fd064dc30 100644
--- a/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out
+++ b/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out
@@ -1,2 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-|Analyzer::all_registered_ports()|, 0
+|Analyzer::all_registered_ports()|, 1

From cbb0bcd49ccb879e8dae58219356b6a6d831e6dd Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Thu, 26 Aug 2021 12:15:00 -0700
Subject: [PATCH 098/210] Add Geneve packet analyzer, disable old analyzer

---
 scripts/base/frameworks/tunnels/main.zeek     |  3 +-
 scripts/base/init-bare.zeek                   |  6 --
 scripts/base/packet-protocols/__load__.zeek   |  1 +
 .../packet-protocols/geneve/__load__.zeek     |  1 +
 .../base/packet-protocols/geneve/main.zeek    | 22 +++++
 src/analyzer/protocol/CMakeLists.txt          |  2 +-
 src/packet_analysis/protocol/CMakeLists.txt   |  1 +
 .../protocol/geneve/CMakeLists.txt            |  6 ++
 src/packet_analysis/protocol/geneve/Geneve.cc | 90 +++++++++++++++++++
 src/packet_analysis/protocol/geneve/Geneve.h  | 25 ++++++
 src/packet_analysis/protocol/geneve/Plugin.cc | 27 ++++++
 .../protocol/geneve/events.bif                | 12 +++
 .../canonified_loaded_scripts.log             |  4 +-
 .../canonified_loaded_scripts.log             |  4 +-
 testing/btest/Baseline/plugins.hooks/output   | 30 +++++--
 .../Baseline/signatures.dpd/dpd-ipv4.out      |  2 +-
 .../Baseline/signatures.dpd/dpd-ipv6.out      |  2 +-
 .../Baseline/signatures.dpd/nosig-ipv4.out    |  2 +-
 .../Baseline/signatures.dpd/nosig-ipv6.out    |  2 +-
 19 files changed, 218 insertions(+), 24 deletions(-)
 create mode 100644 scripts/base/packet-protocols/geneve/__load__.zeek
 create mode 100644 scripts/base/packet-protocols/geneve/main.zeek
 create mode 100644 src/packet_analysis/protocol/geneve/CMakeLists.txt
 create mode 100644 src/packet_analysis/protocol/geneve/Geneve.cc
 create mode 100644 src/packet_analysis/protocol/geneve/Geneve.h
 create mode 100644 src/packet_analysis/protocol/geneve/Plugin.cc
 create mode 100644 src/packet_analysis/protocol/geneve/events.bif

diff --git a/scripts/base/frameworks/tunnels/main.zeek b/scripts/base/frameworks/tunnels/main.zeek
index 2afa55f9fb..60d26c5612 100644
--- a/scripts/base/frameworks/tunnels/main.zeek
+++ b/scripts/base/frameworks/tunnels/main.zeek
@@ -92,7 +92,7 @@ export {
 
 const teredo_ports = { 3544/udp };
 const gtpv1_ports = { 2152/udp, 2123/udp };
-redef likely_server_ports += { teredo_ports, gtpv1_ports, vxlan_ports, geneve_ports };
+redef likely_server_ports += { teredo_ports, gtpv1_ports, vxlan_ports };
 
 event zeek_init() &priority=5
 	{
@@ -101,7 +101,6 @@ event zeek_init() &priority=5
 	Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, teredo_ports);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_GTPV1, gtpv1_ports);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_VXLAN, vxlan_ports);
-	Analyzer::register_for_ports(Analyzer::ANALYZER_GENEVE, geneve_ports);
 	}
 
 function register_all(ecv: EncapsulatingConnVector)
diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index 401b2496b8..3754270565 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -5065,12 +5065,6 @@ export {
 	## if you customize this, you may still want to manually ensure that
 	## :zeek:see:`likely_server_ports` also gets populated accordingly.
 	const vxlan_ports: set[port] = { 4789/udp } &redef;
-
-	## The set of UDP ports used for Geneve traffic.  Traffic using this
-	## UDP destination port will attempt to be decapsulated.  Note that if
-	## if you customize this, you may still want to manually ensure that
-	## :zeek:see:`likely_server_ports` also gets populated accordingly.
-	const geneve_ports: set[port] = { 6081/udp } &redef;
 } # end export
 
 module Reporter;
diff --git a/scripts/base/packet-protocols/__load__.zeek b/scripts/base/packet-protocols/__load__.zeek
index 23c8a6d5c0..35cbd54118 100644
--- a/scripts/base/packet-protocols/__load__.zeek
+++ b/scripts/base/packet-protocols/__load__.zeek
@@ -22,3 +22,4 @@
 @load base/packet-protocols/gre
 @load base/packet-protocols/iptunnel
 @load base/packet-protocols/ayiya
+@load base/packet-protocols/geneve
diff --git a/scripts/base/packet-protocols/geneve/__load__.zeek b/scripts/base/packet-protocols/geneve/__load__.zeek
new file mode 100644
index 0000000000..d551be57d3
--- /dev/null
+++ b/scripts/base/packet-protocols/geneve/__load__.zeek
@@ -0,0 +1 @@
+@load ./main
\ No newline at end of file
diff --git a/scripts/base/packet-protocols/geneve/main.zeek b/scripts/base/packet-protocols/geneve/main.zeek
new file mode 100644
index 0000000000..1131deac1d
--- /dev/null
+++ b/scripts/base/packet-protocols/geneve/main.zeek
@@ -0,0 +1,22 @@
+module PacketAnalyzer::Geneve;
+
+export {
+	## The set of UDP ports used for Geneve traffic.  Traffic using this
+	## UDP destination port will attempt to be decapsulated.  Note that if
+	## if you customize this, you may still want to manually ensure that
+	## :zeek:see:`likely_server_ports` also gets populated accordingly.
+	const geneve_ports: set[port] = { 6081/udp } &redef;
+}
+
+redef likely_server_ports += { geneve_ports };
+
+event zeek_init() &priority=20
+	{
+	PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, geneve_ports);
+
+	# This is defined by IANA as being "Trans Ether Bridging" but the Geneve RFC
+	# says to use it for Ethernet. See
+	# https://datatracker.ietf.org/doc/html/draft-gross-geneve-00#section-3.4
+	# for details.
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GENEVE, 0x6558, PacketAnalyzer::ANALYZER_ETHERNET);
+	}
diff --git a/src/analyzer/protocol/CMakeLists.txt b/src/analyzer/protocol/CMakeLists.txt
index 1d41a72dc3..7f042e361a 100644
--- a/src/analyzer/protocol/CMakeLists.txt
+++ b/src/analyzer/protocol/CMakeLists.txt
@@ -8,7 +8,7 @@ add_subdirectory(dns)
 add_subdirectory(file)
 add_subdirectory(finger)
 add_subdirectory(ftp)
-add_subdirectory(geneve)
+#add_subdirectory(geneve)
 add_subdirectory(gnutella)
 add_subdirectory(gssapi)
 add_subdirectory(gtpv1)
diff --git a/src/packet_analysis/protocol/CMakeLists.txt b/src/packet_analysis/protocol/CMakeLists.txt
index f9a84170bd..7cf36d5de9 100644
--- a/src/packet_analysis/protocol/CMakeLists.txt
+++ b/src/packet_analysis/protocol/CMakeLists.txt
@@ -23,3 +23,4 @@ add_subdirectory(vntag)
 add_subdirectory(gre)
 add_subdirectory(iptunnel)
 add_subdirectory(ayiya)
+add_subdirectory(geneve)
diff --git a/src/packet_analysis/protocol/geneve/CMakeLists.txt b/src/packet_analysis/protocol/geneve/CMakeLists.txt
new file mode 100644
index 0000000000..118289fc07
--- /dev/null
+++ b/src/packet_analysis/protocol/geneve/CMakeLists.txt
@@ -0,0 +1,6 @@
+include(ZeekPlugin)
+
+zeek_plugin_begin(Zeek Geneve)
+zeek_plugin_cc(Geneve.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_end()
diff --git a/src/packet_analysis/protocol/geneve/Geneve.cc b/src/packet_analysis/protocol/geneve/Geneve.cc
new file mode 100644
index 0000000000..8dac14533b
--- /dev/null
+++ b/src/packet_analysis/protocol/geneve/Geneve.cc
@@ -0,0 +1,90 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/packet_analysis/protocol/geneve/Geneve.h"
+
+#include "zeek/packet_analysis/protocol/geneve/events.bif.h"
+#include "zeek/packet_analysis/protocol/iptunnel/IPTunnel.h"
+
+using namespace zeek::packet_analysis::Geneve;
+
+GeneveAnalyzer::GeneveAnalyzer() : zeek::packet_analysis::Analyzer("Geneve") { }
+
+bool GeneveAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
+	{
+	if ( packet->encap && packet->encap->Depth() >= BifConst::Tunnel::max_depth )
+		{
+		Weird("exceeded_tunnel_max_depth", packet);
+		return false;
+		}
+
+	// This will be expanded based on the length of the options in the header,
+	// but it will be at least this long.
+	uint16_t hdr_size = 8;
+
+	if ( hdr_size > len )
+		{
+		AnalyzerViolation("Geneve header truncation", packet->session,
+		                  reinterpret_cast<const char*>(data), len);
+		return false;
+		}
+
+	// Validate that the version number is correct. According to the RFC, this
+	// should always be zero, and anything else should be treated as an error.
+	auto version = data[0] >> 6;
+	if ( version != 0 )
+		{
+		Weird("geneve_invalid_version", packet, util::fmt("%d", version));
+		return false;
+		}
+
+	// Option length is the number of bytes for options, expressed in 4-byte multiples.
+	uint8_t opt_len = (data[0] & 0x3F) * 4;
+	hdr_size += opt_len;
+
+	// Double-check this one now that we know the actual full length of the header.
+	if ( hdr_size > len )
+		{
+		AnalyzerViolation("Geneve option header truncation", packet->session,
+		                  reinterpret_cast<const char*>(data), len);
+		return false;
+		}
+
+	// Get the next header. This will probably be Ethernet (0x6558), but get it
+	// anyways so that the forwarding can do its thing.
+	auto next_header = (data[2] << 8) + data[3];
+
+	// Grab the VNI out of the data before advancing the data pointer
+	auto vni = (data[4] << 16) + (data[5] << 8) + data[6];
+
+	len -= hdr_size;
+	data += hdr_size;
+
+	int encap_index = 0;
+	auto inner_packet = packet_analysis::IPTunnel::build_inner_packet(
+		packet, &encap_index, nullptr, len, data, DLT_RAW, BifEnum::Tunnel::GENEVE,
+		GetAnalyzerTag());
+
+	// Skip the header and pass on to the next analyzer. It's possible for Geneve to
+	// just be a header and nothing after it, so check for that case.
+	bool fwd_ret_val = true;
+	if ( len > hdr_size )
+		fwd_ret_val = ForwardPacket(len, data, inner_packet.get(), next_header);
+
+	if ( fwd_ret_val )
+		{
+		AnalyzerConfirmation(packet->session);
+
+		if ( geneve_packet && packet->session )
+			{
+			EncapsulatingConn* ec = inner_packet->encap->At(encap_index);
+			if ( ec && ec->ip_hdr )
+				inner_packet->session->EnqueueEvent(geneve_packet, nullptr,
+				                                    packet->session->GetVal(),
+				                                    ec->ip_hdr->ToPktHdrVal(), val_mgr->Count(vni));
+			}
+		}
+	else
+		AnalyzerViolation("Geneve invalid inner packet", packet->session);
+
+	return fwd_ret_val;
+	}
diff --git a/src/packet_analysis/protocol/geneve/Geneve.h b/src/packet_analysis/protocol/geneve/Geneve.h
new file mode 100644
index 0000000000..5d80ec4d60
--- /dev/null
+++ b/src/packet_analysis/protocol/geneve/Geneve.h
@@ -0,0 +1,25 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include "zeek/packet_analysis/Analyzer.h"
+#include "zeek/packet_analysis/Component.h"
+
+namespace zeek::packet_analysis::Geneve
+	{
+
+class GeneveAnalyzer : public zeek::packet_analysis::Analyzer
+	{
+public:
+	GeneveAnalyzer();
+	~GeneveAnalyzer() override = default;
+
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+
+	static zeek::packet_analysis::AnalyzerPtr Instantiate()
+		{
+		return std::make_shared<GeneveAnalyzer>();
+		}
+	};
+
+	}
diff --git a/src/packet_analysis/protocol/geneve/Plugin.cc b/src/packet_analysis/protocol/geneve/Plugin.cc
new file mode 100644
index 0000000000..5685a4b75c
--- /dev/null
+++ b/src/packet_analysis/protocol/geneve/Plugin.cc
@@ -0,0 +1,27 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/plugin/Plugin.h"
+
+#include "zeek/packet_analysis/Component.h"
+#include "zeek/packet_analysis/protocol/geneve/Geneve.h"
+
+namespace zeek::plugin::Zeek_Geneve
+	{
+
+class Plugin : public zeek::plugin::Plugin
+	{
+public:
+	zeek::plugin::Configuration Configure()
+		{
+		AddComponent(new zeek::packet_analysis::Component(
+			"Geneve", zeek::packet_analysis::Geneve::GeneveAnalyzer::Instantiate));
+
+		zeek::plugin::Configuration config;
+		config.name = "Zeek::Geneve";
+		config.description = "Geneve packet analyzer";
+		return config;
+		}
+
+	} plugin;
+
+	}
diff --git a/src/packet_analysis/protocol/geneve/events.bif b/src/packet_analysis/protocol/geneve/events.bif
new file mode 100644
index 0000000000..502a703ae4
--- /dev/null
+++ b/src/packet_analysis/protocol/geneve/events.bif
@@ -0,0 +1,12 @@
+## Generated for any packet encapsulated in a Geneve tunnel.
+## See :rfc:`8926` for more information about the Geneve protocol.
+##
+## outer: The Geneve tunnel connection.
+##
+## inner: The Geneve-encapsulated Ethernet packet header and transport header.
+##
+## vni: Geneve Network Identifier.
+##
+## .. note:: Since this event may be raised on a per-packet basis, handling
+##    it may become particularly expensive for real-time analysis.
+event geneve_packet%(outer: connection, inner: pkt_hdr, vni: count%);
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
index 8db7b42521..c641280119 100644
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@@ -69,6 +69,8 @@ scripts/base/init-bare.zeek
       scripts/base/packet-protocols/iptunnel/main.zeek
     scripts/base/packet-protocols/ayiya/__load__.zeek
       scripts/base/packet-protocols/ayiya/main.zeek
+    scripts/base/packet-protocols/geneve/__load__.zeek
+      scripts/base/packet-protocols/geneve/main.zeek
 scripts/base/init-frameworks-and-bifs.zeek
   scripts/base/frameworks/logging/__load__.zeek
     scripts/base/frameworks/logging/main.zeek
@@ -128,7 +130,6 @@ scripts/base/init-frameworks-and-bifs.zeek
     build/scripts/base/bif/plugins/Zeek_Finger.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_FTP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_FTP.functions.bif.zeek
-    build/scripts/base/bif/plugins/Zeek_Geneve.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_Gnutella.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_GSSAPI.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_GTPv1.events.bif.zeek
@@ -213,6 +214,7 @@ scripts/base/init-frameworks-and-bifs.zeek
     build/scripts/base/bif/plugins/Zeek_ARP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_UDP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_ICMP.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_Geneve.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_FileEntropy.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_FileExtract.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_FileExtract.functions.bif.zeek
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
index 69a6fc05fa..289c6d1032 100644
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -69,6 +69,8 @@ scripts/base/init-bare.zeek
       scripts/base/packet-protocols/iptunnel/main.zeek
     scripts/base/packet-protocols/ayiya/__load__.zeek
       scripts/base/packet-protocols/ayiya/main.zeek
+    scripts/base/packet-protocols/geneve/__load__.zeek
+      scripts/base/packet-protocols/geneve/main.zeek
 scripts/base/init-frameworks-and-bifs.zeek
   scripts/base/frameworks/logging/__load__.zeek
     scripts/base/frameworks/logging/main.zeek
@@ -128,7 +130,6 @@ scripts/base/init-frameworks-and-bifs.zeek
     build/scripts/base/bif/plugins/Zeek_Finger.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_FTP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_FTP.functions.bif.zeek
-    build/scripts/base/bif/plugins/Zeek_Geneve.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_Gnutella.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_GSSAPI.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_GTPv1.events.bif.zeek
@@ -213,6 +214,7 @@ scripts/base/init-frameworks-and-bifs.zeek
     build/scripts/base/bif/plugins/Zeek_ARP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_UDP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_ICMP.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_Geneve.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_FileEntropy.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_FileExtract.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_FileExtract.functions.bif.zeek
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index 982a4b914d..84e2946e17 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -14,7 +14,6 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DTLS, 443/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 21/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 2811/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_GENEVE, 6081/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_GTPV1, 2123/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_GTPV1, 2152/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 1080/tcp)) -> <no result>
@@ -79,7 +78,6 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_DTLS, 443/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 21/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 2811/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_GENEVE, 6081/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_GTPV1, 2123/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_GTPV1, 2152/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 1080/tcp)) -> <no result>
@@ -135,7 +133,6 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DNS, {5353<...>/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DTLS, {443/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_FTP, {2811<...>/tcp})) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_GENEVE, {6081/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_GTPV1, {2152<...>/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_HTTP, {80<...>/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_IMAP, {143/tcp})) -> <no result>
@@ -585,7 +582,9 @@
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (udp_content_delivery_ports_use_resp, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (udp_content_ports, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, 5072/udp)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, 6081/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, {5072/udp})) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, {6081/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 41, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 2048, PacketAnalyzer::ANALYZER_IP)) -> <no result>
@@ -598,6 +597,7 @@
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 34984, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 35110, PacketAnalyzer::ANALYZER_VNTAG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 37120, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_GENEVE, 25944, PacketAnalyzer::ANALYZER_ETHERNET)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IEEE802_11, 2048, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IEEE802_11, 2054, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IEEE802_11, 32821, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
@@ -634,6 +634,7 @@
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 6081, PacketAnalyzer::ANALYZER_GENEVE)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 2048, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 2054, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 32821, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
@@ -676,6 +677,7 @@
 0.000000   MetaHookPost  CallFunction(global_ids, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(network_time, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(port_to_count, <frame>, (5072/udp)) -> <no result>
+0.000000   MetaHookPost  CallFunction(port_to_count, <frame>, (6081/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(reading_live_traffic, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(reading_traces, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(set_to_regex, <frame>, ({}, (^\.?|\.)(~~)$)) -> <no result>
@@ -953,6 +955,7 @@
 0.000000   MetaHookPost  LoadFile(0, base<...>/find-checksum-offloading, <...>/find-checksum-offloading.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/find-filtered-trace, <...>/find-filtered-trace.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/ftp, <...>/ftp) -> -1
+0.000000   MetaHookPost  LoadFile(0, base<...>/geneve, <...>/geneve) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/geoip-distance, <...>/geoip-distance.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/gre, <...>/gre) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/hash, <...>/hash) -> -1
@@ -1322,6 +1325,7 @@
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/find-checksum-offloading, <...>/find-checksum-offloading.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/find-filtered-trace, <...>/find-filtered-trace.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/ftp, <...>/ftp) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/geneve, <...>/geneve) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/geoip-distance, <...>/geoip-distance.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/gre, <...>/gre) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/hash, <...>/hash) -> (-1, <no content>)
@@ -1444,7 +1448,6 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DTLS, 443/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 21/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 2811/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_GENEVE, 6081/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_GTPV1, 2123/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_GTPV1, 2152/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 1080/tcp))
@@ -1509,7 +1512,6 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_DTLS, 443/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 21/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 2811/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_GENEVE, 6081/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_GTPV1, 2123/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_GTPV1, 2152/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 1080/tcp))
@@ -1565,7 +1567,6 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DNS, {5353<...>/tcp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DTLS, {443/udp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_FTP, {2811<...>/tcp}))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_GENEVE, {6081/udp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_GTPV1, {2152<...>/udp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_HTTP, {80<...>/tcp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_IMAP, {143/tcp}))
@@ -2015,7 +2016,9 @@
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (udp_content_delivery_ports_use_resp, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100))
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (udp_content_ports, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, 5072/udp))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, 6081/udp))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, {5072/udp}))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, {6081/udp}))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 41, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 2048, PacketAnalyzer::ANALYZER_IP))
@@ -2028,6 +2031,7 @@
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 34984, PacketAnalyzer::ANALYZER_VLAN))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 35110, PacketAnalyzer::ANALYZER_VNTAG))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 37120, PacketAnalyzer::ANALYZER_VLAN))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_GENEVE, 25944, PacketAnalyzer::ANALYZER_ETHERNET))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IEEE802_11, 2048, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IEEE802_11, 2054, PacketAnalyzer::ANALYZER_ARP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IEEE802_11, 32821, PacketAnalyzer::ANALYZER_ARP))
@@ -2064,6 +2068,7 @@
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 6081, PacketAnalyzer::ANALYZER_GENEVE))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 2048, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 2054, PacketAnalyzer::ANALYZER_ARP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 32821, PacketAnalyzer::ANALYZER_ARP))
@@ -2106,6 +2111,7 @@
 0.000000   MetaHookPre   CallFunction(global_ids, <frame>, ())
 0.000000   MetaHookPre   CallFunction(network_time, <frame>, ())
 0.000000   MetaHookPre   CallFunction(port_to_count, <frame>, (5072/udp))
+0.000000   MetaHookPre   CallFunction(port_to_count, <frame>, (6081/udp))
 0.000000   MetaHookPre   CallFunction(reading_live_traffic, <frame>, ())
 0.000000   MetaHookPre   CallFunction(reading_traces, <frame>, ())
 0.000000   MetaHookPre   CallFunction(set_to_regex, <frame>, ({}, (^\.?|\.)(~~)$))
@@ -2383,6 +2389,7 @@
 0.000000   MetaHookPre   LoadFile(0, base<...>/find-checksum-offloading, <...>/find-checksum-offloading.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/find-filtered-trace, <...>/find-filtered-trace.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/ftp, <...>/ftp)
+0.000000   MetaHookPre   LoadFile(0, base<...>/geneve, <...>/geneve)
 0.000000   MetaHookPre   LoadFile(0, base<...>/geoip-distance, <...>/geoip-distance.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/gre, <...>/gre)
 0.000000   MetaHookPre   LoadFile(0, base<...>/hash, <...>/hash)
@@ -2752,6 +2759,7 @@
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/find-checksum-offloading, <...>/find-checksum-offloading.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/find-filtered-trace, <...>/find-filtered-trace.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/ftp, <...>/ftp)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/geneve, <...>/geneve)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/geoip-distance, <...>/geoip-distance.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/gre, <...>/gre)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/hash, <...>/hash)
@@ -2874,7 +2882,6 @@
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DTLS, 443/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_FTP, 21/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_FTP, 2811/tcp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_GENEVE, 6081/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_GTPV1, 2123/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_GTPV1, 2152/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_HTTP, 1080/tcp)
@@ -2939,7 +2946,6 @@
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DTLS, 443/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_FTP, 21/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_FTP, 2811/tcp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_GENEVE, 6081/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_GTPV1, 2123/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_GTPV1, 2152/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 1080/tcp)
@@ -2995,7 +3001,6 @@
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DNS, {5353<...>/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DTLS, {443/udp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_FTP, {2811<...>/tcp})
-0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_GENEVE, {6081/udp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_GTPV1, {2152<...>/udp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, {80<...>/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_IMAP, {143/tcp})
@@ -3444,7 +3449,9 @@
 0.000000 | HookCallFunction Option::set_change_handler(udp_content_delivery_ports_use_resp, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)
 0.000000 | HookCallFunction Option::set_change_handler(udp_content_ports, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)
 0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, 5072/udp)
+0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, 6081/udp)
 0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, {5072/udp})
+0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, {6081/udp})
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_AYIYA, 41, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 2048, PacketAnalyzer::ANALYZER_IP)
@@ -3457,6 +3464,7 @@
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 34984, PacketAnalyzer::ANALYZER_VLAN)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 35110, PacketAnalyzer::ANALYZER_VNTAG)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 37120, PacketAnalyzer::ANALYZER_VLAN)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GENEVE, 25944, PacketAnalyzer::ANALYZER_ETHERNET)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IEEE802_11, 2048, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IEEE802_11, 2054, PacketAnalyzer::ANALYZER_ARP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IEEE802_11, 32821, PacketAnalyzer::ANALYZER_ARP)
@@ -3493,6 +3501,7 @@
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 6081, PacketAnalyzer::ANALYZER_GENEVE)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 2048, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 2054, PacketAnalyzer::ANALYZER_ARP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 32821, PacketAnalyzer::ANALYZER_ARP)
@@ -3535,6 +3544,7 @@
 0.000000 | HookCallFunction global_ids()
 0.000000 | HookCallFunction network_time()
 0.000000 | HookCallFunction port_to_count(5072/udp)
+0.000000 | HookCallFunction port_to_count(6081/udp)
 0.000000 | HookCallFunction reading_live_traffic()
 0.000000 | HookCallFunction reading_traces()
 0.000000 | HookCallFunction set_to_regex({}, (^\.?|\.)(~~)$)
@@ -3824,6 +3834,7 @@
 0.000000 | HookLoadFile  base<...>/find-checksum-offloading <...>/find-checksum-offloading.zeek
 0.000000 | HookLoadFile  base<...>/find-filtered-trace <...>/find-filtered-trace.zeek
 0.000000 | HookLoadFile  base<...>/ftp <...>/ftp
+0.000000 | HookLoadFile  base<...>/geneve <...>/geneve
 0.000000 | HookLoadFile  base<...>/geoip-distance <...>/geoip-distance.zeek
 0.000000 | HookLoadFile  base<...>/gre <...>/gre
 0.000000 | HookLoadFile  base<...>/hash <...>/hash
@@ -4193,6 +4204,7 @@
 0.000000 | HookLoadFileExtended base<...>/find-checksum-offloading <...>/find-checksum-offloading.zeek
 0.000000 | HookLoadFileExtended base<...>/find-filtered-trace <...>/find-filtered-trace.zeek
 0.000000 | HookLoadFileExtended base<...>/ftp <...>/ftp
+0.000000 | HookLoadFileExtended base<...>/geneve <...>/geneve
 0.000000 | HookLoadFileExtended base<...>/geoip-distance <...>/geoip-distance.zeek
 0.000000 | HookLoadFileExtended base<...>/gre <...>/gre
 0.000000 | HookLoadFileExtended base<...>/hash <...>/hash
diff --git a/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out b/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out
index e367d4a17b..3164acb97b 100644
--- a/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out
+++ b/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out
@@ -1,5 +1,5 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-|Analyzer::all_registered_ports()|, 1
+|Analyzer::all_registered_ports()|, 2
 signature_match [orig_h=141.142.220.235, orig_p=50003/tcp, resp_h=199.233.217.249, resp_p=21/tcp] - matched my_ftp_client
 ftp_reply 199.233.217.249:21 - 220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20100320) ready.
 ftp_request 141.142.220.235:50003 - USER anonymous
diff --git a/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out b/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out
index e516ddea2d..baa45d3a06 100644
--- a/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out
+++ b/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out
@@ -1,5 +1,5 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-|Analyzer::all_registered_ports()|, 1
+|Analyzer::all_registered_ports()|, 2
 signature_match [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49185/tcp, resp_h=2001:470:4867:99::21, resp_p=21/tcp] - matched my_ftp_client
 ftp_reply [2001:470:4867:99::21]:21 - 220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20100320) ready.
 ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - USER anonymous
diff --git a/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out b/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out
index 4fd064dc30..b012dac860 100644
--- a/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out
+++ b/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out
@@ -1,2 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-|Analyzer::all_registered_ports()|, 1
+|Analyzer::all_registered_ports()|, 2
diff --git a/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out b/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out
index 4fd064dc30..b012dac860 100644
--- a/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out
+++ b/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out
@@ -1,2 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-|Analyzer::all_registered_ports()|, 1
+|Analyzer::all_registered_ports()|, 2

From 05574ecce1d35e3af4f536aeabaf0fdb4194c253 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Thu, 26 Aug 2021 12:37:28 -0700
Subject: [PATCH 099/210] Add VXLAN packet analyzer, disable old analyzer

---
 scripts/base/frameworks/tunnels/main.zeek     |  3 +-
 scripts/base/init-bare.zeek                   |  5 --
 scripts/base/packet-protocols/__load__.zeek   |  1 +
 .../base/packet-protocols/vxlan/__load__.zeek |  1 +
 scripts/base/packet-protocols/vxlan/main.zeek | 20 ++++++
 src/analyzer/Manager.cc                       |  4 +-
 src/analyzer/protocol/CMakeLists.txt          |  2 +-
 src/packet_analysis/protocol/CMakeLists.txt   |  1 +
 src/packet_analysis/protocol/udp/UDP.cc       |  4 +-
 .../protocol/vxlan/CMakeLists.txt             |  6 ++
 src/packet_analysis/protocol/vxlan/Plugin.cc  | 27 ++++++++
 src/packet_analysis/protocol/vxlan/VXLAN.cc   | 65 +++++++++++++++++++
 src/packet_analysis/protocol/vxlan/VXLAN.h    | 25 +++++++
 src/packet_analysis/protocol/vxlan/events.bif | 12 ++++
 .../Baseline/core.tunnels.vxlan/conn.log      |  4 +-
 .../canonified_loaded_scripts.log             |  4 +-
 .../canonified_loaded_scripts.log             |  4 +-
 testing/btest/Baseline/plugins.hooks/output   | 27 +++++---
 .../Baseline/signatures.dpd/dpd-ipv4.out      |  2 +-
 .../Baseline/signatures.dpd/dpd-ipv6.out      |  2 +-
 .../Baseline/signatures.dpd/nosig-ipv4.out    |  2 +-
 .../Baseline/signatures.dpd/nosig-ipv6.out    |  2 +-
 22 files changed, 194 insertions(+), 29 deletions(-)
 create mode 100644 scripts/base/packet-protocols/vxlan/__load__.zeek
 create mode 100644 scripts/base/packet-protocols/vxlan/main.zeek
 create mode 100644 src/packet_analysis/protocol/vxlan/CMakeLists.txt
 create mode 100644 src/packet_analysis/protocol/vxlan/Plugin.cc
 create mode 100644 src/packet_analysis/protocol/vxlan/VXLAN.cc
 create mode 100644 src/packet_analysis/protocol/vxlan/VXLAN.h
 create mode 100644 src/packet_analysis/protocol/vxlan/events.bif

diff --git a/scripts/base/frameworks/tunnels/main.zeek b/scripts/base/frameworks/tunnels/main.zeek
index 60d26c5612..11b7a90470 100644
--- a/scripts/base/frameworks/tunnels/main.zeek
+++ b/scripts/base/frameworks/tunnels/main.zeek
@@ -92,7 +92,7 @@ export {
 
 const teredo_ports = { 3544/udp };
 const gtpv1_ports = { 2152/udp, 2123/udp };
-redef likely_server_ports += { teredo_ports, gtpv1_ports, vxlan_ports };
+redef likely_server_ports += { teredo_ports, gtpv1_ports };
 
 event zeek_init() &priority=5
 	{
@@ -100,7 +100,6 @@ event zeek_init() &priority=5
 
 	Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, teredo_ports);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_GTPV1, gtpv1_ports);
-	Analyzer::register_for_ports(Analyzer::ANALYZER_VXLAN, vxlan_ports);
 	}
 
 function register_all(ecv: EncapsulatingConnVector)
diff --git a/scripts/base/init-bare.zeek b/scripts/base/init-bare.zeek
index 3754270565..9e102ed6fc 100644
--- a/scripts/base/init-bare.zeek
+++ b/scripts/base/init-bare.zeek
@@ -5060,11 +5060,6 @@ export {
 	## may choose whether to perform the validation.
 	const validate_vxlan_checksums = T &redef;
 
-	## The set of UDP ports used for VXLAN traffic.  Traffic using this
-	## UDP destination port will attempt to be decapsulated.  Note that if
-	## if you customize this, you may still want to manually ensure that
-	## :zeek:see:`likely_server_ports` also gets populated accordingly.
-	const vxlan_ports: set[port] = { 4789/udp } &redef;
 } # end export
 
 module Reporter;
diff --git a/scripts/base/packet-protocols/__load__.zeek b/scripts/base/packet-protocols/__load__.zeek
index 35cbd54118..312db9f3b0 100644
--- a/scripts/base/packet-protocols/__load__.zeek
+++ b/scripts/base/packet-protocols/__load__.zeek
@@ -23,3 +23,4 @@
 @load base/packet-protocols/iptunnel
 @load base/packet-protocols/ayiya
 @load base/packet-protocols/geneve
+@load base/packet-protocols/vxlan
diff --git a/scripts/base/packet-protocols/vxlan/__load__.zeek b/scripts/base/packet-protocols/vxlan/__load__.zeek
new file mode 100644
index 0000000000..d551be57d3
--- /dev/null
+++ b/scripts/base/packet-protocols/vxlan/__load__.zeek
@@ -0,0 +1 @@
+@load ./main
\ No newline at end of file
diff --git a/scripts/base/packet-protocols/vxlan/main.zeek b/scripts/base/packet-protocols/vxlan/main.zeek
new file mode 100644
index 0000000000..83bde18c2b
--- /dev/null
+++ b/scripts/base/packet-protocols/vxlan/main.zeek
@@ -0,0 +1,20 @@
+module PacketAnalyzer::VXLAN;
+
+export {
+	# There's no indicator in the VXLAN packet header format about what the next protocol
+	# in the chain is. All of the documentation just lists Ethernet, so default to that.
+        const default_analyzer: PacketAnalyzer::Tag = PacketAnalyzer::ANALYZER_ETHERNET &redef;
+
+	## The set of UDP ports used for VXLAN traffic.  Traffic using this
+	## UDP destination port will attempt to be decapsulated.  Note that if
+	## if you customize this, you may still want to manually ensure that
+	## :zeek:see:`likely_server_ports` also gets populated accordingly.
+	const vxlan_ports: set[port] = { 4789/udp } &redef;
+}
+
+redef likely_server_ports += { vxlan_ports };
+
+event zeek_init() &priority=20
+	{
+	PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, vxlan_ports);
+	}
diff --git a/src/analyzer/Manager.cc b/src/analyzer/Manager.cc
index ba21821a84..dfc6236147 100644
--- a/src/analyzer/Manager.cc
+++ b/src/analyzer/Manager.cc
@@ -74,10 +74,10 @@ Manager::~Manager()
 
 void Manager::InitPostScript()
 	{
-	const auto& id = detail::global_scope()->Find("Tunnel::vxlan_ports");
+	const auto& id = detail::global_scope()->Find("PacketAnalyzer::VXLAN::vxlan_ports");
 
 	if ( ! (id && id->GetVal()) )
-		reporter->FatalError("Tunnel::vxlan_ports not defined");
+		reporter->FatalError("PacketAnalyzer::VXLAN::vxlan_ports not defined");
 
 	auto table_val = id->GetVal()->AsTableVal();
 	auto port_list = table_val->ToPureListVal();
diff --git a/src/analyzer/protocol/CMakeLists.txt b/src/analyzer/protocol/CMakeLists.txt
index 7f042e361a..d6b42fa28e 100644
--- a/src/analyzer/protocol/CMakeLists.txt
+++ b/src/analyzer/protocol/CMakeLists.txt
@@ -42,6 +42,6 @@ add_subdirectory(ssl)
 add_subdirectory(syslog)
 add_subdirectory(tcp)
 add_subdirectory(teredo)
-add_subdirectory(vxlan)
+#add_subdirectory(vxlan)
 add_subdirectory(xmpp)
 add_subdirectory(zip)
diff --git a/src/packet_analysis/protocol/CMakeLists.txt b/src/packet_analysis/protocol/CMakeLists.txt
index 7cf36d5de9..53a1d8e161 100644
--- a/src/packet_analysis/protocol/CMakeLists.txt
+++ b/src/packet_analysis/protocol/CMakeLists.txt
@@ -24,3 +24,4 @@ add_subdirectory(gre)
 add_subdirectory(iptunnel)
 add_subdirectory(ayiya)
 add_subdirectory(geneve)
+add_subdirectory(vxlan)
diff --git a/src/packet_analysis/protocol/udp/UDP.cc b/src/packet_analysis/protocol/udp/UDP.cc
index cd7681dcd9..b0cb1683a7 100644
--- a/src/packet_analysis/protocol/udp/UDP.cc
+++ b/src/packet_analysis/protocol/udp/UDP.cc
@@ -41,10 +41,10 @@ void UDPAnalyzer::Initialize()
 	{
 	IPBasedAnalyzer::Initialize();
 
-	const auto& id = detail::global_scope()->Find("Tunnel::vxlan_ports");
+	const auto& id = detail::global_scope()->Find("PacketAnalyzer::VXLAN::vxlan_ports");
 
 	if ( ! (id && id->GetVal()) )
-		reporter->FatalError("Tunnel::vxlan_ports not defined");
+		reporter->FatalError("PacketAnalyzer::VXLAN::vxlan_ports not defined");
 
 	auto table_val = id->GetVal()->AsTableVal();
 	auto port_list = table_val->ToPureListVal();
diff --git a/src/packet_analysis/protocol/vxlan/CMakeLists.txt b/src/packet_analysis/protocol/vxlan/CMakeLists.txt
new file mode 100644
index 0000000000..695048f77e
--- /dev/null
+++ b/src/packet_analysis/protocol/vxlan/CMakeLists.txt
@@ -0,0 +1,6 @@
+include(ZeekPlugin)
+
+zeek_plugin_begin(Zeek VXLAN)
+zeek_plugin_cc(VXLAN.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_end()
diff --git a/src/packet_analysis/protocol/vxlan/Plugin.cc b/src/packet_analysis/protocol/vxlan/Plugin.cc
new file mode 100644
index 0000000000..21651ae071
--- /dev/null
+++ b/src/packet_analysis/protocol/vxlan/Plugin.cc
@@ -0,0 +1,27 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/plugin/Plugin.h"
+
+#include "zeek/packet_analysis/Component.h"
+#include "zeek/packet_analysis/protocol/vxlan/VXLAN.h"
+
+namespace zeek::plugin::Zeek_VXLAN
+	{
+
+class Plugin : public zeek::plugin::Plugin
+	{
+public:
+	zeek::plugin::Configuration Configure()
+		{
+		AddComponent(new zeek::packet_analysis::Component(
+			"VXLAN", zeek::packet_analysis::VXLAN::VXLAN_Analyzer::Instantiate));
+
+		zeek::plugin::Configuration config;
+		config.name = "Zeek::VXLAN";
+		config.description = "VXLAN packet analyzer";
+		return config;
+		}
+
+	} plugin;
+
+	}
diff --git a/src/packet_analysis/protocol/vxlan/VXLAN.cc b/src/packet_analysis/protocol/vxlan/VXLAN.cc
new file mode 100644
index 0000000000..7bc7b75c3e
--- /dev/null
+++ b/src/packet_analysis/protocol/vxlan/VXLAN.cc
@@ -0,0 +1,65 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/packet_analysis/protocol/vxlan/VXLAN.h"
+
+#include "zeek/packet_analysis/protocol/iptunnel/IPTunnel.h"
+#include "zeek/packet_analysis/protocol/vxlan/events.bif.h"
+
+using namespace zeek::packet_analysis::VXLAN;
+
+VXLAN_Analyzer::VXLAN_Analyzer() : zeek::packet_analysis::Analyzer("VXLAN") { }
+
+bool VXLAN_Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
+	{
+	if ( packet->encap && packet->encap->Depth() >= BifConst::Tunnel::max_depth )
+		{
+		Weird("exceeded_tunnel_max_depth", packet);
+		return false;
+		}
+
+	constexpr uint16_t hdr_size = 8;
+
+	if ( hdr_size > len )
+		{
+		AnalyzerViolation("VXLAN header truncation", packet->session, (const char*)data, len);
+		return false;
+		}
+
+	if ( (data[0] & 0x08) == 0 )
+		{
+		AnalyzerViolation("VXLAN 'I' flag not set", packet->session, (const char*)data, len);
+		return false;
+		}
+
+	int vni = (data[4] << 16) + (data[5] << 8) + (data[6] << 0);
+
+	len -= hdr_size;
+	data += hdr_size;
+
+	int encap_index = 0;
+	auto inner_packet = packet_analysis::IPTunnel::build_inner_packet(
+		packet, &encap_index, nullptr, len, data, DLT_RAW, BifEnum::Tunnel::VXLAN,
+		GetAnalyzerTag());
+
+	bool fwd_ret_val = true;
+	if ( len > hdr_size )
+		fwd_ret_val = ForwardPacket(len, data, inner_packet.get());
+
+	if ( fwd_ret_val )
+		{
+		AnalyzerConfirmation(packet->session);
+
+		if ( vxlan_packet && packet->session )
+			{
+			EncapsulatingConn* ec = inner_packet->encap->At(encap_index);
+			if ( ec && ec->ip_hdr )
+				inner_packet->session->EnqueueEvent(vxlan_packet, nullptr,
+				                                    packet->session->GetVal(),
+				                                    ec->ip_hdr->ToPktHdrVal(), val_mgr->Count(vni));
+			}
+		}
+	else
+		AnalyzerViolation("VXLAN invalid inner packet", packet->session);
+
+	return fwd_ret_val;
+	}
diff --git a/src/packet_analysis/protocol/vxlan/VXLAN.h b/src/packet_analysis/protocol/vxlan/VXLAN.h
new file mode 100644
index 0000000000..f1bc5053e6
--- /dev/null
+++ b/src/packet_analysis/protocol/vxlan/VXLAN.h
@@ -0,0 +1,25 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#pragma once
+
+#include "zeek/packet_analysis/Analyzer.h"
+#include "zeek/packet_analysis/Component.h"
+
+namespace zeek::packet_analysis::VXLAN
+	{
+
+class VXLAN_Analyzer : public zeek::packet_analysis::Analyzer
+	{
+public:
+	VXLAN_Analyzer();
+	~VXLAN_Analyzer() override = default;
+
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+
+	static zeek::packet_analysis::AnalyzerPtr Instantiate()
+		{
+		return std::make_shared<VXLAN_Analyzer>();
+		}
+	};
+
+	}
diff --git a/src/packet_analysis/protocol/vxlan/events.bif b/src/packet_analysis/protocol/vxlan/events.bif
new file mode 100644
index 0000000000..d05c74dfbe
--- /dev/null
+++ b/src/packet_analysis/protocol/vxlan/events.bif
@@ -0,0 +1,12 @@
+## Generated for any packet encapsulated in a VXLAN tunnel.
+## See :rfc:`7348` for more information about the VXLAN protocol.
+##
+## outer: The VXLAN tunnel connection.
+##
+## inner: The VXLAN-encapsulated Ethernet packet header and transport header.
+##
+## vni: VXLAN Network Identifier.
+##
+## .. note:: Since this event may be raised on a per-packet basis, handling
+##    it may become particularly expensive for real-time analysis.
+event vxlan_packet%(outer: connection, inner: pkt_hdr, vni: count%);
diff --git a/testing/btest/Baseline/core.tunnels.vxlan/conn.log b/testing/btest/Baseline/core.tunnels.vxlan/conn.log
index bb73bfef65..0688cd19d0 100644
--- a/testing/btest/Baseline/core.tunnels.vxlan/conn.log
+++ b/testing/btest/Baseline/core.tunnels.vxlan/conn.log
@@ -9,7 +9,7 @@
 #types	time	string	addr	port	addr	port	enum	string	interval	count	count	string	bool	bool	count	string	count	count	count	count	set[string]
 XXXXXXXXXX.XXXXXX	CtPZjS20MLrsMUOJi2	10.0.0.1	8	10.0.0.2	0	icmp	-	3.004616	224	224	OTH	-	-	0	-	4	336	4	336	CUM0KZ3MLUfNB0cl11,C4J4Th3PJpwUYZZ6gc
 XXXXXXXXXX.XXXXXX	CUM0KZ3MLUfNB0cl11	192.168.56.12	38071	192.168.56.11	4789	udp	vxlan	3.004278	424	0	S0	-	-	0	D	4	536	0	0	-
-XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	192.168.56.12	40908	192.168.56.11	4789	udp	-	-	-	-	S0	-	-	0	D	1	78	0	0	-
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.56.11	39924	192.168.56.12	4789	udp	-	-	-	-	S0	-	-	0	D	1	78	0	0	-
+XXXXXXXXXX.XXXXXX	ClEkJM2Vm5giqnMf4h	192.168.56.12	40908	192.168.56.11	4789	udp	vxlan	-	-	-	S0	-	-	0	D	1	78	0	0	-
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	192.168.56.11	39924	192.168.56.12	4789	udp	vxlan	-	-	-	S0	-	-	0	D	1	78	0	0	-
 XXXXXXXXXX.XXXXXX	C4J4Th3PJpwUYZZ6gc	192.168.56.11	48134	192.168.56.12	4789	udp	vxlan	3.004434	424	0	S0	-	-	0	D	4	536	0	0	-
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
index c641280119..be14ccb46b 100644
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@@ -71,6 +71,8 @@ scripts/base/init-bare.zeek
       scripts/base/packet-protocols/ayiya/main.zeek
     scripts/base/packet-protocols/geneve/__load__.zeek
       scripts/base/packet-protocols/geneve/main.zeek
+    scripts/base/packet-protocols/vxlan/__load__.zeek
+      scripts/base/packet-protocols/vxlan/main.zeek
 scripts/base/init-frameworks-and-bifs.zeek
   scripts/base/frameworks/logging/__load__.zeek
     scripts/base/frameworks/logging/main.zeek
@@ -209,12 +211,12 @@ scripts/base/init-frameworks-and-bifs.zeek
     build/scripts/base/bif/plugins/Zeek_TCP.types.bif.zeek
     build/scripts/base/bif/plugins/Zeek_TCP.functions.bif.zeek
     build/scripts/base/bif/plugins/Zeek_Teredo.events.bif.zeek
-    build/scripts/base/bif/plugins/Zeek_VXLAN.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_XMPP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_ARP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_UDP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_ICMP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_Geneve.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_VXLAN.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_FileEntropy.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_FileExtract.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_FileExtract.functions.bif.zeek
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
index 289c6d1032..bab747594c 100644
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -71,6 +71,8 @@ scripts/base/init-bare.zeek
       scripts/base/packet-protocols/ayiya/main.zeek
     scripts/base/packet-protocols/geneve/__load__.zeek
       scripts/base/packet-protocols/geneve/main.zeek
+    scripts/base/packet-protocols/vxlan/__load__.zeek
+      scripts/base/packet-protocols/vxlan/main.zeek
 scripts/base/init-frameworks-and-bifs.zeek
   scripts/base/frameworks/logging/__load__.zeek
     scripts/base/frameworks/logging/main.zeek
@@ -209,12 +211,12 @@ scripts/base/init-frameworks-and-bifs.zeek
     build/scripts/base/bif/plugins/Zeek_TCP.types.bif.zeek
     build/scripts/base/bif/plugins/Zeek_TCP.functions.bif.zeek
     build/scripts/base/bif/plugins/Zeek_Teredo.events.bif.zeek
-    build/scripts/base/bif/plugins/Zeek_VXLAN.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_XMPP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_ARP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_UDP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_ICMP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_Geneve.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_VXLAN.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_FileEntropy.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_FileExtract.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_FileExtract.functions.bif.zeek
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index 84e2946e17..30cef0ae06 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -60,7 +60,6 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 995/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SYSLOG, 514/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_TEREDO, 3544/udp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_VXLAN, 4789/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_TCPSTATS)) -> <no result>
@@ -124,7 +123,6 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 995/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_SYSLOG, 514/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_TEREDO, 3544/udp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_VXLAN, 4789/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DCE_RPC, {135/tcp})) -> <no result>
@@ -154,7 +152,6 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_SSL, {563<...>/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_SYSLOG, {514/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_TEREDO, {3544/udp})) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_VXLAN, {4789/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_XMPP, {5222<...>/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Broker::__set_metrics_export_endpoint_name, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(Broker::__set_metrics_export_interval, <frame>, (1.0 sec)) -> <no result>
@@ -583,8 +580,10 @@
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (udp_content_ports, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, 5072/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, 6081/udp)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, 4789/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, {5072/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, {6081/udp})) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, {4789/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 41, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 2048, PacketAnalyzer::ANALYZER_IP)) -> <no result>
@@ -633,6 +632,7 @@
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 4789, PacketAnalyzer::ANALYZER_VXLAN)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 6081, PacketAnalyzer::ANALYZER_GENEVE)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 2048, PacketAnalyzer::ANALYZER_IP)) -> <no result>
@@ -676,6 +676,7 @@
 0.000000   MetaHookPost  CallFunction(getenv, <null>, (ZEEK_DEFAULT_LISTEN_ADDRESS)) -> <no result>
 0.000000   MetaHookPost  CallFunction(global_ids, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(network_time, <frame>, ()) -> <no result>
+0.000000   MetaHookPost  CallFunction(port_to_count, <frame>, (4789/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(port_to_count, <frame>, (5072/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(port_to_count, <frame>, (6081/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(reading_live_traffic, <frame>, ()) -> <no result>
@@ -1038,6 +1039,7 @@
 0.000000   MetaHookPost  LoadFile(0, base<...>/version, <...>/version.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/vlan, <...>/vlan) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/vntag, <...>/vntag) -> -1
+0.000000   MetaHookPost  LoadFile(0, base<...>/vxlan, <...>/vxlan) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/weird, <...>/weird.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/x509, <...>/x509) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/xmpp, <...>/xmpp) -> -1
@@ -1408,6 +1410,7 @@
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/version, <...>/version.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/vlan, <...>/vlan) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/vntag, <...>/vntag) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/vxlan, <...>/vxlan) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/weird, <...>/weird.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/x509, <...>/x509) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/xmpp, <...>/xmpp) -> (-1, <no content>)
@@ -1494,7 +1497,6 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 995/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SYSLOG, 514/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_TEREDO, 3544/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_VXLAN, 4789/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_TCPSTATS))
@@ -1558,7 +1560,6 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 995/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_SYSLOG, 514/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_TEREDO, 3544/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_VXLAN, 4789/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DCE_RPC, {135/tcp}))
@@ -1588,7 +1589,6 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_SSL, {563<...>/tcp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_SYSLOG, {514/udp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_TEREDO, {3544/udp}))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_VXLAN, {4789/udp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_XMPP, {5222<...>/tcp}))
 0.000000   MetaHookPre   CallFunction(Broker::__set_metrics_export_endpoint_name, <frame>, ())
 0.000000   MetaHookPre   CallFunction(Broker::__set_metrics_export_interval, <frame>, (1.0 sec))
@@ -2017,8 +2017,10 @@
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (udp_content_ports, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, 5072/udp))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, 6081/udp))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, 4789/udp))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, {5072/udp}))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, {6081/udp}))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, {4789/udp}))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 41, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 2048, PacketAnalyzer::ANALYZER_IP))
@@ -2067,6 +2069,7 @@
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 4789, PacketAnalyzer::ANALYZER_VXLAN))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 6081, PacketAnalyzer::ANALYZER_GENEVE))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 2048, PacketAnalyzer::ANALYZER_IP))
@@ -2110,6 +2113,7 @@
 0.000000   MetaHookPre   CallFunction(getenv, <null>, (ZEEK_DEFAULT_LISTEN_ADDRESS))
 0.000000   MetaHookPre   CallFunction(global_ids, <frame>, ())
 0.000000   MetaHookPre   CallFunction(network_time, <frame>, ())
+0.000000   MetaHookPre   CallFunction(port_to_count, <frame>, (4789/udp))
 0.000000   MetaHookPre   CallFunction(port_to_count, <frame>, (5072/udp))
 0.000000   MetaHookPre   CallFunction(port_to_count, <frame>, (6081/udp))
 0.000000   MetaHookPre   CallFunction(reading_live_traffic, <frame>, ())
@@ -2472,6 +2476,7 @@
 0.000000   MetaHookPre   LoadFile(0, base<...>/version, <...>/version.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/vlan, <...>/vlan)
 0.000000   MetaHookPre   LoadFile(0, base<...>/vntag, <...>/vntag)
+0.000000   MetaHookPre   LoadFile(0, base<...>/vxlan, <...>/vxlan)
 0.000000   MetaHookPre   LoadFile(0, base<...>/weird, <...>/weird.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/x509, <...>/x509)
 0.000000   MetaHookPre   LoadFile(0, base<...>/xmpp, <...>/xmpp)
@@ -2842,6 +2847,7 @@
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/version, <...>/version.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/vlan, <...>/vlan)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/vntag, <...>/vntag)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/vxlan, <...>/vxlan)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/weird, <...>/weird.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/x509, <...>/x509)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/xmpp, <...>/xmpp)
@@ -2928,7 +2934,6 @@
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SSL, 995/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SYSLOG, 514/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_TEREDO, 3544/udp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_VXLAN, 4789/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5222/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5269/tcp)
 0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_TCPSTATS)
@@ -2992,7 +2997,6 @@
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SSL, 995/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SYSLOG, 514/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_TEREDO, 3544/udp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_VXLAN, 4789/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_XMPP, 5222/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_XMPP, 5269/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DCE_RPC, {135/tcp})
@@ -3022,7 +3026,6 @@
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, {563<...>/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SYSLOG, {514/udp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, {3544/udp})
-0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_VXLAN, {4789/udp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_XMPP, {5222<...>/tcp})
 0.000000 | HookCallFunction Broker::__set_metrics_export_endpoint_name()
 0.000000 | HookCallFunction Broker::__set_metrics_export_interval(1.0 sec)
@@ -3450,8 +3453,10 @@
 0.000000 | HookCallFunction Option::set_change_handler(udp_content_ports, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)
 0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, 5072/udp)
 0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, 6081/udp)
+0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, 4789/udp)
 0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, {5072/udp})
 0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, {6081/udp})
+0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, {4789/udp})
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_AYIYA, 41, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 2048, PacketAnalyzer::ANALYZER_IP)
@@ -3500,6 +3505,7 @@
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 4789, PacketAnalyzer::ANALYZER_VXLAN)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 6081, PacketAnalyzer::ANALYZER_GENEVE)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 2048, PacketAnalyzer::ANALYZER_IP)
@@ -3543,6 +3549,7 @@
 0.000000 | HookCallFunction getenv(ZEEK_DEFAULT_LISTEN_ADDRESS)
 0.000000 | HookCallFunction global_ids()
 0.000000 | HookCallFunction network_time()
+0.000000 | HookCallFunction port_to_count(4789/udp)
 0.000000 | HookCallFunction port_to_count(5072/udp)
 0.000000 | HookCallFunction port_to_count(6081/udp)
 0.000000 | HookCallFunction reading_live_traffic()
@@ -3917,6 +3924,7 @@
 0.000000 | HookLoadFile  base<...>/version <...>/version.zeek
 0.000000 | HookLoadFile  base<...>/vlan <...>/vlan
 0.000000 | HookLoadFile  base<...>/vntag <...>/vntag
+0.000000 | HookLoadFile  base<...>/vxlan <...>/vxlan
 0.000000 | HookLoadFile  base<...>/weird <...>/weird.zeek
 0.000000 | HookLoadFile  base<...>/x509 <...>/x509
 0.000000 | HookLoadFile  base<...>/xmpp <...>/xmpp
@@ -4287,6 +4295,7 @@
 0.000000 | HookLoadFileExtended base<...>/version <...>/version.zeek
 0.000000 | HookLoadFileExtended base<...>/vlan <...>/vlan
 0.000000 | HookLoadFileExtended base<...>/vntag <...>/vntag
+0.000000 | HookLoadFileExtended base<...>/vxlan <...>/vxlan
 0.000000 | HookLoadFileExtended base<...>/weird <...>/weird.zeek
 0.000000 | HookLoadFileExtended base<...>/x509 <...>/x509
 0.000000 | HookLoadFileExtended base<...>/xmpp <...>/xmpp
diff --git a/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out b/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out
index 3164acb97b..06997a6c09 100644
--- a/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out
+++ b/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out
@@ -1,5 +1,5 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-|Analyzer::all_registered_ports()|, 2
+|Analyzer::all_registered_ports()|, 3
 signature_match [orig_h=141.142.220.235, orig_p=50003/tcp, resp_h=199.233.217.249, resp_p=21/tcp] - matched my_ftp_client
 ftp_reply 199.233.217.249:21 - 220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20100320) ready.
 ftp_request 141.142.220.235:50003 - USER anonymous
diff --git a/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out b/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out
index baa45d3a06..8bcf84d4a5 100644
--- a/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out
+++ b/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out
@@ -1,5 +1,5 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-|Analyzer::all_registered_ports()|, 2
+|Analyzer::all_registered_ports()|, 3
 signature_match [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49185/tcp, resp_h=2001:470:4867:99::21, resp_p=21/tcp] - matched my_ftp_client
 ftp_reply [2001:470:4867:99::21]:21 - 220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20100320) ready.
 ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - USER anonymous
diff --git a/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out b/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out
index b012dac860..2cde803f33 100644
--- a/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out
+++ b/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out
@@ -1,2 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-|Analyzer::all_registered_ports()|, 2
+|Analyzer::all_registered_ports()|, 3
diff --git a/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out b/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out
index b012dac860..2cde803f33 100644
--- a/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out
+++ b/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out
@@ -1,2 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-|Analyzer::all_registered_ports()|, 2
+|Analyzer::all_registered_ports()|, 3

From dc0ecf98111ac6eb199163540cd61af2c569a080 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Fri, 27 Aug 2021 14:49:15 -0700
Subject: [PATCH 100/210] Add Teredo packet analyzer, disable old analyzer

---
 scripts/base/frameworks/tunnels/main.zeek     |   4 +-
 scripts/base/packet-protocols/__load__.zeek   |   1 +
 .../packet-protocols/teredo/__load__.zeek     |   1 +
 .../base/packet-protocols/teredo/main.zeek    |  28 ++
 scripts/base/protocols/tunnels/dpd.sig        |   6 -
 src/IPAddr.cc                                 | 107 +++++--
 src/IPAddr.h                                  |  18 +-
 src/RE.h                                      |   4 +-
 src/analyzer/protocol/CMakeLists.txt          |   2 +-
 src/packet_analysis/protocol/CMakeLists.txt   |   1 +
 .../protocol/teredo/CMakeLists.txt            |   7 +
 src/packet_analysis/protocol/teredo/Plugin.cc |  26 ++
 src/packet_analysis/protocol/teredo/Teredo.cc | 280 ++++++++++++++++++
 src/packet_analysis/protocol/teredo/Teredo.h  | 106 +++++++
 .../protocol/teredo/events.bif                |  55 ++++
 .../protocol/teredo/functions.bif             |  20 ++
 src/session/Manager.cc                        |  43 +--
 .../canonified_loaded_scripts.log             |   5 +-
 .../canonified_loaded_scripts.log             |   5 +-
 testing/btest/Baseline/plugins.hooks/output   |  45 ++-
 .../alarm-mail.txt                            |   2 +-
 .../Baseline/signatures.dpd/dpd-ipv4.out      |   2 +-
 .../Baseline/signatures.dpd/dpd-ipv6.out      |   2 +-
 .../Baseline/signatures.dpd/nosig-ipv4.out    |   2 +-
 .../Baseline/signatures.dpd/nosig-ipv6.out    |   2 +-
 25 files changed, 683 insertions(+), 91 deletions(-)
 create mode 100644 scripts/base/packet-protocols/teredo/__load__.zeek
 create mode 100644 scripts/base/packet-protocols/teredo/main.zeek
 create mode 100644 src/packet_analysis/protocol/teredo/CMakeLists.txt
 create mode 100644 src/packet_analysis/protocol/teredo/Plugin.cc
 create mode 100644 src/packet_analysis/protocol/teredo/Teredo.cc
 create mode 100644 src/packet_analysis/protocol/teredo/Teredo.h
 create mode 100644 src/packet_analysis/protocol/teredo/events.bif
 create mode 100644 src/packet_analysis/protocol/teredo/functions.bif

diff --git a/scripts/base/frameworks/tunnels/main.zeek b/scripts/base/frameworks/tunnels/main.zeek
index 11b7a90470..7cf4f82e40 100644
--- a/scripts/base/frameworks/tunnels/main.zeek
+++ b/scripts/base/frameworks/tunnels/main.zeek
@@ -90,15 +90,13 @@ export {
 	global finalize_tunnel: Conn::RemovalHook;
 }
 
-const teredo_ports = { 3544/udp };
 const gtpv1_ports = { 2152/udp, 2123/udp };
-redef likely_server_ports += { teredo_ports, gtpv1_ports };
+redef likely_server_ports += { gtpv1_ports };
 
 event zeek_init() &priority=5
 	{
 	Log::create_stream(Tunnel::LOG, [$columns=Info, $path="tunnel", $policy=log_policy]);
 
-	Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, teredo_ports);
 	Analyzer::register_for_ports(Analyzer::ANALYZER_GTPV1, gtpv1_ports);
 	}
 
diff --git a/scripts/base/packet-protocols/__load__.zeek b/scripts/base/packet-protocols/__load__.zeek
index 312db9f3b0..f82027f6d1 100644
--- a/scripts/base/packet-protocols/__load__.zeek
+++ b/scripts/base/packet-protocols/__load__.zeek
@@ -24,3 +24,4 @@
 @load base/packet-protocols/ayiya
 @load base/packet-protocols/geneve
 @load base/packet-protocols/vxlan
+@load base/packet-protocols/teredo
diff --git a/scripts/base/packet-protocols/teredo/__load__.zeek b/scripts/base/packet-protocols/teredo/__load__.zeek
new file mode 100644
index 0000000000..d551be57d3
--- /dev/null
+++ b/scripts/base/packet-protocols/teredo/__load__.zeek
@@ -0,0 +1 @@
+@load ./main
\ No newline at end of file
diff --git a/scripts/base/packet-protocols/teredo/main.zeek b/scripts/base/packet-protocols/teredo/main.zeek
new file mode 100644
index 0000000000..5bba5c9243
--- /dev/null
+++ b/scripts/base/packet-protocols/teredo/main.zeek
@@ -0,0 +1,28 @@
+module PacketAnalyzer::TEREDO;
+
+# This needs to be loaded here so the functions are available. Function BIFs normally aren't
+# loaded until after the packet analysis init scripts are run, and then zeek complains it
+# can't find the function.
+@load base/bif/plugins/Zeek_Teredo.functions.bif
+
+# Needed for port registration for BPF
+@load base/frameworks/analyzer/main
+
+export {
+        ## Default analyzer
+        const default_analyzer: PacketAnalyzer::Tag = PacketAnalyzer::ANALYZER_IP &redef;
+}
+
+const teredo_ports = { 3544/udp };
+redef likely_server_ports += { teredo_ports };
+
+event zeek_init() &priority=20
+	{
+	PacketAnalyzer::register_protocol_detection(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO);
+	PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, teredo_ports);
+	}
+
+event connection_state_remove(c: connection)
+	{
+	remove_teredo_connection(c$id);
+	}
diff --git a/scripts/base/protocols/tunnels/dpd.sig b/scripts/base/protocols/tunnels/dpd.sig
index 552e0c9170..d4d3b533bc 100644
--- a/scripts/base/protocols/tunnels/dpd.sig
+++ b/scripts/base/protocols/tunnels/dpd.sig
@@ -1,8 +1,2 @@
 # Provide DPD signatures for tunneling protocols that otherwise
 # wouldn't be detected at all.
-
-signature dpd_teredo {
-  ip-proto = udp
-  payload /^(\x00\x00)|(\x00\x01)|([\x60-\x6f].{7}((\x20\x01\x00\x00)).{28})|([\x60-\x6f].{23}((\x20\x01\x00\x00))).{12}/
-  enable "teredo"
-}
diff --git a/src/IPAddr.cc b/src/IPAddr.cc
index a957ce4d10..5cb3f4a998 100644
--- a/src/IPAddr.cc
+++ b/src/IPAddr.cc
@@ -24,8 +24,93 @@ namespace detail
 
 ConnKey::ConnKey(const IPAddr& src, const IPAddr& dst, uint16_t src_port, uint16_t dst_port,
                  TransportProto t, bool one_way)
-	: transport(t)
 	{
+	Init(src, dst, src_port, dst_port, t, one_way);
+	}
+
+ConnKey::ConnKey(const ConnTuple& id)
+	{
+	Init(id.src_addr, id.dst_addr, id.src_port, id.dst_port, id.proto, id.is_one_way);
+	}
+
+ConnKey& ConnKey::operator=(const ConnKey& rhs)
+	{
+	if ( this == &rhs )
+		return *this;
+
+	// Because of padding in the object, this needs to memset to clear out
+	// the extra memory used by padding. Otherwise, the session key stuff
+	// doesn't work quite right.
+	memset(this, 0, sizeof(ConnKey));
+
+	memcpy(&ip1, &rhs.ip1, sizeof(in6_addr));
+	memcpy(&ip2, &rhs.ip2, sizeof(in6_addr));
+	port1 = rhs.port1;
+	port2 = rhs.port2;
+	transport = rhs.transport;
+	valid = rhs.valid;
+
+	return *this;
+	}
+
+ConnKey::ConnKey(Val* v)
+	{
+	const auto& vt = v->GetType();
+	if ( ! IsRecord(vt->Tag()) )
+		{
+		valid = false;
+		return;
+		}
+
+	RecordType* vr = vt->AsRecordType();
+	auto vl = v->As<RecordVal*>();
+
+	int orig_h, orig_p; // indices into record's value list
+	int resp_h, resp_p;
+
+	if ( vr == id::conn_id )
+		{
+		orig_h = 0;
+		orig_p = 1;
+		resp_h = 2;
+		resp_p = 3;
+		}
+	else
+		{
+		// While it's not a conn_id, it may have equivalent fields.
+		orig_h = vr->FieldOffset("orig_h");
+		resp_h = vr->FieldOffset("resp_h");
+		orig_p = vr->FieldOffset("orig_p");
+		resp_p = vr->FieldOffset("resp_p");
+
+		if ( orig_h < 0 || resp_h < 0 || orig_p < 0 || resp_p < 0 )
+			{
+			valid = false;
+			return;
+			}
+
+		// ### we ought to check that the fields have the right
+		// types, too.
+		}
+
+	const IPAddr& orig_addr = vl->GetFieldAs<AddrVal>(orig_h);
+	const IPAddr& resp_addr = vl->GetFieldAs<AddrVal>(resp_h);
+
+	auto orig_portv = vl->GetFieldAs<PortVal>(orig_p);
+	auto resp_portv = vl->GetFieldAs<PortVal>(resp_p);
+
+	Init(orig_addr, resp_addr, htons((unsigned short)orig_portv->Port()),
+	     htons((unsigned short)resp_portv->Port()), orig_portv->PortType(), false);
+	}
+
+void ConnKey::Init(const IPAddr& src, const IPAddr& dst, uint16_t src_port, uint16_t dst_port,
+                   TransportProto t, bool one_way)
+	{
+	// Because of padding in the object, this needs to memset to clear out
+	// the extra memory used by padding. Otherwise, the session key stuff
+	// doesn't work quite right.
+	memset(this, 0, sizeof(ConnKey));
+
 	// Lookup up connection based on canonical ordering, which is
 	// the smaller of <src addr, src port> and <dst addr, dst port>
 	// followed by the other.
@@ -43,25 +128,9 @@ ConnKey::ConnKey(const IPAddr& src, const IPAddr& dst, uint16_t src_port, uint16
 		port1 = dst_port;
 		port2 = src_port;
 		}
-	}
 
-ConnKey::ConnKey(const ConnTuple& id)
-	: ConnKey(id.src_addr, id.dst_addr, id.src_port, id.dst_port, id.proto, id.is_one_way)
-	{
-	}
-
-ConnKey& ConnKey::operator=(const ConnKey& rhs)
-	{
-	if ( this == &rhs )
-		return *this;
-
-	memcpy(&ip1, &rhs.ip1, sizeof(in6_addr));
-	memcpy(&ip2, &rhs.ip2, sizeof(in6_addr));
-	port1 = rhs.port1;
-	port2 = rhs.port2;
-	transport = rhs.transport;
-
-	return *this;
+	transport = t;
+	valid = true;
 	}
 
 	} // namespace detail
diff --git a/src/IPAddr.h b/src/IPAddr.h
index 6295e7af1d..ea4ed9ac08 100644
--- a/src/IPAddr.h
+++ b/src/IPAddr.h
@@ -17,24 +17,28 @@ namespace zeek
 
 class String;
 struct ConnTuple;
+class Val;
 
 namespace detail
 	{
 
 class HashKey;
 
-struct ConnKey
+class ConnKey
 	{
+public:
 	in6_addr ip1;
 	in6_addr ip2;
-	uint16_t port1;
-	uint16_t port2;
-	TransportProto transport;
+	uint16_t port1 = 0;
+	uint16_t port2 = 0;
+	TransportProto transport = TRANSPORT_UNKNOWN;
+	bool valid = true;
 
 	ConnKey(const IPAddr& src, const IPAddr& dst, uint16_t src_port, uint16_t dst_port,
 	        TransportProto t, bool one_way);
 	ConnKey(const ConnTuple& conn);
 	ConnKey(const ConnKey& rhs) { *this = rhs; }
+	ConnKey(Val* v);
 
 	bool operator<(const ConnKey& rhs) const { return memcmp(this, &rhs, sizeof(ConnKey)) < 0; }
 	bool operator<=(const ConnKey& rhs) const { return memcmp(this, &rhs, sizeof(ConnKey)) <= 0; }
@@ -44,6 +48,10 @@ struct ConnKey
 	bool operator>(const ConnKey& rhs) const { return memcmp(this, &rhs, sizeof(ConnKey)) > 0; }
 
 	ConnKey& operator=(const ConnKey& rhs);
+
+private:
+	void Init(const IPAddr& src, const IPAddr& dst, uint16_t src_port, uint16_t dst_port,
+	          TransportProto t, bool one_way);
 	};
 
 using ConnIDKey [[deprecated("Remove in v5.1. Use zeek::detail::ConnKey.")]] = ConnKey;
@@ -430,7 +438,7 @@ public:
 	static const IPAddr v6_unspecified;
 
 private:
-	friend struct detail::ConnKey;
+	friend class detail::ConnKey;
 	friend class IPPrefix;
 
 	/**
diff --git a/src/RE.h b/src/RE.h
index c9461685d5..06fdd5f391 100644
--- a/src/RE.h
+++ b/src/RE.h
@@ -109,6 +109,7 @@ public:
 	// in an attempt to match at least one character.
 	int Match(const char* s);
 	int Match(const String* s);
+	int Match(const u_char* bv, int n);
 
 	int LongestMatch(const char* s);
 	int LongestMatch(const String* s);
@@ -136,7 +137,6 @@ protected:
 	void AddPat(const char* pat, const char* orig_fmt, const char* app_fmt);
 
 	bool MatchAll(const u_char* bv, int n);
-	int Match(const u_char* bv, int n);
 
 	match_type mt;
 	int multiline;
@@ -228,6 +228,8 @@ public:
 	int MatchPrefix(const String* s) { return re_exact->LongestMatch(s); }
 	int MatchPrefix(const u_char* s, int n) { return re_exact->LongestMatch(s, n); }
 
+	bool Match(const u_char* s, int n) { return re_anywhere->Match(s, n); }
+
 	const char* PatternText() const { return re_exact->PatternText(); }
 	const char* AnywherePatternText() const { return re_anywhere->PatternText(); }
 
diff --git a/src/analyzer/protocol/CMakeLists.txt b/src/analyzer/protocol/CMakeLists.txt
index d6b42fa28e..bbc5048718 100644
--- a/src/analyzer/protocol/CMakeLists.txt
+++ b/src/analyzer/protocol/CMakeLists.txt
@@ -41,7 +41,7 @@ add_subdirectory(ssh)
 add_subdirectory(ssl)
 add_subdirectory(syslog)
 add_subdirectory(tcp)
-add_subdirectory(teredo)
+#add_subdirectory(teredo)
 #add_subdirectory(vxlan)
 add_subdirectory(xmpp)
 add_subdirectory(zip)
diff --git a/src/packet_analysis/protocol/CMakeLists.txt b/src/packet_analysis/protocol/CMakeLists.txt
index 53a1d8e161..f4c3490963 100644
--- a/src/packet_analysis/protocol/CMakeLists.txt
+++ b/src/packet_analysis/protocol/CMakeLists.txt
@@ -25,3 +25,4 @@ add_subdirectory(iptunnel)
 add_subdirectory(ayiya)
 add_subdirectory(geneve)
 add_subdirectory(vxlan)
+add_subdirectory(teredo)
diff --git a/src/packet_analysis/protocol/teredo/CMakeLists.txt b/src/packet_analysis/protocol/teredo/CMakeLists.txt
new file mode 100644
index 0000000000..949d4beaf7
--- /dev/null
+++ b/src/packet_analysis/protocol/teredo/CMakeLists.txt
@@ -0,0 +1,7 @@
+include(ZeekPlugin)
+
+zeek_plugin_begin(Zeek Teredo)
+zeek_plugin_cc(Teredo.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_bif(functions.bif)
+zeek_plugin_end()
diff --git a/src/packet_analysis/protocol/teredo/Plugin.cc b/src/packet_analysis/protocol/teredo/Plugin.cc
new file mode 100644
index 0000000000..a4f6782458
--- /dev/null
+++ b/src/packet_analysis/protocol/teredo/Plugin.cc
@@ -0,0 +1,26 @@
+// See the file  in the main distribution directory for copyright.
+
+#include "zeek/plugin/Plugin.h"
+
+#include "zeek/packet_analysis/Component.h"
+#include "zeek/packet_analysis/protocol/teredo/Teredo.h"
+
+namespace zeek::plugin::detail::Zeek_Teredo
+	{
+
+class Plugin : public zeek::plugin::Plugin
+	{
+public:
+	zeek::plugin::Configuration Configure() override
+		{
+		AddComponent(new zeek::packet_analysis::Component(
+			"Teredo", zeek::packet_analysis::teredo::TeredoAnalyzer::Instantiate));
+
+		zeek::plugin::Configuration config;
+		config.name = "Zeek::Teredo";
+		config.description = "Teredo packet analyzer";
+		return config;
+		}
+	} plugin;
+
+	} // namespace zeek::plugin::detail::Zeek_Teredo
diff --git a/src/packet_analysis/protocol/teredo/Teredo.cc b/src/packet_analysis/protocol/teredo/Teredo.cc
new file mode 100644
index 0000000000..fc755be951
--- /dev/null
+++ b/src/packet_analysis/protocol/teredo/Teredo.cc
@@ -0,0 +1,280 @@
+#include "zeek/packet_analysis/protocol/teredo/Teredo.h"
+
+#include "zeek/Conn.h"
+#include "zeek/IP.h"
+#include "zeek/RE.h"
+#include "zeek/Reporter.h"
+#include "zeek/RunState.h"
+#include "zeek/TunnelEncapsulation.h"
+#include "zeek/ZeekString.h"
+#include "zeek/packet_analysis/protocol/ip/IP.h"
+#include "zeek/packet_analysis/protocol/iptunnel/IPTunnel.h"
+#include "zeek/packet_analysis/protocol/teredo/events.bif.h"
+
+namespace zeek::packet_analysis::teredo
+	{
+
+namespace detail
+	{
+
+bool TeredoEncapsulation::DoParse(const u_char* data, size_t& len, bool found_origin,
+                                  bool found_auth)
+	{
+	if ( len < 2 )
+		{
+		Weird("truncated_Teredo");
+		return false;
+		}
+
+	uint16_t tag = ntohs((*((const uint16_t*)data)));
+
+	if ( tag == 0 )
+		{
+		// Origin Indication
+		if ( found_origin )
+			// can't have multiple origin indications
+			return false;
+
+		if ( len < 8 )
+			{
+			Weird("truncated_Teredo_origin_indication");
+			return false;
+			}
+
+		origin_indication = data;
+		len -= 8;
+		data += 8;
+		return DoParse(data, len, true, found_auth);
+		}
+
+	else if ( tag == 1 )
+		{
+		// Authentication
+		if ( found_origin || found_auth )
+			// can't have multiple authentication headers and can't come after
+			// an origin indication
+			return false;
+
+		if ( len < 4 )
+			{
+			Weird("truncated_Teredo_authentication");
+			return false;
+			}
+
+		uint8_t id_len = data[2];
+		uint8_t au_len = data[3];
+		uint16_t tot_len = 4 + id_len + au_len + 8 + 1;
+
+		if ( len < tot_len )
+			{
+			Weird("truncated_Teredo_authentication");
+			return false;
+			}
+
+		auth = data;
+		len -= tot_len;
+		data += tot_len;
+		return DoParse(data, len, found_origin, true);
+		}
+
+	else if ( ((tag & 0xf000) >> 12) == 6 )
+		{
+		// IPv6
+		if ( len < 40 )
+			{
+			Weird("truncated_IPv6_in_Teredo");
+			return false;
+			}
+
+		// There's at least a possible IPv6 header, we'll decide what to do
+		// later if the payload length field doesn't match the actual length
+		// of the packet.
+		inner_ip = data;
+		return true;
+		}
+
+	return false;
+	}
+
+RecordValPtr TeredoEncapsulation::BuildVal(const std::shared_ptr<IP_Hdr>& inner) const
+	{
+	static auto teredo_hdr_type = id::find_type<RecordType>("teredo_hdr");
+	static auto teredo_auth_type = id::find_type<RecordType>("teredo_auth");
+	static auto teredo_origin_type = id::find_type<RecordType>("teredo_origin");
+
+	auto teredo_hdr = make_intrusive<RecordVal>(teredo_hdr_type);
+
+	if ( auth )
+		{
+		auto teredo_auth = make_intrusive<RecordVal>(teredo_auth_type);
+		uint8_t id_len = *((uint8_t*)(auth + 2));
+		uint8_t au_len = *((uint8_t*)(auth + 3));
+		uint64_t nonce = ntohll(*((uint64_t*)(auth + 4 + id_len + au_len)));
+		uint8_t conf = *((uint8_t*)(auth + 4 + id_len + au_len + 8));
+		teredo_auth->Assign(0, new String(auth + 4, id_len, true));
+		teredo_auth->Assign(1, new String(auth + 4 + id_len, au_len, true));
+		teredo_auth->Assign(2, nonce);
+		teredo_auth->Assign(3, conf);
+		teredo_hdr->Assign(0, std::move(teredo_auth));
+		}
+
+	if ( origin_indication )
+		{
+		auto teredo_origin = make_intrusive<RecordVal>(teredo_origin_type);
+		uint16_t port = ntohs(*((uint16_t*)(origin_indication + 2))) ^ 0xFFFF;
+		uint32_t addr = ntohl(*((uint32_t*)(origin_indication + 4))) ^ 0xFFFFFFFF;
+		teredo_origin->Assign(0, val_mgr->Port(port, TRANSPORT_UDP));
+		teredo_origin->Assign(1, make_intrusive<AddrVal>(htonl(addr)));
+		teredo_hdr->Assign(1, std::move(teredo_origin));
+		}
+
+	teredo_hdr->Assign(2, inner->ToPktHdrVal());
+	return teredo_hdr;
+	}
+
+	} // namespace detail
+
+TeredoAnalyzer::TeredoAnalyzer() : zeek::packet_analysis::Analyzer("TEREDO")
+	{
+	// The pattern matching below is based on this old DPD signature
+	// signature dpd_teredo {
+	// 	ip-proto = udp
+	// 	payload
+	// /^(\x00\x00)|(\x00\x01)|([\x60-\x6f].{7}((\x20\x01\x00\x00)).{28})|([\x60-\x6f].{23}((\x20\x01\x00\x00))).{12}/
+	// 	enable "teredo"
+	// 	}
+
+	pattern_re = std::make_unique<zeek::detail::Specific_RE_Matcher>(zeek::detail::MATCH_EXACTLY,
+	                                                                 1);
+	pattern_re->AddPat("^(\\x00\\x00)|(\\x00\\x01)|([\\x60-\\x6f].{7}((\\x20\\x01\\x00\\x00)).{28})"
+	                   "|([\\x60-\\x6f].{23}((\\x20\\x01\\x00\\x00))).{12}");
+	pattern_re->Compile();
+	}
+
+bool TeredoAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
+	{
+	if ( ! BifConst::Tunnel::enable_teredo )
+		return false;
+
+	// Teredo always comes from a UDP connection, which means that session should always
+	// be valid and always be a connection. Store this off for the span of the
+	// processing so that it can be used for other things. Return a weird if we didn't
+	// have a session stored.
+	if ( ! packet->session )
+		{
+		Analyzer::Weird("teredo_missing_connection");
+		return false;
+		}
+	else if ( AnalyzerViolated(packet->session) )
+		return false;
+
+	if ( packet->encap && packet->encap->Depth() >= BifConst::Tunnel::max_depth )
+		{
+		Analyzer::Weird("exceeded_tunnel_max_depth", packet);
+		return false;
+		}
+
+	conn = static_cast<Connection*>(packet->session);
+	zeek::detail::ConnKey conn_key = conn->Key();
+
+	OrigRespMap::iterator or_it = orig_resp_map.find(conn_key);
+	if ( or_it == orig_resp_map.end() )
+		or_it = orig_resp_map.insert(or_it, {conn_key, {}});
+
+	detail::TeredoEncapsulation te(this);
+	if ( ! te.Parse(data, len) )
+		{
+		AnalyzerViolation("Bad Teredo encapsulation", conn, (const char*)data, len);
+		return false;
+		}
+
+	// TODO: i'm not sure about this. on the one hand, we do some error checking with the result
+	// but on the other hand we duplicate this work here. maybe this header could just be stored
+	// and reused in the IP analyzer somehow?
+	std::shared_ptr<IP_Hdr> inner = nullptr;
+	int rslt = packet_analysis::IP::ParsePacket(len, te.InnerIP(), IPPROTO_IPV6, inner);
+	if ( rslt > 0 )
+		{
+		if ( inner->NextProto() == IPPROTO_NONE && inner->PayloadLen() == 0 )
+			// Teredo bubbles having data after IPv6 header isn't strictly a
+			// violation, but a little weird.
+			Weird("Teredo_bubble_with_payload", true);
+		else
+			{
+			AnalyzerViolation("Teredo payload length", conn, (const char*)data, len);
+			return false;
+			}
+		}
+
+	if ( rslt == 0 || rslt > 0 )
+		{
+		if ( packet->is_orig )
+			or_it->second.valid_orig = true;
+		else
+			or_it->second.valid_resp = true;
+
+		Confirm(or_it->second.valid_orig, or_it->second.valid_resp);
+		}
+	else
+		{
+		AnalyzerViolation("Truncated Teredo or invalid inner IP version", conn, (const char*)data,
+		                  len);
+		return false;
+		}
+
+	ValPtr teredo_hdr;
+
+	if ( teredo_packet )
+		{
+		teredo_hdr = te.BuildVal(inner);
+		packet->session->EnqueueEvent(teredo_packet, nullptr, packet->session->GetVal(),
+		                              teredo_hdr);
+		}
+
+	if ( te.Authentication() && teredo_authentication )
+		{
+		if ( ! teredo_hdr )
+			teredo_hdr = te.BuildVal(inner);
+
+		packet->session->EnqueueEvent(teredo_authentication, nullptr, packet->session->GetVal(),
+		                              teredo_hdr);
+		}
+
+	if ( te.OriginIndication() && teredo_origin_indication )
+		{
+		if ( ! teredo_hdr )
+			teredo_hdr = te.BuildVal(inner);
+
+		packet->session->EnqueueEvent(teredo_origin_indication, nullptr, packet->session->GetVal(),
+		                              teredo_hdr);
+		}
+
+	if ( inner->NextProto() == IPPROTO_NONE && teredo_bubble )
+		{
+		if ( ! teredo_hdr )
+			teredo_hdr = te.BuildVal(inner);
+
+		packet->session->EnqueueEvent(teredo_bubble, nullptr, packet->session->GetVal(),
+		                              teredo_hdr);
+		}
+
+	int encap_index = 0;
+	auto inner_packet = packet_analysis::IPTunnel::build_inner_packet(
+		packet, &encap_index, nullptr, len, te.InnerIP(), DLT_RAW, BifEnum::Tunnel::TEREDO,
+		GetAnalyzerTag());
+
+	return ForwardPacket(len, te.InnerIP(), inner_packet.get());
+	}
+
+bool TeredoAnalyzer::DetectProtocol(size_t len, const uint8_t* data, Packet* packet)
+	{
+	if ( ! BifConst::Tunnel::enable_teredo )
+		return false;
+
+	if ( ! pattern_re->Match(data, len) )
+		return false;
+
+	return true;
+	}
+
+	} // namespace zeek::packet_analysis::teredo
diff --git a/src/packet_analysis/protocol/teredo/Teredo.h b/src/packet_analysis/protocol/teredo/Teredo.h
new file mode 100644
index 0000000000..82bd150a17
--- /dev/null
+++ b/src/packet_analysis/protocol/teredo/Teredo.h
@@ -0,0 +1,106 @@
+#pragma once
+
+#include <map>
+
+#include "zeek/Conn.h"
+#include "zeek/NetVar.h"
+#include "zeek/RE.h"
+#include "zeek/Reporter.h"
+#include "zeek/packet_analysis/Analyzer.h"
+
+namespace zeek::packet_analysis::teredo
+	{
+
+class TeredoAnalyzer final : public packet_analysis::Analyzer
+	{
+public:
+	TeredoAnalyzer();
+	~TeredoAnalyzer() override = default;
+
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+
+	static zeek::packet_analysis::AnalyzerPtr Instantiate()
+		{
+		return std::make_shared<TeredoAnalyzer>();
+		}
+
+	/**
+	 * Emits a weird only if the analyzer has previously been able to
+	 * decapsulate a Teredo packet in both directions or if *force* param is
+	 * set, since otherwise the weirds could happen frequently enough to be less
+	 * than helpful.  The *force* param is meant for cases where just one side
+	 * has a valid encapsulation and so the weird would be informative.
+	 */
+	void Weird(const char* name, bool force = false) const
+		{
+		if ( AnalyzerConfirmed(conn) || force )
+			reporter->Weird(conn, name, "", GetAnalyzerName());
+		}
+
+	/**
+	 * If the delayed confirmation option is set, then a valid encapsulation
+	 * seen from both end points is required before confirming.
+	 */
+	void Confirm(bool valid_orig, bool valid_resp)
+		{
+		if ( ! BifConst::Tunnel::delay_teredo_confirmation || (valid_orig && valid_resp) )
+			{
+			AnalyzerConfirmation(conn);
+			}
+		}
+
+	bool DetectProtocol(size_t len, const uint8_t* data, Packet* packet) override;
+
+	void RemoveConnection(const zeek::detail::ConnKey& conn_key) { orig_resp_map.erase(conn_key); }
+
+protected:
+	Connection* conn = nullptr;
+
+	struct OrigResp
+		{
+		bool valid_orig = false;
+		bool valid_resp = false;
+		bool confirmed = false;
+		};
+	using OrigRespMap = std::map<zeek::detail::ConnKey, OrigResp>;
+	OrigRespMap orig_resp_map;
+
+	std::unique_ptr<zeek::detail::Specific_RE_Matcher> pattern_re;
+	};
+
+namespace detail
+	{
+
+class TeredoEncapsulation
+	{
+public:
+	explicit TeredoEncapsulation(const TeredoAnalyzer* ta) : analyzer(ta) { }
+
+	/**
+	 * Returns whether input data parsed as a valid Teredo encapsulation type.
+	 * If it was valid, the len argument is decremented appropriately.
+	 */
+	bool Parse(const u_char* data, size_t& len) { return DoParse(data, len, false, false); }
+
+	const u_char* InnerIP() const { return inner_ip; }
+
+	const u_char* OriginIndication() const { return origin_indication; }
+
+	const u_char* Authentication() const { return auth; }
+
+	RecordValPtr BuildVal(const std::shared_ptr<IP_Hdr>& inner) const;
+
+private:
+	bool DoParse(const u_char* data, size_t& len, bool found_orig, bool found_au);
+
+	void Weird(const char* name) const { analyzer->Weird(name); }
+
+	const u_char* inner_ip = nullptr;
+	const u_char* origin_indication = nullptr;
+	const u_char* auth = nullptr;
+	const TeredoAnalyzer* analyzer = nullptr;
+	};
+
+	} // namespace detail
+
+	} // namespace zeek::packet_analysis::teredo
diff --git a/src/packet_analysis/protocol/teredo/events.bif b/src/packet_analysis/protocol/teredo/events.bif
new file mode 100644
index 0000000000..080eb1bf6e
--- /dev/null
+++ b/src/packet_analysis/protocol/teredo/events.bif
@@ -0,0 +1,55 @@
+## Generated for any IPv6 packet encapsulated in a Teredo tunnel.
+## See :rfc:`4380` for more information about the Teredo protocol.
+##
+## outer: The Teredo tunnel connection.
+##
+## inner: The Teredo-encapsulated IPv6 packet header and transport header.
+##
+## .. zeek:see:: teredo_authentication teredo_origin_indication teredo_bubble
+##
+## .. note:: Since this event may be raised on a per-packet basis, handling
+##    it may become particularly expensive for real-time analysis.
+event teredo_packet%(outer: connection, inner: teredo_hdr%);
+
+## Generated for IPv6 packets encapsulated in a Teredo tunnel that
+## use the Teredo authentication encapsulation method.
+## See :rfc:`4380` for more information about the Teredo protocol.
+##
+## outer: The Teredo tunnel connection.
+##
+## inner: The Teredo-encapsulated IPv6 packet header and transport header.
+##
+## .. zeek:see:: teredo_packet teredo_origin_indication teredo_bubble
+##
+## .. note:: Since this event may be raised on a per-packet basis, handling
+##    it may become particularly expensive for real-time analysis.
+event teredo_authentication%(outer: connection, inner: teredo_hdr%);
+
+## Generated for IPv6 packets encapsulated in a Teredo tunnel that
+## use the Teredo origin indication encapsulation method.
+## See :rfc:`4380` for more information about the Teredo protocol.
+##
+## outer: The Teredo tunnel connection.
+##
+## inner: The Teredo-encapsulated IPv6 packet header and transport header.
+##
+## .. zeek:see:: teredo_packet teredo_authentication teredo_bubble
+##
+## .. note:: Since this event may be raised on a per-packet basis, handling
+##    it may become particularly expensive for real-time analysis.
+event teredo_origin_indication%(outer: connection, inner: teredo_hdr%);
+
+## Generated for Teredo bubble packets.  That is, IPv6 packets encapsulated
+## in a Teredo tunnel that have a Next Header value of :zeek:id:`IPPROTO_NONE`.
+## See :rfc:`4380` for more information about the Teredo protocol.
+##
+## outer: The Teredo tunnel connection.
+##
+## inner: The Teredo-encapsulated IPv6 packet header and transport header.
+##
+## .. zeek:see:: teredo_packet teredo_authentication teredo_origin_indication
+##
+## .. note:: Since this event may be raised on a per-packet basis, handling
+##    it may become particularly expensive for real-time analysis.
+event teredo_bubble%(outer: connection, inner: teredo_hdr%);
+
diff --git a/src/packet_analysis/protocol/teredo/functions.bif b/src/packet_analysis/protocol/teredo/functions.bif
new file mode 100644
index 0000000000..8607712ca5
--- /dev/null
+++ b/src/packet_analysis/protocol/teredo/functions.bif
@@ -0,0 +1,20 @@
+module PacketAnalyzer::TEREDO;
+
+%%{
+#include "zeek/Conn.h"
+#include "zeek/session/Manager.h"
+#include "zeek/packet_analysis/Manager.h"
+#include "zeek/packet_analysis/protocol/teredo/Teredo.h"
+%%}
+
+function remove_teredo_connection%(cid: conn_id%) : bool
+	%{
+	zeek::packet_analysis::AnalyzerPtr teredo = zeek::packet_mgr->GetAnalyzer("Teredo");
+	if ( teredo )
+		{
+		zeek::detail::ConnKey conn_key(cid);
+		static_cast<zeek::packet_analysis::teredo::TeredoAnalyzer*>(teredo.get())->RemoveConnection(conn_key);
+		}
+
+	return zeek::val_mgr->True();
+	%}
diff --git a/src/session/Manager.cc b/src/session/Manager.cc
index 2fdb05c4e4..3ed9d9741d 100644
--- a/src/session/Manager.cc
+++ b/src/session/Manager.cc
@@ -101,48 +101,11 @@ void Manager::Done() { }
 
 Connection* Manager::FindConnection(Val* v)
 	{
-	const auto& vt = v->GetType();
-	if ( ! IsRecord(vt->Tag()) )
+	zeek::detail::ConnKey conn_key(v);
+
+	if ( ! conn_key.valid )
 		return nullptr;
 
-	RecordType* vr = vt->AsRecordType();
-	auto vl = v->As<RecordVal*>();
-
-	int orig_h, orig_p; // indices into record's value list
-	int resp_h, resp_p;
-
-	if ( vr == id::conn_id )
-		{
-		orig_h = 0;
-		orig_p = 1;
-		resp_h = 2;
-		resp_p = 3;
-		}
-	else
-		{
-		// While it's not a conn_id, it may have equivalent fields.
-		orig_h = vr->FieldOffset("orig_h");
-		resp_h = vr->FieldOffset("resp_h");
-		orig_p = vr->FieldOffset("orig_p");
-		resp_p = vr->FieldOffset("resp_p");
-
-		if ( orig_h < 0 || resp_h < 0 || orig_p < 0 || resp_p < 0 )
-			return nullptr;
-
-		// ### we ought to check that the fields have the right
-		// types, too.
-		}
-
-	const IPAddr& orig_addr = vl->GetFieldAs<AddrVal>(orig_h);
-	const IPAddr& resp_addr = vl->GetFieldAs<AddrVal>(resp_h);
-
-	auto orig_portv = vl->GetFieldAs<PortVal>(orig_p);
-	auto resp_portv = vl->GetFieldAs<PortVal>(resp_p);
-
-	zeek::detail::ConnKey conn_key(orig_addr, resp_addr, htons((unsigned short)orig_portv->Port()),
-	                               htons((unsigned short)resp_portv->Port()),
-	                               orig_portv->PortType(), false);
-
 	return FindConnection(conn_key);
 	}
 
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
index be14ccb46b..81552f328f 100644
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@@ -73,6 +73,9 @@ scripts/base/init-bare.zeek
       scripts/base/packet-protocols/geneve/main.zeek
     scripts/base/packet-protocols/vxlan/__load__.zeek
       scripts/base/packet-protocols/vxlan/main.zeek
+    scripts/base/packet-protocols/teredo/__load__.zeek
+      scripts/base/packet-protocols/teredo/main.zeek
+        build/scripts/base/bif/plugins/Zeek_Teredo.functions.bif.zeek
 scripts/base/init-frameworks-and-bifs.zeek
   scripts/base/frameworks/logging/__load__.zeek
     scripts/base/frameworks/logging/main.zeek
@@ -210,13 +213,13 @@ scripts/base/init-frameworks-and-bifs.zeek
     build/scripts/base/bif/plugins/Zeek_TCP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_TCP.types.bif.zeek
     build/scripts/base/bif/plugins/Zeek_TCP.functions.bif.zeek
-    build/scripts/base/bif/plugins/Zeek_Teredo.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_XMPP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_ARP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_UDP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_ICMP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_Geneve.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_VXLAN.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_Teredo.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_FileEntropy.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_FileExtract.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_FileExtract.functions.bif.zeek
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
index bab747594c..f215057ab1 100644
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -73,6 +73,9 @@ scripts/base/init-bare.zeek
       scripts/base/packet-protocols/geneve/main.zeek
     scripts/base/packet-protocols/vxlan/__load__.zeek
       scripts/base/packet-protocols/vxlan/main.zeek
+    scripts/base/packet-protocols/teredo/__load__.zeek
+      scripts/base/packet-protocols/teredo/main.zeek
+        build/scripts/base/bif/plugins/Zeek_Teredo.functions.bif.zeek
 scripts/base/init-frameworks-and-bifs.zeek
   scripts/base/frameworks/logging/__load__.zeek
     scripts/base/frameworks/logging/main.zeek
@@ -210,13 +213,13 @@ scripts/base/init-frameworks-and-bifs.zeek
     build/scripts/base/bif/plugins/Zeek_TCP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_TCP.types.bif.zeek
     build/scripts/base/bif/plugins/Zeek_TCP.functions.bif.zeek
-    build/scripts/base/bif/plugins/Zeek_Teredo.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_XMPP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_ARP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_UDP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_ICMP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_Geneve.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_VXLAN.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_Teredo.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_FileEntropy.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_FileExtract.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_FileExtract.functions.bif.zeek
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index 30cef0ae06..d0f098c5fb 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -59,7 +59,6 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 993/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 995/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SYSLOG, 514/udp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_TEREDO, 3544/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_TCPSTATS)) -> <no result>
@@ -122,7 +121,6 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 993/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 995/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_SYSLOG, 514/udp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_TEREDO, 3544/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DCE_RPC, {135/tcp})) -> <no result>
@@ -151,7 +149,6 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_SSH, {22/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_SSL, {563<...>/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_SYSLOG, {514/udp})) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_TEREDO, {3544/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_XMPP, {5222<...>/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Broker::__set_metrics_export_endpoint_name, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(Broker::__set_metrics_export_interval, <frame>, (1.0 sec)) -> <no result>
@@ -580,9 +577,11 @@
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (udp_content_ports, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, 5072/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, 6081/udp)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, 3544/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, 4789/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, {5072/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, {6081/udp})) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, {3544/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, {4789/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 41, PacketAnalyzer::ANALYZER_IP)) -> <no result>
@@ -632,6 +631,7 @@
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 3544, PacketAnalyzer::ANALYZER_TEREDO)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 4789, PacketAnalyzer::ANALYZER_VXLAN)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 6081, PacketAnalyzer::ANALYZER_GENEVE)) -> <no result>
@@ -646,6 +646,7 @@
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 34984, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 37120, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_protocol_detection, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_protocol_detection, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketFilter::build, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketFilter::combine_filters, <frame>, (ip or not ip, and, )) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketFilter::install, <frame>, ()) -> <no result>
@@ -676,6 +677,7 @@
 0.000000   MetaHookPost  CallFunction(getenv, <null>, (ZEEK_DEFAULT_LISTEN_ADDRESS)) -> <no result>
 0.000000   MetaHookPost  CallFunction(global_ids, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(network_time, <frame>, ()) -> <no result>
+0.000000   MetaHookPost  CallFunction(port_to_count, <frame>, (3544/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(port_to_count, <frame>, (4789/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(port_to_count, <frame>, (5072/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(port_to_count, <frame>, (6081/udp)) -> <no result>
@@ -804,6 +806,7 @@
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_Teredo.events.bif.zeek, <...>/Zeek_Teredo.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, ./Zeek_Teredo.functions.bif.zeek, <...>/Zeek_Teredo.functions.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_UDP.events.bif.zeek, <...>/Zeek_UDP.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_Unified2.events.bif.zeek, <...>/Zeek_Unified2.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_Unified2.types.bif.zeek, <...>/Zeek_Unified2.types.bif.zeek) -> -1
@@ -921,6 +924,7 @@
 0.000000   MetaHookPost  LoadFile(0, base<...>/CPP-load.bif, <...>/CPP-load.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/Zeek_KRB.types.bif, <...>/Zeek_KRB.types.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/Zeek_SNMP.types.bif, <...>/Zeek_SNMP.types.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, base<...>/Zeek_Teredo.functions.bif, <...>/Zeek_Teredo.functions.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/active-http, <...>/active-http.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/addrs, <...>/addrs.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/analyzer, <...>/analyzer) -> -1
@@ -1029,6 +1033,7 @@
 0.000000   MetaHookPost  LoadFile(0, base<...>/supervisor.bif, <...>/supervisor.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/syslog, <...>/syslog) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/tcp, <...>/tcp) -> -1
+0.000000   MetaHookPost  LoadFile(0, base<...>/teredo, <...>/teredo) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/thresholds, <...>/thresholds.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/time, <...>/time.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/tunnels, <...>/tunnels) -> -1
@@ -1175,6 +1180,7 @@
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Teredo.events.bif.zeek, <...>/Zeek_Teredo.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Teredo.functions.bif.zeek, <...>/Zeek_Teredo.functions.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_UDP.events.bif.zeek, <...>/Zeek_UDP.events.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Unified2.events.bif.zeek, <...>/Zeek_Unified2.events.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Unified2.types.bif.zeek, <...>/Zeek_Unified2.types.bif.zeek) -> (-1, <no content>)
@@ -1292,6 +1298,7 @@
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/CPP-load.bif, <...>/CPP-load.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/Zeek_KRB.types.bif, <...>/Zeek_KRB.types.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/Zeek_SNMP.types.bif, <...>/Zeek_SNMP.types.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/Zeek_Teredo.functions.bif, <...>/Zeek_Teredo.functions.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/active-http, <...>/active-http.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/addrs, <...>/addrs.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/analyzer, <...>/analyzer) -> (-1, <no content>)
@@ -1400,6 +1407,7 @@
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/supervisor.bif, <...>/supervisor.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/syslog, <...>/syslog) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/tcp, <...>/tcp) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/teredo, <...>/teredo) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/thresholds, <...>/thresholds.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/time, <...>/time.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/tunnels, <...>/tunnels) -> (-1, <no content>)
@@ -1496,7 +1504,6 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 993/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 995/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SYSLOG, 514/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_TEREDO, 3544/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_TCPSTATS))
@@ -1559,7 +1566,6 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 993/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 995/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_SYSLOG, 514/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_TEREDO, 3544/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DCE_RPC, {135/tcp}))
@@ -1588,7 +1594,6 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_SSH, {22/tcp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_SSL, {563<...>/tcp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_SYSLOG, {514/udp}))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_TEREDO, {3544/udp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_XMPP, {5222<...>/tcp}))
 0.000000   MetaHookPre   CallFunction(Broker::__set_metrics_export_endpoint_name, <frame>, ())
 0.000000   MetaHookPre   CallFunction(Broker::__set_metrics_export_interval, <frame>, (1.0 sec))
@@ -2017,9 +2022,11 @@
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (udp_content_ports, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, 5072/udp))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, 6081/udp))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, 3544/udp))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, 4789/udp))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, {5072/udp}))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, {6081/udp}))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, {3544/udp}))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, {4789/udp}))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 41, PacketAnalyzer::ANALYZER_IP))
@@ -2069,6 +2076,7 @@
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 3544, PacketAnalyzer::ANALYZER_TEREDO))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 4789, PacketAnalyzer::ANALYZER_VXLAN))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 6081, PacketAnalyzer::ANALYZER_GENEVE))
@@ -2083,6 +2091,7 @@
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 34984, PacketAnalyzer::ANALYZER_VLAN))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 37120, PacketAnalyzer::ANALYZER_VLAN))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_protocol_detection, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_protocol_detection, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO))
 0.000000   MetaHookPre   CallFunction(PacketFilter::build, <frame>, ())
 0.000000   MetaHookPre   CallFunction(PacketFilter::combine_filters, <frame>, (ip or not ip, and, ))
 0.000000   MetaHookPre   CallFunction(PacketFilter::install, <frame>, ())
@@ -2113,6 +2122,7 @@
 0.000000   MetaHookPre   CallFunction(getenv, <null>, (ZEEK_DEFAULT_LISTEN_ADDRESS))
 0.000000   MetaHookPre   CallFunction(global_ids, <frame>, ())
 0.000000   MetaHookPre   CallFunction(network_time, <frame>, ())
+0.000000   MetaHookPre   CallFunction(port_to_count, <frame>, (3544/udp))
 0.000000   MetaHookPre   CallFunction(port_to_count, <frame>, (4789/udp))
 0.000000   MetaHookPre   CallFunction(port_to_count, <frame>, (5072/udp))
 0.000000   MetaHookPre   CallFunction(port_to_count, <frame>, (6081/udp))
@@ -2241,6 +2251,7 @@
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_Teredo.events.bif.zeek, <...>/Zeek_Teredo.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, ./Zeek_Teredo.functions.bif.zeek, <...>/Zeek_Teredo.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_UDP.events.bif.zeek, <...>/Zeek_UDP.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_Unified2.events.bif.zeek, <...>/Zeek_Unified2.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_Unified2.types.bif.zeek, <...>/Zeek_Unified2.types.bif.zeek)
@@ -2358,6 +2369,7 @@
 0.000000   MetaHookPre   LoadFile(0, base<...>/CPP-load.bif, <...>/CPP-load.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/Zeek_KRB.types.bif, <...>/Zeek_KRB.types.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/Zeek_SNMP.types.bif, <...>/Zeek_SNMP.types.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, base<...>/Zeek_Teredo.functions.bif, <...>/Zeek_Teredo.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/active-http, <...>/active-http.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/addrs, <...>/addrs.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/analyzer, <...>/analyzer)
@@ -2466,6 +2478,7 @@
 0.000000   MetaHookPre   LoadFile(0, base<...>/supervisor.bif, <...>/supervisor.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/syslog, <...>/syslog)
 0.000000   MetaHookPre   LoadFile(0, base<...>/tcp, <...>/tcp)
+0.000000   MetaHookPre   LoadFile(0, base<...>/teredo, <...>/teredo)
 0.000000   MetaHookPre   LoadFile(0, base<...>/thresholds, <...>/thresholds.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/time, <...>/time.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/tunnels, <...>/tunnels)
@@ -2612,6 +2625,7 @@
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Teredo.events.bif.zeek, <...>/Zeek_Teredo.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Teredo.functions.bif.zeek, <...>/Zeek_Teredo.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_UDP.events.bif.zeek, <...>/Zeek_UDP.events.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Unified2.events.bif.zeek, <...>/Zeek_Unified2.events.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Unified2.types.bif.zeek, <...>/Zeek_Unified2.types.bif.zeek)
@@ -2729,6 +2743,7 @@
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/CPP-load.bif, <...>/CPP-load.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/Zeek_KRB.types.bif, <...>/Zeek_KRB.types.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/Zeek_SNMP.types.bif, <...>/Zeek_SNMP.types.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/Zeek_Teredo.functions.bif, <...>/Zeek_Teredo.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/active-http, <...>/active-http.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/addrs, <...>/addrs.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/analyzer, <...>/analyzer)
@@ -2837,6 +2852,7 @@
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/supervisor.bif, <...>/supervisor.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/syslog, <...>/syslog)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/tcp, <...>/tcp)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/teredo, <...>/teredo)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/thresholds, <...>/thresholds.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/time, <...>/time.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/tunnels, <...>/tunnels)
@@ -2933,7 +2949,6 @@
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SSL, 993/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SSL, 995/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SYSLOG, 514/udp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_TEREDO, 3544/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5222/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5269/tcp)
 0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_TCPSTATS)
@@ -2996,7 +3011,6 @@
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SSL, 993/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SSL, 995/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SYSLOG, 514/udp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_TEREDO, 3544/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_XMPP, 5222/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_XMPP, 5269/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DCE_RPC, {135/tcp})
@@ -3025,7 +3039,6 @@
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SSH, {22/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, {563<...>/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SYSLOG, {514/udp})
-0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, {3544/udp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_XMPP, {5222<...>/tcp})
 0.000000 | HookCallFunction Broker::__set_metrics_export_endpoint_name()
 0.000000 | HookCallFunction Broker::__set_metrics_export_interval(1.0 sec)
@@ -3453,9 +3466,11 @@
 0.000000 | HookCallFunction Option::set_change_handler(udp_content_ports, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)
 0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, 5072/udp)
 0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, 6081/udp)
+0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, 3544/udp)
 0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, 4789/udp)
 0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, {5072/udp})
 0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, {6081/udp})
+0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, {3544/udp})
 0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, {4789/udp})
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_AYIYA, 41, PacketAnalyzer::ANALYZER_IP)
@@ -3505,6 +3520,7 @@
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 3544, PacketAnalyzer::ANALYZER_TEREDO)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 4789, PacketAnalyzer::ANALYZER_VXLAN)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 6081, PacketAnalyzer::ANALYZER_GENEVE)
@@ -3519,6 +3535,7 @@
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VNTAG, 34984, PacketAnalyzer::ANALYZER_VLAN)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VNTAG, 37120, PacketAnalyzer::ANALYZER_VLAN)
 0.000000 | HookCallFunction PacketAnalyzer::register_protocol_detection(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA)
+0.000000 | HookCallFunction PacketAnalyzer::register_protocol_detection(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO)
 0.000000 | HookCallFunction PacketFilter::build()
 0.000000 | HookCallFunction PacketFilter::combine_filters(ip or not ip, and, )
 0.000000 | HookCallFunction PacketFilter::install()
@@ -3549,6 +3566,7 @@
 0.000000 | HookCallFunction getenv(ZEEK_DEFAULT_LISTEN_ADDRESS)
 0.000000 | HookCallFunction global_ids()
 0.000000 | HookCallFunction network_time()
+0.000000 | HookCallFunction port_to_count(3544/udp)
 0.000000 | HookCallFunction port_to_count(4789/udp)
 0.000000 | HookCallFunction port_to_count(5072/udp)
 0.000000 | HookCallFunction port_to_count(6081/udp)
@@ -3677,6 +3695,7 @@
 0.000000 | HookLoadFile  ./Zeek_TCP.functions.bif.zeek <...>/Zeek_TCP.functions.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_TCP.types.bif.zeek <...>/Zeek_TCP.types.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_Teredo.events.bif.zeek <...>/Zeek_Teredo.events.bif.zeek
+0.000000 | HookLoadFile  ./Zeek_Teredo.functions.bif.zeek <...>/Zeek_Teredo.functions.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_UDP.events.bif.zeek <...>/Zeek_UDP.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_Unified2.events.bif.zeek <...>/Zeek_Unified2.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_Unified2.types.bif.zeek <...>/Zeek_Unified2.types.bif.zeek
@@ -3806,6 +3825,7 @@
 0.000000 | HookLoadFile  base<...>/CPP-load.bif <...>/CPP-load.bif.zeek
 0.000000 | HookLoadFile  base<...>/Zeek_KRB.types.bif <...>/Zeek_KRB.types.bif.zeek
 0.000000 | HookLoadFile  base<...>/Zeek_SNMP.types.bif <...>/Zeek_SNMP.types.bif.zeek
+0.000000 | HookLoadFile  base<...>/Zeek_Teredo.functions.bif <...>/Zeek_Teredo.functions.bif.zeek
 0.000000 | HookLoadFile  base<...>/active-http <...>/active-http.zeek
 0.000000 | HookLoadFile  base<...>/addrs <...>/addrs.zeek
 0.000000 | HookLoadFile  base<...>/analyzer <...>/analyzer
@@ -3914,6 +3934,7 @@
 0.000000 | HookLoadFile  base<...>/supervisor.bif <...>/supervisor.bif.zeek
 0.000000 | HookLoadFile  base<...>/syslog <...>/syslog
 0.000000 | HookLoadFile  base<...>/tcp <...>/tcp
+0.000000 | HookLoadFile  base<...>/teredo <...>/teredo
 0.000000 | HookLoadFile  base<...>/thresholds <...>/thresholds.zeek
 0.000000 | HookLoadFile  base<...>/time <...>/time.zeek
 0.000000 | HookLoadFile  base<...>/tunnels <...>/tunnels
@@ -4048,6 +4069,7 @@
 0.000000 | HookLoadFileExtended ./Zeek_TCP.functions.bif.zeek <...>/Zeek_TCP.functions.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_TCP.types.bif.zeek <...>/Zeek_TCP.types.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_Teredo.events.bif.zeek <...>/Zeek_Teredo.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_Teredo.functions.bif.zeek <...>/Zeek_Teredo.functions.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_UDP.events.bif.zeek <...>/Zeek_UDP.events.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_Unified2.events.bif.zeek <...>/Zeek_Unified2.events.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_Unified2.types.bif.zeek <...>/Zeek_Unified2.types.bif.zeek
@@ -4177,6 +4199,7 @@
 0.000000 | HookLoadFileExtended base<...>/CPP-load.bif <...>/CPP-load.bif.zeek
 0.000000 | HookLoadFileExtended base<...>/Zeek_KRB.types.bif <...>/Zeek_KRB.types.bif.zeek
 0.000000 | HookLoadFileExtended base<...>/Zeek_SNMP.types.bif <...>/Zeek_SNMP.types.bif.zeek
+0.000000 | HookLoadFileExtended base<...>/Zeek_Teredo.functions.bif <...>/Zeek_Teredo.functions.bif.zeek
 0.000000 | HookLoadFileExtended base<...>/active-http <...>/active-http.zeek
 0.000000 | HookLoadFileExtended base<...>/addrs <...>/addrs.zeek
 0.000000 | HookLoadFileExtended base<...>/analyzer <...>/analyzer
@@ -4285,6 +4308,7 @@
 0.000000 | HookLoadFileExtended base<...>/supervisor.bif <...>/supervisor.bif.zeek
 0.000000 | HookLoadFileExtended base<...>/syslog <...>/syslog
 0.000000 | HookLoadFileExtended base<...>/tcp <...>/tcp
+0.000000 | HookLoadFileExtended base<...>/teredo <...>/teredo
 0.000000 | HookLoadFileExtended base<...>/thresholds <...>/thresholds.zeek
 0.000000 | HookLoadFileExtended base<...>/time <...>/time.zeek
 0.000000 | HookLoadFileExtended base<...>/tunnels <...>/tunnels
@@ -4782,6 +4806,7 @@ XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(HTTP::get_file_handle, <frame>, (
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(Log::__write, <frame>, (Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>])) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(Log::log_stream_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>], Conn::LOG)) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(Log::write, <frame>, (Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>])) -> <no result>
+XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(PacketAnalyzer::TEREDO::remove_teredo_connection, <frame>, ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp])) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(connection_state_remove, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::info{ if (HTTP::c?$http_state) { for ([HTTP::r] in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerceHTTP::info)}}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(filter_change_tracking, <null>, ()) -> <no result>
@@ -4819,6 +4844,7 @@ XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(HTTP::get_file_handle, <frame>, (
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(Log::__write, <frame>, (Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>]))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(Log::log_stream_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>], Conn::LOG))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(Log::write, <frame>, (Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>]))
+XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(PacketAnalyzer::TEREDO::remove_teredo_connection, <frame>, ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(connection_state_remove, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::info{ if (HTTP::c?$http_state) { for ([HTTP::r] in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerceHTTP::info)}}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(filter_change_tracking, <null>, ())
@@ -4857,6 +4883,7 @@ XXXXXXXXXX.XXXXXX | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.2
 XXXXXXXXXX.XXXXXX | HookCallFunction Log::__write(Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>])
 XXXXXXXXXX.XXXXXX | HookCallFunction Log::log_stream_policy([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>], Conn::LOG)
 XXXXXXXXXX.XXXXXX | HookCallFunction Log::write(Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>])
+XXXXXXXXXX.XXXXXX | HookCallFunction PacketAnalyzer::TEREDO::remove_teredo_connection([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp])
 XXXXXXXXXX.XXXXXX | HookCallFunction cat(Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)
 XXXXXXXXXX.XXXXXX | HookCallFunction connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::info{ if (HTTP::c?$http_state) { for ([HTTP::r] in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerceHTTP::info)}}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
 XXXXXXXXXX.XXXXXX | HookCallFunction filter_change_tracking()
diff --git a/testing/btest/Baseline/scripts.base.frameworks.notice.mail-alarms/alarm-mail.txt b/testing/btest/Baseline/scripts.base.frameworks.notice.mail-alarms/alarm-mail.txt
index 3b64f8ef57..fda4f6d244 100644
--- a/testing/btest/Baseline/scripts.base.frameworks.notice.mail-alarms/alarm-mail.txt
+++ b/testing/btest/Baseline/scripts.base.frameworks.notice.mail-alarms/alarm-mail.txt
@@ -1,5 +1,5 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
->  2005-10-07-23:23:55 Test_Notice 141.42.64.125:56730/tcp -> 125.190.109.199:80/tcp (uid CHhAvVGS1DHFjwGM9)
+>  2005-10-07-23:23:55 Test_Notice 141.42.64.125:56730/tcp -> 125.190.109.199:80/tcp (uid ClEkJM2Vm5giqnMf4h)
    test
    # 141.42.64.125 = <skipped>  125.190.109.199 = <skipped>
 
diff --git a/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out b/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out
index 06997a6c09..26470a7fdf 100644
--- a/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out
+++ b/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out
@@ -1,5 +1,5 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-|Analyzer::all_registered_ports()|, 3
+|Analyzer::all_registered_ports()|, 4
 signature_match [orig_h=141.142.220.235, orig_p=50003/tcp, resp_h=199.233.217.249, resp_p=21/tcp] - matched my_ftp_client
 ftp_reply 199.233.217.249:21 - 220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20100320) ready.
 ftp_request 141.142.220.235:50003 - USER anonymous
diff --git a/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out b/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out
index 8bcf84d4a5..40ce076959 100644
--- a/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out
+++ b/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out
@@ -1,5 +1,5 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-|Analyzer::all_registered_ports()|, 3
+|Analyzer::all_registered_ports()|, 4
 signature_match [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49185/tcp, resp_h=2001:470:4867:99::21, resp_p=21/tcp] - matched my_ftp_client
 ftp_reply [2001:470:4867:99::21]:21 - 220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20100320) ready.
 ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - USER anonymous
diff --git a/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out b/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out
index 2cde803f33..123f40020a 100644
--- a/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out
+++ b/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out
@@ -1,2 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-|Analyzer::all_registered_ports()|, 3
+|Analyzer::all_registered_ports()|, 4
diff --git a/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out b/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out
index 2cde803f33..123f40020a 100644
--- a/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out
+++ b/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out
@@ -1,2 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-|Analyzer::all_registered_ports()|, 3
+|Analyzer::all_registered_ports()|, 4

From 2044fbe53bb9f0a3d6db262c9eef23b8bd66f1dc Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Wed, 3 Nov 2021 12:17:22 -0700
Subject: [PATCH 101/210] Add GTPv1 packet analyzer, disable old analyzer

---
 auxil/bifcl                                   |   2 +-
 scripts/base/frameworks/tunnels/main.zeek     |   5 -
 scripts/base/packet-protocols/__load__.zeek   |   1 +
 .../base/packet-protocols/gtpv1/__load__.zeek |   1 +
 scripts/base/packet-protocols/gtpv1/main.zeek |  28 +
 src/analyzer/protocol/CMakeLists.txt          |   2 +-
 src/binpac_zeek.h                             |   4 +
 src/packet_analysis/Analyzer.h                |  24 +-
 src/packet_analysis/protocol/CMakeLists.txt   |   1 +
 .../protocol/gtpv1/CMakeLists.txt             |  11 +
 src/packet_analysis/protocol/gtpv1/GTPv1.cc   | 102 +++
 src/packet_analysis/protocol/gtpv1/GTPv1.h    |  46 ++
 src/packet_analysis/protocol/gtpv1/Plugin.cc  |  26 +
 src/packet_analysis/protocol/gtpv1/events.bif |  74 ++
 .../protocol/gtpv1/functions.bif              |  20 +
 .../protocol/gtpv1/gtpv1-analyzer.pac         | 759 ++++++++++++++++++
 .../protocol/gtpv1/gtpv1-protocol.pac         | 496 ++++++++++++
 src/packet_analysis/protocol/gtpv1/gtpv1.pac  |  18 +
 src/zeek.pac                                  |   1 +
 .../core.tunnels.gtp.non_recursive/out        |   2 +-
 .../dpd.log                                   |   2 +-
 .../canonified_loaded_scripts.log             |   5 +-
 .../canonified_loaded_scripts.log             |   5 +-
 testing/btest/Baseline/plugins.hooks/output   |  60 +-
 .../Baseline/signatures.dpd/dpd-ipv4.out      |   2 +-
 .../Baseline/signatures.dpd/dpd-ipv6.out      |   2 +-
 .../Baseline/signatures.dpd/nosig-ipv4.out    |   2 +-
 .../Baseline/signatures.dpd/nosig-ipv6.out    |   2 +-
 28 files changed, 1661 insertions(+), 42 deletions(-)
 create mode 100644 scripts/base/packet-protocols/gtpv1/__load__.zeek
 create mode 100644 scripts/base/packet-protocols/gtpv1/main.zeek
 create mode 100644 src/packet_analysis/protocol/gtpv1/CMakeLists.txt
 create mode 100644 src/packet_analysis/protocol/gtpv1/GTPv1.cc
 create mode 100644 src/packet_analysis/protocol/gtpv1/GTPv1.h
 create mode 100644 src/packet_analysis/protocol/gtpv1/Plugin.cc
 create mode 100644 src/packet_analysis/protocol/gtpv1/events.bif
 create mode 100644 src/packet_analysis/protocol/gtpv1/functions.bif
 create mode 100644 src/packet_analysis/protocol/gtpv1/gtpv1-analyzer.pac
 create mode 100644 src/packet_analysis/protocol/gtpv1/gtpv1-protocol.pac
 create mode 100644 src/packet_analysis/protocol/gtpv1/gtpv1.pac

diff --git a/auxil/bifcl b/auxil/bifcl
index 6bd2643518..762d55f9c6 160000
--- a/auxil/bifcl
+++ b/auxil/bifcl
@@ -1 +1 @@
-Subproject commit 6bd264351813eedb92753d2d4ed76ac6ddc076b3
+Subproject commit 762d55f9c6747267acca77f19d4b60b4dc3c3821
diff --git a/scripts/base/frameworks/tunnels/main.zeek b/scripts/base/frameworks/tunnels/main.zeek
index 7cf4f82e40..3c4e8adf3d 100644
--- a/scripts/base/frameworks/tunnels/main.zeek
+++ b/scripts/base/frameworks/tunnels/main.zeek
@@ -90,14 +90,9 @@ export {
 	global finalize_tunnel: Conn::RemovalHook;
 }
 
-const gtpv1_ports = { 2152/udp, 2123/udp };
-redef likely_server_ports += { gtpv1_ports };
-
 event zeek_init() &priority=5
 	{
 	Log::create_stream(Tunnel::LOG, [$columns=Info, $path="tunnel", $policy=log_policy]);
-
-	Analyzer::register_for_ports(Analyzer::ANALYZER_GTPV1, gtpv1_ports);
 	}
 
 function register_all(ecv: EncapsulatingConnVector)
diff --git a/scripts/base/packet-protocols/__load__.zeek b/scripts/base/packet-protocols/__load__.zeek
index f82027f6d1..5ea4cb93ef 100644
--- a/scripts/base/packet-protocols/__load__.zeek
+++ b/scripts/base/packet-protocols/__load__.zeek
@@ -25,3 +25,4 @@
 @load base/packet-protocols/geneve
 @load base/packet-protocols/vxlan
 @load base/packet-protocols/teredo
+@load base/packet-protocols/gtpv1
diff --git a/scripts/base/packet-protocols/gtpv1/__load__.zeek b/scripts/base/packet-protocols/gtpv1/__load__.zeek
new file mode 100644
index 0000000000..d551be57d3
--- /dev/null
+++ b/scripts/base/packet-protocols/gtpv1/__load__.zeek
@@ -0,0 +1 @@
+@load ./main
\ No newline at end of file
diff --git a/scripts/base/packet-protocols/gtpv1/main.zeek b/scripts/base/packet-protocols/gtpv1/main.zeek
new file mode 100644
index 0000000000..052efa5f58
--- /dev/null
+++ b/scripts/base/packet-protocols/gtpv1/main.zeek
@@ -0,0 +1,28 @@
+module PacketAnalyzer::GTPV1;
+
+# This needs to be loaded here so the function is available. Function BIFs normally aren't
+# loaded until after the packet analysis init scripts are run, and then zeek complains it
+# can't find the function.
+@load base/bif/plugins/Zeek_GTPv1.functions.bif
+
+# Needed for port registration for BPF
+@load base/frameworks/analyzer/main
+
+export {
+        ## Default analyzer
+        const default_analyzer: PacketAnalyzer::Tag = PacketAnalyzer::ANALYZER_IP &redef;
+}
+
+const gtpv1_ports = { 2152/udp, 2123/udp };
+redef likely_server_ports += { gtpv1_ports };
+
+event zeek_init() &priority=20
+	{
+	PacketAnalyzer::register_protocol_detection(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1);
+	PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1, gtpv1_ports);
+	}
+
+event connection_state_remove(c: connection)
+	{
+	remove_gtpv1_connection(c$id);
+	}
diff --git a/src/analyzer/protocol/CMakeLists.txt b/src/analyzer/protocol/CMakeLists.txt
index bbc5048718..b21ec3a545 100644
--- a/src/analyzer/protocol/CMakeLists.txt
+++ b/src/analyzer/protocol/CMakeLists.txt
@@ -11,7 +11,7 @@ add_subdirectory(ftp)
 #add_subdirectory(geneve)
 add_subdirectory(gnutella)
 add_subdirectory(gssapi)
-add_subdirectory(gtpv1)
+#add_subdirectory(gtpv1)
 add_subdirectory(http)
 add_subdirectory(ident)
 add_subdirectory(imap)
diff --git a/src/binpac_zeek.h b/src/binpac_zeek.h
index 3735ff30a7..22bf8ed09e 100644
--- a/src/binpac_zeek.h
+++ b/src/binpac_zeek.h
@@ -6,6 +6,8 @@
 #include "zeek/Val.h"
 #include "zeek/analyzer/Analyzer.h"
 #include "zeek/file_analysis/Analyzer.h"
+#include "zeek/iosource/Packet.h"
+#include "zeek/packet_analysis/Analyzer.h"
 #include "zeek/util.h"
 
 #include "event.bif.func_h"
@@ -15,9 +17,11 @@ namespace binpac
 
 using ZeekAnalyzer = zeek::analyzer::Analyzer*;
 using ZeekFileAnalyzer = zeek::file_analysis::Analyzer;
+using ZeekPacketAnalyzer = zeek::packet_analysis::Analyzer*;
 using ZeekVal = zeek::Val*;
 using ZeekPortVal = zeek::PortVal*;
 using ZeekStringVal = zeek::StringVal*;
+using ZeekPacket = zeek::Packet;
 
 inline zeek::StringValPtr to_stringval(const_bytestring const& str)
 	{
diff --git a/src/packet_analysis/Analyzer.h b/src/packet_analysis/Analyzer.h
index fd11ba484e..d778128b7c 100644
--- a/src/packet_analysis/Analyzer.h
+++ b/src/packet_analysis/Analyzer.h
@@ -173,6 +173,18 @@ public:
 		       session::AnalyzerConfirmationState::VIOLATED;
 		}
 
+	/**
+	 * Reports a Weird with the analyzer's name included in the addl field.
+	 *
+	 * @param name The name of the weird.
+	 * @param packet An optional pointer to a packet to be used for additional
+	 * information in the weird output.
+	 * @param addl An optional string containing additional information about
+	 * the weird. If this is passed, the analyzer's name will be prepended to
+	 * it before output.
+	 */
+	void Weird(const char* name, Packet* packet = nullptr, const char* addl = "") const;
+
 protected:
 	friend class Manager;
 
@@ -227,18 +239,6 @@ protected:
 	 */
 	bool ForwardPacket(size_t len, const uint8_t* data, Packet* packet) const;
 
-	/**
-	 * Reports a Weird with the analyzer's name included in the addl field.
-	 *
-	 * @param name The name of the weird.
-	 * @param packet An optional pointer to a packet to be used for additional
-	 * information in the weird output.
-	 * @param addl An optional string containing additional information about
-	 * the weird. If this is passed, the analyzer's name will be prepended to
-	 * it before output.
-	 */
-	void Weird(const char* name, Packet* packet = nullptr, const char* addl = "") const;
-
 private:
 	zeek::Tag tag;
 	Dispatcher dispatcher;
diff --git a/src/packet_analysis/protocol/CMakeLists.txt b/src/packet_analysis/protocol/CMakeLists.txt
index f4c3490963..e325816351 100644
--- a/src/packet_analysis/protocol/CMakeLists.txt
+++ b/src/packet_analysis/protocol/CMakeLists.txt
@@ -26,3 +26,4 @@ add_subdirectory(ayiya)
 add_subdirectory(geneve)
 add_subdirectory(vxlan)
 add_subdirectory(teredo)
+add_subdirectory(gtpv1)
diff --git a/src/packet_analysis/protocol/gtpv1/CMakeLists.txt b/src/packet_analysis/protocol/gtpv1/CMakeLists.txt
new file mode 100644
index 0000000000..49e23e36e8
--- /dev/null
+++ b/src/packet_analysis/protocol/gtpv1/CMakeLists.txt
@@ -0,0 +1,11 @@
+
+include(ZeekPlugin)
+
+include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
+
+zeek_plugin_begin(Zeek GTPv1)
+zeek_plugin_cc(GTPv1.cc Plugin.cc)
+zeek_plugin_bif(events.bif)
+zeek_plugin_bif(functions.bif)
+zeek_plugin_pac(gtpv1.pac gtpv1-protocol.pac gtpv1-analyzer.pac)
+zeek_plugin_end()
diff --git a/src/packet_analysis/protocol/gtpv1/GTPv1.cc b/src/packet_analysis/protocol/gtpv1/GTPv1.cc
new file mode 100644
index 0000000000..a382317a57
--- /dev/null
+++ b/src/packet_analysis/protocol/gtpv1/GTPv1.cc
@@ -0,0 +1,102 @@
+// See the file "COPYING" in the main distribution directory for copyright.
+
+#include "zeek/packet_analysis/protocol/gtpv1/GTPv1.h"
+
+#include "zeek/packet_analysis/protocol/gtpv1/events.bif.h"
+#include "zeek/packet_analysis/protocol/ip/IP.h"
+#include "zeek/packet_analysis/protocol/iptunnel/IPTunnel.h"
+
+namespace zeek::packet_analysis::gtpv1
+	{
+GTPv1_Analyzer::GTPv1_Analyzer() : zeek::packet_analysis::Analyzer("GTPV1") { }
+
+bool GTPv1_Analyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
+	{
+	// GTPv1 always comes from a UDP connection, which means that session should always
+	// be valid and always be a connection. Return a weird if we didn't have a session
+	// stored.
+	if ( ! packet->session )
+		{
+		Analyzer::Weird("gtpv1_missing_connection");
+		return false;
+		}
+
+	auto conn = static_cast<Connection*>(packet->session);
+	zeek::detail::ConnKey conn_key = conn->Key();
+
+	auto cm_it = conn_map.find(conn_key);
+	if ( cm_it == conn_map.end() )
+		cm_it = conn_map.insert(cm_it,
+		                        {conn_key, std::make_unique<binpac::GTPv1::GTPv1_Conn>(this)});
+
+	try
+		{
+		cm_it->second->set_raw_packet(packet);
+		cm_it->second->NewData(packet->is_orig, data, data + len);
+		}
+	catch ( const binpac::Exception& e )
+		{
+		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()), packet->session);
+		return false;
+		}
+
+	// Inner packet offset not being set means we failed to process somewhere, and SetInnerInfo()
+	// was never called by the binpac code. Assume this is a failure and return false.
+	if ( inner_packet_offset <= 0 )
+		return false;
+
+	auto odata = data;
+	auto olen = len;
+	data += inner_packet_offset;
+	len -= inner_packet_offset;
+	inner_packet_offset = -1;
+
+	// TODO: i'm not sure about this. on the one hand, we do some error checking with the result
+	// but on the other hand we duplicate this work here. maybe this header could just be stored
+	// and reused in the IP analyzer somehow?
+	std::shared_ptr<IP_Hdr> inner = nullptr;
+	int result = packet_analysis::IP::ParsePacket(len, data, next_header, inner);
+
+	if ( result == 0 )
+		{
+		cm_it->second->set_valid(packet->is_orig, true);
+
+		if ( (! BifConst::Tunnel::delay_gtp_confirmation) ||
+		     (cm_it->second->valid(true) && cm_it->second->valid(false)) )
+			AnalyzerConfirmation(packet->session);
+
+		if ( gtp_hdr_val )
+			{
+			BifEvent::enqueue_gtpv1_g_pdu_packet(nullptr, conn, std::move(gtp_hdr_val),
+			                                     inner->ToPktHdrVal());
+			gtp_hdr_val = nullptr;
+			}
+		}
+	else if ( result == -2 )
+		{
+		AnalyzerViolation("Invalid IP version in wrapped packet", packet->session);
+		gtp_hdr_val = nullptr;
+		return false;
+		}
+	else if ( result < 0 )
+		{
+		AnalyzerViolation("Truncated GTPv1", packet->session);
+		gtp_hdr_val = nullptr;
+		return false;
+		}
+	else
+		{
+		AnalyzerViolation("GTPv1 payload length", packet->session);
+		gtp_hdr_val = nullptr;
+		return false;
+		}
+
+	int encap_index = 0;
+	auto inner_packet = packet_analysis::IPTunnel::build_inner_packet(
+		packet, &encap_index, nullptr, len, data, DLT_RAW, BifEnum::Tunnel::GTPv1,
+		GetAnalyzerTag());
+
+	return ForwardPacket(len, data, inner_packet.get());
+	}
+
+	} // namespace zeek::packet_analysis::gtpv1
diff --git a/src/packet_analysis/protocol/gtpv1/GTPv1.h b/src/packet_analysis/protocol/gtpv1/GTPv1.h
new file mode 100644
index 0000000000..11763782ab
--- /dev/null
+++ b/src/packet_analysis/protocol/gtpv1/GTPv1.h
@@ -0,0 +1,46 @@
+#pragma once
+
+#include "zeek/packet_analysis/Analyzer.h"
+
+#include "packet_analysis/protocol/gtpv1/gtpv1_pac.h"
+
+namespace binpac::GTPv1
+	{
+class GTPv1_Conn;
+	}
+
+namespace zeek::packet_analysis::gtpv1
+	{
+
+class GTPv1_Analyzer final : public packet_analysis::Analyzer
+	{
+public:
+	explicit GTPv1_Analyzer();
+	~GTPv1_Analyzer() override = default;
+
+	bool AnalyzePacket(size_t len, const uint8_t* data, Packet* packet) override;
+
+	static zeek::packet_analysis::AnalyzerPtr Instantiate()
+		{
+		return std::make_shared<GTPv1_Analyzer>();
+		}
+
+	void SetInnerInfo(int offset, uint8_t next, RecordValPtr val)
+		{
+		inner_packet_offset = offset;
+		next_header = next;
+		gtp_hdr_val = std::move(val);
+		}
+
+	void RemoveConnection(const zeek::detail::ConnKey& conn_key) { conn_map.erase(conn_key); }
+
+protected:
+	using ConnMap = std::map<zeek::detail::ConnKey, std::unique_ptr<binpac::GTPv1::GTPv1_Conn>>;
+	ConnMap conn_map;
+
+	int inner_packet_offset = -1;
+	uint8_t next_header = 0;
+	RecordValPtr gtp_hdr_val;
+	};
+
+	} // namespace zeek::packet_analysis::gtpv1
diff --git a/src/packet_analysis/protocol/gtpv1/Plugin.cc b/src/packet_analysis/protocol/gtpv1/Plugin.cc
new file mode 100644
index 0000000000..01811e71b6
--- /dev/null
+++ b/src/packet_analysis/protocol/gtpv1/Plugin.cc
@@ -0,0 +1,26 @@
+// See the file  in the main distribution directory for copyright.
+
+#include "zeek/plugin/Plugin.h"
+
+#include "zeek/packet_analysis/Component.h"
+#include "zeek/packet_analysis/protocol/gtpv1/GTPv1.h"
+
+namespace zeek::plugin::detail::Zeek_GTPv1
+	{
+
+class Plugin : public zeek::plugin::Plugin
+	{
+public:
+	zeek::plugin::Configuration Configure() override
+		{
+		AddComponent(new zeek::packet_analysis::Component(
+			"GTPv1", zeek::packet_analysis::gtpv1::GTPv1_Analyzer::Instantiate));
+
+		zeek::plugin::Configuration config;
+		config.name = "Zeek::GTPv1";
+		config.description = "GTPv1 analyzer";
+		return config;
+		}
+	} plugin;
+
+	} // namespace zeek::plugin::detail::Zeek_GTPv1
diff --git a/src/packet_analysis/protocol/gtpv1/events.bif b/src/packet_analysis/protocol/gtpv1/events.bif
new file mode 100644
index 0000000000..b3bac93a2e
--- /dev/null
+++ b/src/packet_analysis/protocol/gtpv1/events.bif
@@ -0,0 +1,74 @@
+## Generated for any GTP message with a GTPv1 header.
+##
+## c: The connection over which the message is sent.
+##
+## hdr: The GTPv1 header.
+event gtpv1_message%(c: connection, hdr: gtpv1_hdr%);
+
+## Generated for GTPv1 G-PDU packets.  That is, packets with a UDP payload
+## that includes a GTP header followed by an IPv4 or IPv6 packet.
+##
+## outer: The GTP outer tunnel connection.
+##
+## inner_gtp: The GTP header.
+##
+## inner_ip: The inner IP and transport layer packet headers.
+##
+## .. note:: Since this event may be raised on a per-packet basis, handling
+##    it may become particularly expensive for real-time analysis.
+event gtpv1_g_pdu_packet%(outer: connection, inner_gtp: gtpv1_hdr, inner_ip: pkt_hdr%);
+
+## Generated for GTPv1-C Create PDP Context Request messages.
+##
+## c: The connection over which the message is sent.
+##
+## hdr: The GTPv1 header.
+##
+## elements: The set of Information Elements comprising the message.
+event gtpv1_create_pdp_ctx_request%(c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_request_elements%);
+
+## Generated for GTPv1-C Create PDP Context Response messages.
+##
+## c: The connection over which the message is sent.
+##
+## hdr: The GTPv1 header.
+##
+## elements: The set of Information Elements comprising the message.
+event gtpv1_create_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_response_elements%);
+
+## Generated for GTPv1-C Update PDP Context Request messages.
+##
+## c: The connection over which the message is sent.
+##
+## hdr: The GTPv1 header.
+##
+## elements: The set of Information Elements comprising the message.
+event gtpv1_update_pdp_ctx_request%(c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_request_elements%);
+
+## Generated for GTPv1-C Update PDP Context Response messages.
+##
+## c: The connection over which the message is sent.
+##
+## hdr: The GTPv1 header.
+##
+## elements: The set of Information Elements comprising the message.
+event gtpv1_update_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_response_elements%);
+
+## Generated for GTPv1-C Delete PDP Context Request messages.
+##
+## c: The connection over which the message is sent.
+##
+## hdr: The GTPv1 header.
+##
+## elements: The set of Information Elements comprising the message.
+event gtpv1_delete_pdp_ctx_request%(c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_request_elements%);
+
+## Generated for GTPv1-C Delete PDP Context Response messages.
+##
+## c: The connection over which the message is sent.
+##
+## hdr: The GTPv1 header.
+##
+## elements: The set of Information Elements comprising the message.
+event gtpv1_delete_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_response_elements%);
+
diff --git a/src/packet_analysis/protocol/gtpv1/functions.bif b/src/packet_analysis/protocol/gtpv1/functions.bif
new file mode 100644
index 0000000000..05376a920e
--- /dev/null
+++ b/src/packet_analysis/protocol/gtpv1/functions.bif
@@ -0,0 +1,20 @@
+module PacketAnalyzer::GTPV1;
+
+%%{
+#include "zeek/Conn.h"
+#include "zeek/session/Manager.h"
+#include "zeek/packet_analysis/Manager.h"
+#include "zeek/packet_analysis/protocol/gtpv1/GTPv1.h"
+%%}
+
+function remove_gtpv1_connection%(cid: conn_id%) : bool
+	%{
+	zeek::packet_analysis::AnalyzerPtr gtpv1 = zeek::packet_mgr->GetAnalyzer("GTPv1");
+	if ( gtpv1 )
+		{
+		zeek::detail::ConnKey conn_key(cid);
+		static_cast<zeek::packet_analysis::gtpv1::GTPv1_Analyzer*>(gtpv1.get())->RemoveConnection(conn_key);
+		}
+
+	return zeek::val_mgr->True();
+	%}
diff --git a/src/packet_analysis/protocol/gtpv1/gtpv1-analyzer.pac b/src/packet_analysis/protocol/gtpv1/gtpv1-analyzer.pac
new file mode 100644
index 0000000000..6fc18befea
--- /dev/null
+++ b/src/packet_analysis/protocol/gtpv1/gtpv1-analyzer.pac
@@ -0,0 +1,759 @@
+%extern{
+#include "zeek/ZeekString.h"
+#include "zeek/packet_analysis/protocol/gtpv1/GTPv1.h"
+%}
+
+%code{
+zeek::RecordValPtr BuildGTPv1Hdr(const GTPv1_Header* pdu)
+	{
+	auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::gtpv1_hdr);
+
+	rv->Assign(0, pdu->version());
+	rv->Assign(1, pdu->pt_flag());
+	rv->Assign(2, pdu->rsv());
+	rv->Assign(3, pdu->e_flag());
+	rv->Assign(4, pdu->s_flag());
+	rv->Assign(5, pdu->pn_flag());
+	rv->Assign(6, pdu->msg_type());
+	rv->Assign(7, pdu->length());
+	rv->Assign(8, pdu->teid());
+
+	if ( pdu->has_opt() )
+		{
+		rv->Assign(9, pdu->opt_hdr()->seq());
+		rv->Assign(10, pdu->opt_hdr()->n_pdu());
+		rv->Assign(11, pdu->opt_hdr()->next_type());
+		}
+
+	return rv;
+	}
+
+static zeek::ValPtr BuildIMSI(const InformationElement* ie)
+	{
+	return zeek::val_mgr->Count(ie->imsi()->value());
+	}
+
+static zeek::ValPtr BuildRAI(const InformationElement* ie)
+	{
+	auto ev = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::gtp_rai);
+	ev->Assign(0, ie->rai()->mcc());
+	ev->Assign(1, ie->rai()->mnc());
+	ev->Assign(2, ie->rai()->lac());
+	ev->Assign(3, ie->rai()->rac());
+	return ev;
+	}
+
+static zeek::ValPtr BuildRecovery(const InformationElement* ie)
+	{
+	return zeek::val_mgr->Count(ie->recovery()->restart_counter());
+	}
+
+static zeek::ValPtr BuildSelectionMode(const InformationElement* ie)
+	{
+	return zeek::val_mgr->Count(ie->selection_mode()->mode());
+	}
+
+static zeek::ValPtr BuildTEID1(const InformationElement* ie)
+	{
+	return zeek::val_mgr->Count(ie->teid1()->value());
+	}
+
+static zeek::ValPtr BuildTEID_ControlPlane(const InformationElement* ie)
+	{
+	return zeek::val_mgr->Count(ie->teidcp()->value());
+	}
+
+static zeek::ValPtr BuildNSAPI(const InformationElement* ie)
+	{
+	return zeek::val_mgr->Count(ie->nsapi()->nsapi());
+	}
+
+static zeek::ValPtr BuildChargingCharacteristics(const InformationElement* ie)
+	{
+	return zeek::val_mgr->Count(ie->charging_characteristics()->value());
+	}
+
+static zeek::ValPtr BuildTraceReference(const InformationElement* ie)
+	{
+	return zeek::val_mgr->Count(ie->trace_reference()->value());
+	}
+
+static zeek::ValPtr BuildTraceType(const InformationElement* ie)
+	{
+	return zeek::val_mgr->Count(ie->trace_type()->value());
+	}
+
+zeek::ValPtr BuildEndUserAddr(const InformationElement* ie)
+	{
+	auto ev = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::gtp_end_user_addr);
+	ev->Assign(0, ie->end_user_addr()->pdp_type_org());
+	ev->Assign(1, ie->end_user_addr()->pdp_type_num());
+
+	int len = ie->end_user_addr()->pdp_addr().length();
+
+	if ( len > 0 )
+		{
+		const uint8* d = ie->end_user_addr()->pdp_addr().data();
+
+		switch ( ie->end_user_addr()->pdp_type_num() ) {
+		case 0x21:
+			ev->Assign(2, zeek::make_intrusive<zeek::AddrVal>(
+			  zeek::IPAddr(IPv4, (const uint32*) d, zeek::IPAddr::Network)));
+			break;
+		case 0x57:
+			ev->Assign(2, zeek::make_intrusive<zeek::AddrVal>(
+			  zeek::IPAddr(IPv6, (const uint32*) d, zeek::IPAddr::Network)));
+			break;
+		default:
+			ev->Assign(3, new zeek::String((const u_char*) d, len, false));
+			break;
+		}
+		}
+
+	return ev;
+	}
+
+zeek::ValPtr BuildAccessPointName(const InformationElement* ie)
+	{
+	zeek::String* bs = new zeek::String((const u_char*) ie->ap_name()->value().data(),
+	                                          ie->ap_name()->value().length(), false);
+	return zeek::make_intrusive<zeek::StringVal>(bs);
+	}
+
+zeek::ValPtr BuildProtoConfigOptions(const InformationElement* ie)
+	{
+	const u_char* d = (const u_char*) ie->proto_config_opts()->value().data();
+	int len = ie->proto_config_opts()->value().length();
+	return zeek::make_intrusive<zeek::StringVal>(new zeek::String(d, len, false));
+	}
+
+zeek::ValPtr BuildGSN_Addr(const InformationElement* ie)
+	{
+	auto ev = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::gtp_gsn_addr);
+
+	int len = ie->gsn_addr()->value().length();
+	const uint8* d = ie->gsn_addr()->value().data();
+
+	if ( len == 4 )
+		ev->Assign(0, zeek::make_intrusive<zeek::AddrVal>(
+		  zeek::IPAddr(IPv4, (const uint32*) d, zeek::IPAddr::Network)));
+	else if ( len == 16 )
+		ev->Assign(0, zeek::make_intrusive<zeek::AddrVal>(
+		  zeek::IPAddr(IPv6, (const uint32*) d, zeek::IPAddr::Network)));
+	else
+		ev->Assign(1, new zeek::String((const u_char*) d, len, false));
+
+	return ev;
+	}
+
+zeek::ValPtr BuildMSISDN(const InformationElement* ie)
+	{
+	const u_char* d = (const u_char*) ie->msisdn()->value().data();
+	int len = ie->msisdn()->value().length();
+	return zeek::make_intrusive<zeek::StringVal>(new zeek::String(d, len, false));
+	}
+
+zeek::ValPtr BuildQoS_Profile(const InformationElement* ie)
+	{
+	auto ev = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::gtp_qos_profile);
+
+	const u_char* d = (const u_char*) ie->qos_profile()->data().data();
+	int len = ie->qos_profile()->data().length();
+
+	ev->Assign(0, ie->qos_profile()->alloc_retention_priority());
+	ev->Assign(1, new zeek::String(d, len, false));
+
+	return ev;
+	}
+
+zeek::ValPtr BuildTrafficFlowTemplate(const InformationElement* ie)
+	{
+	const uint8* d = ie->traffic_flow_template()->value().data();
+	int len = ie->traffic_flow_template()->value().length();
+	return zeek::make_intrusive<zeek::StringVal>(new zeek::String((const u_char*) d, len, false));
+	}
+
+zeek::ValPtr BuildTriggerID(const InformationElement* ie)
+	{
+	const uint8* d = ie->trigger_id()->value().data();
+	int len = ie->trigger_id()->value().length();
+	return zeek::make_intrusive<zeek::StringVal>(new zeek::String((const u_char*) d, len, false));
+	}
+
+zeek::ValPtr BuildOMC_ID(const InformationElement* ie)
+	{
+	const uint8* d = ie->omc_id()->value().data();
+	int len = ie->omc_id()->value().length();
+	return zeek::make_intrusive<zeek::StringVal>(new zeek::String((const u_char*) d, len, false));
+	}
+
+zeek::ValPtr BuildPrivateExt(const InformationElement* ie)
+	{
+	auto ev = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::gtp_private_extension);
+
+	const uint8* d = ie->private_ext()->value().data();
+	int len = ie->private_ext()->value().length();
+
+	ev->Assign(0, ie->private_ext()->id());
+	ev->Assign(1, new zeek::String((const u_char*) d, len, false));
+
+	return ev;
+	}
+
+static zeek::ValPtr BuildCause(const InformationElement* ie)
+	{
+	return zeek::val_mgr->Count(ie->cause()->value());
+	}
+
+static zeek::ValPtr BuildReorderReq(const InformationElement* ie)
+	{
+	return zeek::val_mgr->Bool(ie->reorder_req()->req());
+	}
+
+static zeek::ValPtr BuildChargingID(const InformationElement* ie)
+	{
+	return zeek::val_mgr->Count(ie->charging_id()->value());;
+	}
+
+zeek::ValPtr BuildChargingGatewayAddr(const InformationElement* ie)
+	{
+	const uint8* d = ie->charging_gateway_addr()->value().data();
+	int len = ie->charging_gateway_addr()->value().length();
+	if ( len == 4 )
+		return zeek::make_intrusive<zeek::AddrVal>(zeek::IPAddr(IPv4, (const uint32*) d, zeek::IPAddr::Network));
+	else if ( len == 16 )
+		return zeek::make_intrusive<zeek::AddrVal>(zeek::IPAddr(IPv6, (const uint32*) d, zeek::IPAddr::Network));
+	else
+		return nullptr;
+	}
+
+static zeek::ValPtr BuildTeardownInd(const InformationElement* ie)
+	{
+	return zeek::val_mgr->Bool(ie->teardown_ind()->ind());
+	}
+
+void CreatePDP_Request(const ZeekPacketAnalyzer& a, zeek::Connection* c, const GTPv1_Header* pdu)
+	{
+	if ( ! ::gtpv1_create_pdp_ctx_request ) return;
+
+	auto rv = zeek::make_intrusive<zeek::RecordVal>(
+	  zeek::BifType::Record::gtp_create_pdp_ctx_request_elements);
+
+	const vector<InformationElement *> * v = pdu->create_pdp_ctx_request();
+
+	bool second_nsapi = false;
+	bool second_gsn_addr = false;
+
+	for ( size_t i = 0; i < v->size(); ++i )
+		{
+		const InformationElement* ie = (*v)[i];
+
+		switch ( ie->type() ) {
+		case GTPv1::TYPE_IMSI:
+			rv->Assign(0, BuildIMSI(ie));
+			break;
+		case GTPv1::TYPE_RAI:
+			rv->Assign(1, BuildRAI(ie));
+			break;
+		case GTPv1::TYPE_RECOVERY:
+			rv->Assign(2, BuildRecovery(ie));
+			break;
+		case GTPv1::TYPE_SELECTION_MODE:
+			rv->Assign(3, BuildSelectionMode(ie));
+			break;
+		case GTPv1::TYPE_TEID1:
+			rv->Assign(4, BuildTEID1(ie));
+			break;
+		case GTPv1::TYPE_TEID_CONTROL_PLANE:
+			rv->Assign(5, BuildTEID_ControlPlane(ie));
+			break;
+		case GTPv1::TYPE_NSAPI:
+			if ( second_nsapi )
+				rv->Assign(7, BuildNSAPI(ie));
+			else
+				{
+				second_nsapi = true;
+				rv->Assign(6, BuildNSAPI(ie));
+				}
+			break;
+		case GTPv1::TYPE_CHARGING_CHARACTERISTICS:
+			rv->Assign(8, BuildChargingCharacteristics(ie));
+			break;
+		case GTPv1::TYPE_TRACE_REFERENCE:
+			rv->Assign(9, BuildTraceReference(ie));
+			break;
+		case GTPv1::TYPE_TRACE_TYPE:
+			rv->Assign(10, BuildTraceType(ie));
+			break;
+		case GTPv1::TYPE_END_USER_ADDR:
+			rv->Assign(11, BuildEndUserAddr(ie));
+			break;
+		case GTPv1::TYPE_ACCESS_POINT_NAME:
+			rv->Assign(12, BuildAccessPointName(ie));
+			break;
+		case GTPv1::TYPE_PROTO_CONFIG_OPTIONS:
+			rv->Assign(13, BuildProtoConfigOptions(ie));
+			break;
+		case GTPv1::TYPE_GSN_ADDR:
+			if ( second_gsn_addr )
+				rv->Assign(15, BuildGSN_Addr(ie));
+			else
+				{
+				second_gsn_addr = true;
+				rv->Assign(14, BuildGSN_Addr(ie));
+				}
+			break;
+		case GTPv1::TYPE_MSISDN:
+			rv->Assign(16, BuildMSISDN(ie));
+			break;
+		case GTPv1::TYPE_QOS_PROFILE:
+			rv->Assign(17, BuildQoS_Profile(ie));
+			break;
+		case GTPv1::TYPE_TRAFFIC_FLOW_TEMPLATE:
+			rv->Assign(18, BuildTrafficFlowTemplate(ie));
+			break;
+		case GTPv1::TYPE_TRIGGER_ID:
+			rv->Assign(19, BuildTriggerID(ie));
+			break;
+		case GTPv1::TYPE_OMC_ID:
+			rv->Assign(20, BuildOMC_ID(ie));
+			break;
+		case GTPv1::TYPE_PRIVATE_EXT:
+			rv->Assign(21, BuildPrivateExt(ie));
+			break;
+		default:
+			a->Weird("gtp_invalid_info_element", nullptr, zeek::util::fmt("%d", (*v)[i]->type()));
+			break;
+		}
+		}
+
+	zeek::BifEvent::enqueue_gtpv1_create_pdp_ctx_request(nullptr, c, BuildGTPv1Hdr(pdu), std::move(rv));
+	}
+
+void CreatePDP_Response(const ZeekPacketAnalyzer& a, zeek::Connection* c, const GTPv1_Header* pdu)
+	{
+	if ( ! ::gtpv1_create_pdp_ctx_response )
+	    return;
+
+	auto rv = zeek::make_intrusive<zeek::RecordVal>(
+	  zeek::BifType::Record::gtp_create_pdp_ctx_response_elements);
+
+	const vector<InformationElement *> * v = pdu->create_pdp_ctx_response();
+
+	bool second_gsn_addr = false;
+
+	for ( size_t i = 0; i < v->size(); ++i )
+		{
+		const InformationElement* ie = (*v)[i];
+
+		switch ( ie->type() ) {
+		case GTPv1::TYPE_CAUSE:
+			rv->Assign(0, BuildCause(ie));
+			break;
+		case GTPv1::TYPE_REORDER_REQ:
+			rv->Assign(1, BuildReorderReq(ie));
+			break;
+		case GTPv1::TYPE_RECOVERY:
+			rv->Assign(2, BuildRecovery(ie));
+			break;
+		case GTPv1::TYPE_TEID1:
+			rv->Assign(3, BuildTEID1(ie));
+			break;
+		case GTPv1::TYPE_TEID_CONTROL_PLANE:
+			rv->Assign(4, BuildTEID_ControlPlane(ie));
+			break;
+		case GTPv1::TYPE_CHARGING_ID:
+			rv->Assign(5, BuildChargingID(ie));
+			break;
+		case GTPv1::TYPE_END_USER_ADDR:
+			rv->Assign(6, BuildEndUserAddr(ie));
+			break;
+		case GTPv1::TYPE_PROTO_CONFIG_OPTIONS:
+			rv->Assign(7, BuildProtoConfigOptions(ie));
+			break;
+		case GTPv1::TYPE_GSN_ADDR:
+			if ( second_gsn_addr )
+				rv->Assign(9, BuildGSN_Addr(ie));
+			else
+				{
+				second_gsn_addr = true;
+				rv->Assign(8, BuildGSN_Addr(ie));
+				}
+			break;
+		case GTPv1::TYPE_QOS_PROFILE:
+			rv->Assign(10, BuildQoS_Profile(ie));
+			break;
+		case GTPv1::TYPE_CHARGING_GATEWAY_ADDR:
+			rv->Assign(11, BuildChargingGatewayAddr(ie));
+			break;
+		case GTPv1::TYPE_PRIVATE_EXT:
+			rv->Assign(12, BuildPrivateExt(ie));
+			break;
+		default:
+			a->Weird("gtp_invalid_info_element", nullptr, zeek::util::fmt("%d", (*v)[i]->type()));
+			break;
+		}
+		}
+
+	zeek::BifEvent::enqueue_gtpv1_create_pdp_ctx_response(nullptr, c, BuildGTPv1Hdr(pdu), std::move(rv));
+	}
+
+void UpdatePDP_Request(const ZeekPacketAnalyzer& a, zeek::Connection* c, const GTPv1_Header* pdu)
+	{
+	if ( ! ::gtpv1_update_pdp_ctx_request )
+	    return;
+
+	auto rv = zeek::make_intrusive<zeek::RecordVal>(
+	  zeek::BifType::Record::gtp_update_pdp_ctx_request_elements);
+
+	const vector<InformationElement *> * v = pdu->update_pdp_ctx_request();
+
+	bool second_gsn_addr = false;
+
+	for ( size_t i = 0; i < v->size(); ++i )
+		{
+		const InformationElement* ie = (*v)[i];
+
+		switch ( ie->type() ) {
+		case GTPv1::TYPE_IMSI:
+			rv->Assign(0, BuildIMSI(ie));
+			break;
+		case GTPv1::TYPE_RAI:
+			rv->Assign(1, BuildRAI(ie));
+			break;
+		case GTPv1::TYPE_RECOVERY:
+			rv->Assign(2, BuildRecovery(ie));
+			break;
+		case GTPv1::TYPE_TEID1:
+			rv->Assign(3, BuildTEID1(ie));
+			break;
+		case GTPv1::TYPE_TEID_CONTROL_PLANE:
+			rv->Assign(4, BuildTEID_ControlPlane(ie));
+			break;
+		case GTPv1::TYPE_NSAPI:
+			rv->Assign(5, BuildNSAPI(ie));
+			break;
+		case GTPv1::TYPE_TRACE_REFERENCE:
+			rv->Assign(6, BuildTraceReference(ie));
+			break;
+		case GTPv1::TYPE_TRACE_TYPE:
+			rv->Assign(7, BuildTraceType(ie));
+			break;
+		case GTPv1::TYPE_GSN_ADDR:
+			if ( second_gsn_addr )
+				rv->Assign(9, BuildGSN_Addr(ie));
+			else
+				{
+				second_gsn_addr = true;
+				rv->Assign(8, BuildGSN_Addr(ie));
+				}
+			break;
+		case GTPv1::TYPE_QOS_PROFILE:
+			rv->Assign(10, BuildQoS_Profile(ie));
+			break;
+		case GTPv1::TYPE_TRAFFIC_FLOW_TEMPLATE:
+			rv->Assign(11, BuildTrafficFlowTemplate(ie));
+			break;
+		case GTPv1::TYPE_TRIGGER_ID:
+			rv->Assign(12, BuildTriggerID(ie));
+			break;
+		case GTPv1::TYPE_OMC_ID:
+			rv->Assign(13, BuildOMC_ID(ie));
+			break;
+		case GTPv1::TYPE_PRIVATE_EXT:
+			rv->Assign(14, BuildPrivateExt(ie));
+			break;
+		case GTPv1::TYPE_END_USER_ADDR:
+			rv->Assign(15, BuildEndUserAddr(ie));
+			break;
+		default:
+			a->Weird("gtp_invalid_info_element", nullptr, zeek::util::fmt("%d", (*v)[i]->type()));
+			break;
+		}
+		}
+
+	zeek::BifEvent::enqueue_gtpv1_update_pdp_ctx_request(nullptr, c, BuildGTPv1Hdr(pdu), std::move(rv));
+	}
+
+void UpdatePDP_Response(const ZeekPacketAnalyzer& a, zeek::Connection* c, const GTPv1_Header* pdu)
+	{
+	if ( ! ::gtpv1_update_pdp_ctx_response )
+	    return;
+
+	auto rv = zeek::make_intrusive<zeek::RecordVal>(
+	  zeek::BifType::Record::gtp_update_pdp_ctx_response_elements);
+
+	const vector<InformationElement *> * v = pdu->update_pdp_ctx_response();
+
+	bool second_gsn_addr = false;
+
+	for ( size_t i = 0; i < v->size(); ++i )
+		{
+		const InformationElement* ie = (*v)[i];
+
+		switch ( ie->type() ) {
+		case GTPv1::TYPE_CAUSE:
+			rv->Assign(0, BuildCause(ie));
+			break;
+		case GTPv1::TYPE_RECOVERY:
+			rv->Assign(1, BuildRecovery(ie));
+			break;
+		case GTPv1::TYPE_TEID1:
+			rv->Assign(2, BuildTEID1(ie));
+			break;
+		case GTPv1::TYPE_TEID_CONTROL_PLANE:
+			rv->Assign(3, BuildTEID_ControlPlane(ie));
+			break;
+		case GTPv1::TYPE_CHARGING_ID:
+			rv->Assign(4, BuildChargingID(ie));
+			break;
+		case GTPv1::TYPE_GSN_ADDR:
+			if ( second_gsn_addr )
+				rv->Assign(6, BuildGSN_Addr(ie));
+			else
+				{
+				second_gsn_addr = true;
+				rv->Assign(5, BuildGSN_Addr(ie));
+				}
+			break;
+		case GTPv1::TYPE_QOS_PROFILE:
+			rv->Assign(7, BuildQoS_Profile(ie));
+			break;
+		case GTPv1::TYPE_CHARGING_GATEWAY_ADDR:
+			rv->Assign(8, BuildChargingGatewayAddr(ie));
+			break;
+		case GTPv1::TYPE_PRIVATE_EXT:
+			rv->Assign(9, BuildPrivateExt(ie));
+			break;
+		default:
+			a->Weird("gtp_invalid_info_element", nullptr, zeek::util::fmt("%d", (*v)[i]->type()));
+			break;
+		}
+		}
+
+	zeek::BifEvent::enqueue_gtpv1_update_pdp_ctx_response(nullptr, c, BuildGTPv1Hdr(pdu), std::move(rv));
+	}
+
+void DeletePDP_Request(const ZeekPacketAnalyzer& a, zeek::Connection* c, const GTPv1_Header* pdu)
+	{
+	if ( ! ::gtpv1_delete_pdp_ctx_request )
+	    return;
+
+	auto rv = zeek::make_intrusive<zeek::RecordVal>(
+	  zeek::BifType::Record::gtp_delete_pdp_ctx_request_elements);
+
+	const vector<InformationElement *> * v = pdu->delete_pdp_ctx_request();
+
+	for ( size_t i = 0; i < v->size(); ++i )
+		{
+		const InformationElement* ie = (*v)[i];
+
+		switch ( ie->type() ) {
+		case GTPv1::TYPE_TEARDOWN_IND:
+			rv->Assign(0, BuildTeardownInd(ie));
+			break;
+		case GTPv1::TYPE_NSAPI:
+			rv->Assign(1, BuildNSAPI(ie));
+			break;
+		case GTPv1::TYPE_PRIVATE_EXT:
+			rv->Assign(2, BuildPrivateExt(ie));
+			break;
+		default:
+			a->Weird("gtp_invalid_info_element", nullptr, zeek::util::fmt("%d", (*v)[i]->type()));
+			break;
+		}
+		}
+
+	zeek::BifEvent::enqueue_gtpv1_delete_pdp_ctx_request(nullptr, c, BuildGTPv1Hdr(pdu), std::move(rv));
+	}
+
+void DeletePDP_Response(const ZeekPacketAnalyzer& a, zeek::Connection* c, const GTPv1_Header* pdu)
+	{
+	if ( ! ::gtpv1_delete_pdp_ctx_response )
+	    return;
+
+	auto rv = zeek::make_intrusive<zeek::RecordVal>(
+	  zeek::BifType::Record::gtp_delete_pdp_ctx_response_elements);
+
+	const vector<InformationElement *> * v = pdu->delete_pdp_ctx_response();
+
+	for ( size_t i = 0; i < v->size(); ++i )
+		{
+		const InformationElement* ie = (*v)[i];
+
+		switch ( ie->type() ) {
+		case GTPv1::TYPE_CAUSE:
+			rv->Assign(0, BuildCause(ie));
+			break;
+		case GTPv1::TYPE_PRIVATE_EXT:
+			rv->Assign(1, BuildPrivateExt(ie));
+			break;
+		default:
+			a->Weird("gtp_invalid_info_element", nullptr, zeek::util::fmt("%d", (*v)[i]->type()));
+			break;
+		}
+		}
+
+	zeek::BifEvent::enqueue_gtpv1_delete_pdp_ctx_response(nullptr, c, BuildGTPv1Hdr(pdu), std::move(rv));
+	}
+%}
+
+connection GTPv1_Conn(zeek_analyzer: ZeekPacketAnalyzer)
+	{
+	upflow = GTPv1_Flow(true);
+	downflow = GTPv1_Flow(false);
+
+	%member{
+		bool valid_orig;
+		bool valid_resp;
+		ZeekPacket* packet;
+	%}
+
+	%init{
+		valid_orig = valid_resp = false;
+	%}
+
+	function valid(orig: bool): bool
+		%{
+		return orig ? valid_orig : valid_resp;
+		%}
+
+	function set_valid(orig: bool, val: bool): void
+		%{
+		if ( orig )
+			valid_orig = val;
+		else
+			valid_resp = val;
+		%}
+
+	function set_raw_packet(p: ZeekPacket): void
+		%{
+		packet = p;
+		%}
+
+	function get_raw_packet(): ZeekPacket
+		%{
+		return packet;
+		%}
+	}
+
+flow GTPv1_Flow(is_orig: bool)
+	{
+	datagram = GTPv1_Header withcontext(connection, this);
+
+	function violate(r: string, pdu: GTPv1_Header): void
+		%{
+		ZeekPacketAnalyzer a = connection()->zeek_analyzer();
+		ZeekPacket* p = connection()->get_raw_packet();
+		a->AnalyzerViolation(r.c_str(), p->session);
+		%}
+
+	function process_gtpv1(pdu: GTPv1_Header): bool
+		%{
+		ZeekPacketAnalyzer a = connection()->zeek_analyzer();
+		ZeekPacket* p = connection()->get_raw_packet();
+		zeek::Connection* c = static_cast<zeek::Connection*>(p->session);
+		const std::shared_ptr<zeek::EncapsulationStack> e = p->encap;
+
+		connection()->set_valid(is_orig(), false);
+
+		if ( e && e->Depth() >= zeek::BifConst::Tunnel::max_depth )
+			{
+			a->Weird("tunnel_depth");
+			return false;
+			}
+
+		if ( e && e->LastType() == BifEnum::Tunnel::GTPv1 )
+			{
+			// GTP is never tunneled in GTP so, this must be a regular packet
+			violate("GTP-in-GTP", pdu);
+			return false;
+			}
+
+		if ( ${pdu.version} != 1 )
+			{
+			// Only know of GTPv1 with Version == 1
+			violate("GTPv1 bad Version", pdu);
+			return false;
+			}
+
+		if ( ! ${pdu.pt_flag} )
+			{
+			// Not interested in GTP
+			return false;
+			}
+
+		if ( ::gtpv1_message )
+			zeek::BifEvent::enqueue_gtpv1_message(nullptr, c, BuildGTPv1Hdr(pdu));
+
+		switch ( ${pdu.msg_type} ) {
+		case 16:
+			CreatePDP_Request(a, c, pdu);
+			return true;
+		case 17:
+			CreatePDP_Response(a, c, pdu);
+			return true;
+		case 18:
+			UpdatePDP_Request(a, c, pdu);
+			return true;
+		case 19:
+			UpdatePDP_Response(a, c, pdu);
+			return true;
+		case 20:
+			DeletePDP_Request(a, c, pdu);
+			return true;
+		case 21:
+			DeletePDP_Response(a, c, pdu);
+			return true;
+		case 255:
+			return process_g_pdu(pdu);
+		default:
+			return false;
+		}
+
+		return false;
+		%}
+
+	function process_g_pdu(pdu: GTPv1_Header): bool
+		%{
+		ZeekPacketAnalyzer a = connection()->zeek_analyzer();
+		ZeekPacket* p = connection()->get_raw_packet();
+		zeek::Connection* c = static_cast<zeek::Connection*>(p->session);
+
+		if ( ${pdu.packet}.length() < (int)sizeof(struct ip) )
+			{
+			violate("Truncated GTPv1", pdu);
+			return false;
+			}
+
+		const struct ip* ip = (const struct ip*) ${pdu.packet}.data();
+
+		if ( ip->ip_v != 4 && ip->ip_v != 6 )
+			{
+			violate("non-IP packet in GTPv1", pdu);
+			return false;
+			}
+
+		int hdr_len = 8;
+
+		if ( pdu->has_opt() )
+			hdr_len += 4;
+
+		if ( pdu->e_flag() && pdu->ext_hdrs() )
+			for ( const auto& eh : *pdu->ext_hdrs() )
+				hdr_len += 2 + eh->contents().length();
+
+		auto next_hdr = ip->ip_v == 6 ? IPPROTO_IPV6 : IPPROTO_IPV4;
+		zeek::RecordValPtr hdr_val;
+
+		if ( ::gtpv1_g_pdu_packet )
+			hdr_val = BuildGTPv1Hdr(pdu);
+
+		static_cast<zeek::packet_analysis::gtpv1::GTPv1_Analyzer*>(a)->SetInnerInfo(
+			hdr_len, next_hdr, std::move(hdr_val));
+
+		return true;
+		%}
+	};
+
+refine typeattr GTPv1_Header += &let { proc_gtpv1 = $context.flow.process_gtpv1(this); };
diff --git a/src/packet_analysis/protocol/gtpv1/gtpv1-protocol.pac b/src/packet_analysis/protocol/gtpv1/gtpv1-protocol.pac
new file mode 100644
index 0000000000..0a87665fd2
--- /dev/null
+++ b/src/packet_analysis/protocol/gtpv1/gtpv1-protocol.pac
@@ -0,0 +1,496 @@
+
+type GTPv1_Header = record {
+	flags:     uint8;
+	msg_type:  uint8;
+	length:    uint16;
+	teid:      uint32;
+
+	opt:       case has_opt of {
+		true  -> opt_hdr: GTPv1_Opt_Header;
+		false -> no_opt:  empty;
+	};
+
+	ext:       case e_flag of {
+		true  -> ext_hdrs: GTPv1_Ext_Header[] &until($element.next_type == 0);
+		false -> no_ext:   empty;
+	};
+
+	msg:       case msg_type of {
+		16      -> create_pdp_ctx_request:  InformationElement[];
+		17      -> create_pdp_ctx_response: InformationElement[];
+		18      -> update_pdp_ctx_request:  InformationElement[];
+		19      -> update_pdp_ctx_response: InformationElement[];
+		20      -> delete_pdp_ctx_request:  InformationElement[];
+		21      -> delete_pdp_ctx_response: InformationElement[];
+		255     -> packet:  bytestring &restofdata;
+		default -> unknown: bytestring &restofdata;
+	};
+
+} &let {
+	version:  uint8 = (flags & 0xE0) >> 5;
+	pt_flag:  bool  = flags & 0x10;
+	rsv:      bool  = flags & 0x08;
+	e_flag:   bool  = flags & 0x04;
+	s_flag:   bool  = flags & 0x02;
+	pn_flag:  bool  = flags & 0x01;
+	has_opt:  bool  = flags & 0x07;
+} &byteorder = bigendian, &exportsourcedata;
+
+type GTPv1_Opt_Header = record {
+	seq:       uint16;
+	n_pdu:     uint8;
+	next_type: uint8;
+};
+
+type GTPv1_Ext_Header = record {
+	length:    uint8;
+	contents:  bytestring &length=(length * 4 - 2);
+	next_type: uint8;
+};
+
+enum InfoElementType {
+	TYPE_CAUSE                       = 1,
+	TYPE_IMSI                        = 2,
+	TYPE_RAI                         = 3,
+	TYPE_TLLI                        = 4,
+	TYPE_P_TMSI                      = 5,
+	TYPE_REORDER_REQ                 = 8,
+	TYPE_AUTHN_TRIPLET               = 9,
+	TYPE_MAP_CAUSE                   = 11,
+	TYPE_P_TMSI_SIG                  = 12,
+	TYPE_MS_VALID                    = 13,
+	TYPE_RECOVERY                    = 14,
+	TYPE_SELECTION_MODE              = 15,
+	TYPE_TEID1                       = 16,
+	TYPE_TEID_CONTROL_PLANE          = 17,
+	TYPE_TEID2                       = 18,
+	TYPE_TEARDOWN_IND                = 19,
+	TYPE_NSAPI                       = 20,
+	TYPE_RANAP_CAUSE                 = 21,
+	TYPE_RAB_CTX                     = 22,
+	TYPE_RADIO_PRIORITY_SMS          = 23,
+	TYPE_RADIO_PRIORITY              = 24,
+	TYPE_PACKET_FLOW_ID              = 25,
+	TYPE_CHARGING_CHARACTERISTICS    = 26,
+	TYPE_TRACE_REFERENCE             = 27,
+	TYPE_TRACE_TYPE                  = 28,
+	TYPE_MS_NOT_REACHABLE_REASON     = 29,
+	TYPE_CHARGING_ID                 = 127,
+	TYPE_END_USER_ADDR               = 128,
+	TYPE_MM_CTX                      = 129,
+	TYPE_PDP_CTX                     = 130,
+	TYPE_ACCESS_POINT_NAME           = 131,
+	TYPE_PROTO_CONFIG_OPTIONS        = 132,
+	TYPE_GSN_ADDR                    = 133,
+	TYPE_MSISDN                      = 134,
+	TYPE_QOS_PROFILE                 = 135,
+	TYPE_AUTHN_QUINTUPLET            = 136,
+	TYPE_TRAFFIC_FLOW_TEMPLATE       = 137,
+	TYPE_TARGET_ID                   = 138,
+	TYPE_UTRAN_TRANSPARENT_CONTAINER = 139,
+	TYPE_RAB_SETUP_INFO              = 140,
+	TYPE_EXT_HEADER_TYPE_LIST        = 141,
+	TYPE_TRIGGER_ID                  = 142,
+	TYPE_OMC_ID                      = 143,
+	TYPE_CHARGING_GATEWAY_ADDR       = 251,
+	TYPE_PRIVATE_EXT                 = 255,
+};
+
+type InformationElement = record {
+	type: uint8;
+
+	len: case is_tlv of {
+		true  -> tlv_len: uint16;
+		false -> no_len:  empty;
+	};
+
+	value: case type of {
+		TYPE_CAUSE -> cause: Cause;
+		TYPE_IMSI -> imsi: IMSI;
+		TYPE_RAI -> rai: RAI;
+		TYPE_TLLI -> tlli: TLLI;
+		TYPE_P_TMSI -> p_tmsi: P_TMSI;
+		TYPE_REORDER_REQ -> reorder_req: ReorderReq;
+		TYPE_AUTHN_TRIPLET -> authn_triplet: AuthN_Triplet;
+		TYPE_MAP_CAUSE -> map_cause: MAP_Cause;
+		TYPE_P_TMSI_SIG -> p_tmsi_sig: P_TMSI_Sig;
+		TYPE_MS_VALID -> ms_valid: MS_Valid;
+		TYPE_RECOVERY -> recovery: Recovery;
+		TYPE_SELECTION_MODE -> selection_mode: SelectionMode;
+		TYPE_TEID1 -> teid1: TEID1;
+		TYPE_TEID_CONTROL_PLANE -> teidcp: TEID_ControlPlane;
+		TYPE_TEID2 -> teid2: TEID2;
+		TYPE_TEARDOWN_IND -> teardown_ind: TeardownInd;
+		TYPE_NSAPI -> nsapi: NSAPI;
+		TYPE_RANAP_CAUSE -> ranap_cause: RANAP_Cause;
+		TYPE_RAB_CTX -> rab_ctx: RAB_Ctx;
+		TYPE_RADIO_PRIORITY_SMS -> radio_priority_sms: RadioPrioritySMS;
+		TYPE_RADIO_PRIORITY -> radio_priority: RadioPriority;
+		TYPE_PACKET_FLOW_ID -> packet_flow_id: PacketFlowID;
+		TYPE_CHARGING_CHARACTERISTICS -> charging_characteristics: ChargingCharacteristics;
+		TYPE_TRACE_REFERENCE -> trace_reference: TraceReference;
+		TYPE_TRACE_TYPE -> trace_type: TraceType;
+		TYPE_MS_NOT_REACHABLE_REASON -> ms_not_reachable_reason: MS_Not_Reachable_Reason;
+		TYPE_CHARGING_ID -> charging_id: ChargingID;
+		TYPE_END_USER_ADDR -> end_user_addr: EndUserAddr(length);
+		TYPE_MM_CTX -> mm_ctx: MM_Ctx(length);
+		TYPE_PDP_CTX -> pdp_ctx: PDP_Ctx(length);
+		TYPE_ACCESS_POINT_NAME -> ap_name: AP_Name(length);
+		TYPE_PROTO_CONFIG_OPTIONS -> proto_config_opts: ProtoConfigOpts(length);
+		TYPE_GSN_ADDR -> gsn_addr: GSN_Addr(length);
+		TYPE_MSISDN -> msisdn: MSISDN(length);
+		TYPE_QOS_PROFILE -> qos_profile: QoS_Profile(length);
+		TYPE_AUTHN_QUINTUPLET -> authn_quintuplet: AuthN_Quintuplet(length);
+		TYPE_TRAFFIC_FLOW_TEMPLATE -> traffic_flow_template: TrafficFlowTemplate(length);
+		TYPE_TARGET_ID -> target_id: TargetID(length);
+		TYPE_UTRAN_TRANSPARENT_CONTAINER -> utran_transparent_container: UTRAN_TransparentContainer(length);
+		TYPE_RAB_SETUP_INFO -> rab_setup_info: RAB_SetupInfo(length);
+		TYPE_EXT_HEADER_TYPE_LIST -> ext_hdr_type_list: ExtHdrTypeList(length);
+		TYPE_TRIGGER_ID -> trigger_id: TriggerID(length);
+		TYPE_OMC_ID -> omc_id: OMC_ID(length);
+		TYPE_CHARGING_GATEWAY_ADDR -> charging_gateway_addr: ChargingGatewayAddr(length);
+		TYPE_PRIVATE_EXT -> private_ext: PrivateExt(length);
+		default -> unknown: bytestring &length=length;
+	} &requires(length);
+
+} &let {
+	is_tlv: bool = (type & 0x80);
+	length: uint16 = is_tlv ? tlv_len : Get_IE_Len(type);
+};
+
+type Cause = record {
+	value: uint8;
+};
+
+function decode_imsi(v: uint8[8]): uint64
+	%{
+	uint64 rval = 0;
+	uint8 digits[16];
+	for ( size_t i = 0; i < v->size(); ++i )
+		{
+		digits[2 * i + 1] = ((*v)[i] & 0xf0) >> 4;
+		digits[2 * i] = (*v)[i] & 0x0f;
+		}
+	int power = 0;
+	for ( int i = 15; i >= 0; --i )
+		{
+		if ( digits[i] == 0x0f ) continue;
+		rval += digits[i] * pow(10, power);
+		++power;
+		}
+	return rval;
+	%}
+
+type IMSI = record {
+	tbcd_encoded_value: uint8[8];
+} &let {
+	value: uint64 = decode_imsi(tbcd_encoded_value);
+};
+
+type RAI = record {
+	mcc2_mcc1: uint8;
+	mnc3_mcc3: uint8;
+	mnc2_mnc1: uint8;
+	lac: uint16;
+	rac: uint8;
+} &let {
+	mcc1: uint8 = (mcc2_mcc1 & 0x0f);
+	mcc2: uint8 = ((mcc2_mcc1 & 0xf0)>>4);
+	mcc3: uint8 = (mnc3_mcc3 & 0x0f);
+	mcc: uint16 = mcc1 * 100 + mcc2 * 10 + mcc3;
+	mnc1: uint8 = (mnc2_mnc1 & 0x0f);
+	mnc2: uint8 = ((mnc2_mnc1 & 0xf0)>>4);
+	mnc3: uint8 = (mnc3_mcc3 & 0xf0)>>4;
+	mnc: uint16 = (mnc3 & 0x0f) ? mnc1 * 10 + mnc2 : mnc1 * 100 + mnc2 * 10 + mnc3;
+};
+
+type TLLI = record {
+	value: uint32;
+};
+
+type P_TMSI = record {
+	value: uint32;
+};
+
+type ReorderReq = record {
+	value: uint8;
+} &let {
+	req: bool = value & 0x01;
+};
+
+type AuthN_Triplet = record {
+	rand: bytestring &length=16;
+	sres: uint32;
+	kc: uint64;
+};
+
+type MAP_Cause = record {
+	value: uint8;
+};
+
+type P_TMSI_Sig = record {
+	value: bytestring &length=3;
+};
+
+type MS_Valid = record {
+	value: uint8;
+};
+
+type Recovery = record {
+	restart_counter: uint8;
+};
+
+type SelectionMode = record {
+	value: uint8;
+} &let {
+	mode: uint8 = value & 0x01;
+};
+
+type TEID1 = record {
+	value: uint32;
+};
+
+type TEID_ControlPlane = record {
+	value: uint32;
+};
+
+type TEID2 = record {
+	spare_nsapi: uint8;
+	teid2: uint32;
+};
+
+type TeardownInd = record {
+	value: uint8;
+} &let {
+	ind: bool = value & 0x01;
+};
+
+type NSAPI = record {
+	xxxx_nsapi: uint8;
+} &let {
+	nsapi: uint8 = xxxx_nsapi & 0x0f;
+};
+
+type RANAP_Cause = record {
+	value: uint8;
+};
+
+type RAB_Ctx = record {
+	spare_nsapi: uint8;
+	dl_gtpu_seq_num: uint16;
+	ul_gtpu_seq_num: uint16;
+	dl_pdcp_seq_num: uint16;
+	ul_pdcp_seq_num: uint16;
+};
+
+type RadioPrioritySMS = record {
+	value: uint8;
+};
+
+type RadioPriority = record {
+	nsapi_radio_priority: uint8;
+};
+
+type PacketFlowID = record {
+	rsv_nsapi: uint8;
+	packet_flow_id: uint8;
+};
+
+type ChargingCharacteristics = record {
+	value: uint16;
+};
+
+type TraceReference = record {
+	value: uint16;
+};
+
+type TraceType = record {
+	value: uint16;
+};
+
+type MS_Not_Reachable_Reason = record {
+	value: uint8;
+};
+
+type ChargingID = record {
+	value: uint32;
+};
+
+type EndUserAddr(n: uint16) = record {
+	spare_pdp_type_org: uint8;
+	pdp_type_num: uint8;
+	pdp_addr: bytestring &length=(n-2);
+} &let {
+	pdp_type_org: uint8 = spare_pdp_type_org & 0x0f;
+};
+
+type MM_Ctx(n: uint16) = record {
+	spare_cksn_ksi: uint8;
+	security_params: uint8;
+
+	keys: case gsm_keys of {
+		true  -> kc: uint64;
+		false -> ck_ik: bytestring &length=32;
+	};
+
+	vector_len: case have_triplets of {
+		true  -> no_quint_len: empty;
+		false -> quint_len: uint16;
+	};
+
+	vectors: case have_triplets of {
+		true  -> triplets: AuthN_Triplet[num_vectors];
+		false -> quintuplets: AuthN_Quintuplet(quint_len)[num_vectors];
+	} &requires(num_vectors);
+
+	drx_param: uint16;
+	ms_net_capability_len: uint8;
+	ms_net_capability: bytestring &length=ms_net_capability_len;
+	container_len: uint16;
+	container: bytestring &length=container_len;
+
+} &let {
+	security_mode: uint8 = security_params >> 6;
+	gsm_keys: bool = security_mode & 0x01;
+	have_triplets: bool = (security_mode == 1);
+	num_vectors: uint8 = (security_params & 0x38) >> 3;
+};
+
+type PDP_Ctx(n: uint16) = record {
+	rsv_nsapi:	uint8;
+	xxxx_sapi: uint8;
+	qos_sub_len: uint8;
+	qos_sub: QoS_Profile(qos_sub_len);
+	qos_req_len: uint8;
+	qos_req: QoS_Profile(qos_req_len);
+	qos_neg_len: uint8;
+	qos_neg: QoS_Profile(qos_neg_len);
+	snd: uint16;
+	snu: uint16;
+	send_npdu_num: uint8;
+	recv_npdu_num: uint8;
+	ul_teid_cp: TEID_ControlPlane;
+	ul_teid_data1: TEID1;
+	pdp_ctx_id: uint8;
+	spare_pdp_type_org: uint8;
+	pdp_type_num: uint8;
+	pdp_addr_len: uint8;
+	pdp_addr: bytestring &length=pdp_addr_len;
+	ggsn_addr_control_plane_len: uint8;
+	ggsn_addr_control_plane: bytestring &length=ggsn_addr_control_plane_len;
+	ggsn_addr_user_traffic_len: uint8;
+	ggsn_addr_user_traffic: bytestring &length=ggsn_addr_user_traffic_len;
+	apn_len: uint8;
+	apn: AP_Name(apn_len);
+	spare_transaction_id: uint8;
+	transaction_id: uint8;
+};
+
+type AP_Name(n: uint16) = record {
+	value: bytestring &length=n;
+};
+
+type ProtoConfigOpts(n: uint16) = record {
+	value: bytestring &length=n;
+};
+
+type GSN_Addr(n: uint16) = record {
+	value: bytestring &length=n;
+};
+
+type MSISDN(n: uint16) = record {
+	value: bytestring &length=n;
+};
+
+type QoS_Profile(n: uint16) = record {
+	alloc_retention_priority: uint8;
+	data: bytestring &length=n-1;
+};
+
+type AuthN_Quintuplet(n: uint16) = record {
+	rand: bytestring &length=16;
+	xres_len: uint8;
+	xres: bytestring &length=xres_len;
+	ck: bytestring &length=16;
+	ik: bytestring &length=16;
+	autn_len: uint8;
+	autn: bytestring &length=autn_len;
+};
+
+type TrafficFlowTemplate(n: uint16) = record {
+	value: bytestring &length=n;
+};
+
+type TargetID(n: uint16) = record {
+	value: bytestring &length=n;
+};
+
+type UTRAN_TransparentContainer(n: uint16) = record {
+	value: bytestring &length=n;
+};
+
+type RAB_SetupInfo(n: uint16) = record {
+	xxxx_nsapi: uint8;
+
+	have_teid: case n of {
+		1 -> no_teid: empty;
+		default -> teid: TEID1;
+	};
+
+	have_addr: case n of {
+		1 -> no_addr: empty;
+		default -> rnc_addr: bytestring &length=n-5;
+	};
+};
+
+type ExtHdrTypeList(n: uint16) = record {
+	value: uint8[n];
+};
+
+type TriggerID(n: uint16) = record {
+	value: bytestring &length=n;
+};
+
+type OMC_ID(n: uint16) = record {
+	value: bytestring &length=n;
+};
+
+type ChargingGatewayAddr(n: uint16) = record {
+	value: bytestring &length=n;
+};
+
+type PrivateExt(n: uint16) = record {
+	id: uint16;
+	value: bytestring &length=n-2;
+};
+
+function Get_IE_Len(t: uint8): uint16 =
+	case t of {
+	TYPE_CAUSE -> 1;
+	TYPE_IMSI -> 8;
+	TYPE_RAI -> 6;
+	TYPE_TLLI -> 4;
+	TYPE_P_TMSI -> 4;
+	TYPE_REORDER_REQ -> 1;
+	TYPE_AUTHN_TRIPLET -> 28;
+	TYPE_MAP_CAUSE -> 1;
+	TYPE_P_TMSI_SIG -> 3;
+	TYPE_MS_VALID -> 1;
+	TYPE_RECOVERY -> 1;
+	TYPE_SELECTION_MODE -> 1;
+	TYPE_TEID1 -> 4;
+	TYPE_TEID_CONTROL_PLANE -> 4;
+	TYPE_TEID2 -> 5;
+	TYPE_TEARDOWN_IND -> 1;
+	TYPE_NSAPI -> 1;
+	TYPE_RANAP_CAUSE -> 1;
+	TYPE_RAB_CTX -> 9;
+	TYPE_RADIO_PRIORITY_SMS -> 1;
+	TYPE_RADIO_PRIORITY -> 1;
+	TYPE_PACKET_FLOW_ID -> 2;
+	TYPE_CHARGING_CHARACTERISTICS -> 2;
+	TYPE_TRACE_REFERENCE -> 2;
+	TYPE_TRACE_TYPE -> 2;
+	TYPE_MS_NOT_REACHABLE_REASON -> 1;
+	TYPE_CHARGING_ID -> 4;
+	};
diff --git a/src/packet_analysis/protocol/gtpv1/gtpv1.pac b/src/packet_analysis/protocol/gtpv1/gtpv1.pac
new file mode 100644
index 0000000000..acc3fdeb42
--- /dev/null
+++ b/src/packet_analysis/protocol/gtpv1/gtpv1.pac
@@ -0,0 +1,18 @@
+%include binpac.pac
+%include zeek.pac
+
+%extern{
+#include "zeek/IP.h"
+#include "zeek/TunnelEncapsulation.h"
+#include "zeek/Reporter.h"
+
+#include "zeek/packet_analysis/protocol/gtpv1/events.bif.h"
+%}
+
+analyzer GTPv1 withcontext {
+	connection:	GTPv1_Conn;
+	flow:		GTPv1_Flow;
+};
+
+%include gtpv1-protocol.pac
+%include gtpv1-analyzer.pac
diff --git a/src/zeek.pac b/src/zeek.pac
index d53a23a4a8..52d0a174f0 100644
--- a/src/zeek.pac
+++ b/src/zeek.pac
@@ -3,6 +3,7 @@
 %}
 
 extern type ZeekAnalyzer;
+extern type ZeekPacketAnalyzer;
 extern type ZeekVal;
 extern type ZeekPortVal;
 extern type ZeekStringVal;
diff --git a/testing/btest/Baseline/core.tunnels.gtp.non_recursive/out b/testing/btest/Baseline/core.tunnels.gtp.non_recursive/out
index 6555b3a123..6d38edf0cd 100644
--- a/testing/btest/Baseline/core.tunnels.gtp.non_recursive/out
+++ b/testing/btest/Baseline/core.tunnels.gtp.non_recursive/out
@@ -1,2 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-protocol_violation, [orig_h=74.125.216.149, orig_p=2152/udp, resp_h=10.131.138.69, resp_p=2152/udp], GTP-in-GTP [\x80\xe1Bc.\xe20\xebn\xd9'|\x00\x00\x01\xb6[\xf6\xdc0\xb7d\xe5\xe6\xa76\x91\xfbk\x0e\x02\xc8A\x05\xa8\xe6\xf3Gi\x80...]
+protocol_violation, [orig_h=74.125.216.149, orig_p=2152/udp, resp_h=10.131.138.69, resp_p=2152/udp], GTP-in-GTP
diff --git a/testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/dpd.log b/testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/dpd.log
index 733c3255ea..377275b772 100644
--- a/testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/dpd.log
+++ b/testing/btest/Baseline/core.tunnels.gtp.unknown_or_too_short/dpd.log
@@ -7,5 +7,5 @@
 #open XXXX-XX-XX-XX-XX-XX
 #fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	analyzer	failure_reason
 #types	time	string	addr	port	addr	port	enum	string	string
-XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	173.86.159.28	2152	213.72.147.186	2152	udp	GTPV1	Truncated GTPv1 [0\\xff\\x00\\xac\\x98\\x13\\x01LE\\x00\\x05\\xc8G\\xea@\\x00\\x80\\x06\\xb6\\x83\\x0a\\x83w&\\xd9\\x14\\x9c\\x04\\xd9\\xc2\\x00P\\xddh\\xb4\\x8f41eV...]
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	173.86.159.28	2152	213.72.147.186	2152	udp	GTPV1	Truncated GTPv1
 #close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
index 81552f328f..b53f471b1e 100644
--- a/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.bare-load-baseline/canonified_loaded_scripts.log
@@ -76,6 +76,9 @@ scripts/base/init-bare.zeek
     scripts/base/packet-protocols/teredo/__load__.zeek
       scripts/base/packet-protocols/teredo/main.zeek
         build/scripts/base/bif/plugins/Zeek_Teredo.functions.bif.zeek
+    scripts/base/packet-protocols/gtpv1/__load__.zeek
+      scripts/base/packet-protocols/gtpv1/main.zeek
+        build/scripts/base/bif/plugins/Zeek_GTPv1.functions.bif.zeek
 scripts/base/init-frameworks-and-bifs.zeek
   scripts/base/frameworks/logging/__load__.zeek
     scripts/base/frameworks/logging/main.zeek
@@ -137,7 +140,6 @@ scripts/base/init-frameworks-and-bifs.zeek
     build/scripts/base/bif/plugins/Zeek_FTP.functions.bif.zeek
     build/scripts/base/bif/plugins/Zeek_Gnutella.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_GSSAPI.events.bif.zeek
-    build/scripts/base/bif/plugins/Zeek_GTPv1.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_HTTP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_HTTP.functions.bif.zeek
     build/scripts/base/bif/plugins/Zeek_Ident.events.bif.zeek
@@ -220,6 +222,7 @@ scripts/base/init-frameworks-and-bifs.zeek
     build/scripts/base/bif/plugins/Zeek_Geneve.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_VXLAN.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_Teredo.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_GTPv1.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_FileEntropy.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_FileExtract.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_FileExtract.functions.bif.zeek
diff --git a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
index f215057ab1..38ef5af526 100644
--- a/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
+++ b/testing/btest/Baseline/coverage.default-load-baseline/canonified_loaded_scripts.log
@@ -76,6 +76,9 @@ scripts/base/init-bare.zeek
     scripts/base/packet-protocols/teredo/__load__.zeek
       scripts/base/packet-protocols/teredo/main.zeek
         build/scripts/base/bif/plugins/Zeek_Teredo.functions.bif.zeek
+    scripts/base/packet-protocols/gtpv1/__load__.zeek
+      scripts/base/packet-protocols/gtpv1/main.zeek
+        build/scripts/base/bif/plugins/Zeek_GTPv1.functions.bif.zeek
 scripts/base/init-frameworks-and-bifs.zeek
   scripts/base/frameworks/logging/__load__.zeek
     scripts/base/frameworks/logging/main.zeek
@@ -137,7 +140,6 @@ scripts/base/init-frameworks-and-bifs.zeek
     build/scripts/base/bif/plugins/Zeek_FTP.functions.bif.zeek
     build/scripts/base/bif/plugins/Zeek_Gnutella.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_GSSAPI.events.bif.zeek
-    build/scripts/base/bif/plugins/Zeek_GTPv1.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_HTTP.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_HTTP.functions.bif.zeek
     build/scripts/base/bif/plugins/Zeek_Ident.events.bif.zeek
@@ -220,6 +222,7 @@ scripts/base/init-frameworks-and-bifs.zeek
     build/scripts/base/bif/plugins/Zeek_Geneve.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_VXLAN.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_Teredo.events.bif.zeek
+    build/scripts/base/bif/plugins/Zeek_GTPv1.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_FileEntropy.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_FileExtract.events.bif.zeek
     build/scripts/base/bif/plugins/Zeek_FileExtract.functions.bif.zeek
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index d0f098c5fb..bdb7837b2e 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -14,8 +14,6 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DTLS, 443/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 21/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 2811/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_GTPV1, 2123/udp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_GTPV1, 2152/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 1080/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 3128/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 631/tcp)) -> <no result>
@@ -76,8 +74,6 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_DTLS, 443/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 21/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 2811/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_GTPV1, 2123/udp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_GTPV1, 2152/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 1080/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 3128/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 631/tcp)) -> <no result>
@@ -129,7 +125,6 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DNS, {5353<...>/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DTLS, {443/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_FTP, {2811<...>/tcp})) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_GTPV1, {2152<...>/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_HTTP, {80<...>/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_IMAP, {143/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_IRC, {6666<...>/tcp})) -> <no result>
@@ -577,10 +572,13 @@
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (udp_content_ports, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, 5072/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, 6081/udp)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1, 2123/udp)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1, 2152/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, 3544/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, 4789/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, {5072/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, {6081/udp})) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1, {2152<...>/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, {3544/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, {4789/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP)) -> <no result>
@@ -631,6 +629,8 @@
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 2123, PacketAnalyzer::ANALYZER_GTPV1)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 2152, PacketAnalyzer::ANALYZER_GTPV1)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 3544, PacketAnalyzer::ANALYZER_TEREDO)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 4789, PacketAnalyzer::ANALYZER_VXLAN)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA)) -> <no result>
@@ -646,6 +646,7 @@
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 34984, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 37120, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_protocol_detection, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_protocol_detection, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_protocol_detection, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketFilter::build, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketFilter::combine_filters, <frame>, (ip or not ip, and, )) -> <no result>
@@ -677,6 +678,8 @@
 0.000000   MetaHookPost  CallFunction(getenv, <null>, (ZEEK_DEFAULT_LISTEN_ADDRESS)) -> <no result>
 0.000000   MetaHookPost  CallFunction(global_ids, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(network_time, <frame>, ()) -> <no result>
+0.000000   MetaHookPost  CallFunction(port_to_count, <frame>, (2123/udp)) -> <no result>
+0.000000   MetaHookPost  CallFunction(port_to_count, <frame>, (2152/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(port_to_count, <frame>, (3544/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(port_to_count, <frame>, (4789/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(port_to_count, <frame>, (5072/udp)) -> <no result>
@@ -720,6 +723,7 @@
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_Finger.events.bif.zeek, <...>/Zeek_Finger.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_GSSAPI.events.bif.zeek, <...>/Zeek_GSSAPI.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_GTPv1.events.bif.zeek, <...>/Zeek_GTPv1.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, ./Zeek_GTPv1.functions.bif.zeek, <...>/Zeek_GTPv1.functions.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_Geneve.events.bif.zeek, <...>/Zeek_Geneve.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_Gnutella.events.bif.zeek, <...>/Zeek_Gnutella.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_HTTP.events.bif.zeek, <...>/Zeek_HTTP.events.bif.zeek) -> -1
@@ -922,6 +926,7 @@
 0.000000   MetaHookPost  LoadFile(0, base/init-frameworks-and-bifs.zeek, <...>/init-frameworks-and-bifs.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base/packet-protocols, <...>/packet-protocols) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/CPP-load.bif, <...>/CPP-load.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, base<...>/Zeek_GTPv1.functions.bif, <...>/Zeek_GTPv1.functions.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/Zeek_KRB.types.bif, <...>/Zeek_KRB.types.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/Zeek_SNMP.types.bif, <...>/Zeek_SNMP.types.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/Zeek_Teredo.functions.bif, <...>/Zeek_Teredo.functions.bif.zeek) -> -1
@@ -963,6 +968,7 @@
 0.000000   MetaHookPost  LoadFile(0, base<...>/geneve, <...>/geneve) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/geoip-distance, <...>/geoip-distance.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/gre, <...>/gre) -> -1
+0.000000   MetaHookPost  LoadFile(0, base<...>/gtpv1, <...>/gtpv1) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/hash, <...>/hash) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/hash_hrw, <...>/hash_hrw.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/http, <...>/http) -> -1
@@ -1094,6 +1100,7 @@
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Finger.events.bif.zeek, <...>/Zeek_Finger.events.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_GSSAPI.events.bif.zeek, <...>/Zeek_GSSAPI.events.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_GTPv1.events.bif.zeek, <...>/Zeek_GTPv1.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_GTPv1.functions.bif.zeek, <...>/Zeek_GTPv1.functions.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Geneve.events.bif.zeek, <...>/Zeek_Geneve.events.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Gnutella.events.bif.zeek, <...>/Zeek_Gnutella.events.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_HTTP.events.bif.zeek, <...>/Zeek_HTTP.events.bif.zeek) -> (-1, <no content>)
@@ -1296,6 +1303,7 @@
 0.000000   MetaHookPost  LoadFileExtended(0, base/init-frameworks-and-bifs.zeek, <...>/init-frameworks-and-bifs.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base/packet-protocols, <...>/packet-protocols) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/CPP-load.bif, <...>/CPP-load.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/Zeek_GTPv1.functions.bif, <...>/Zeek_GTPv1.functions.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/Zeek_KRB.types.bif, <...>/Zeek_KRB.types.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/Zeek_SNMP.types.bif, <...>/Zeek_SNMP.types.bif.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/Zeek_Teredo.functions.bif, <...>/Zeek_Teredo.functions.bif.zeek) -> (-1, <no content>)
@@ -1337,6 +1345,7 @@
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/geneve, <...>/geneve) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/geoip-distance, <...>/geoip-distance.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/gre, <...>/gre) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/gtpv1, <...>/gtpv1) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/hash, <...>/hash) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/hash_hrw, <...>/hash_hrw.zeek) -> (-1, <no content>)
 0.000000   MetaHookPost  LoadFileExtended(0, base<...>/http, <...>/http) -> (-1, <no content>)
@@ -1459,8 +1468,6 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DTLS, 443/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 21/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 2811/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_GTPV1, 2123/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_GTPV1, 2152/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 1080/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 3128/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 631/tcp))
@@ -1521,8 +1528,6 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_DTLS, 443/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 21/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 2811/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_GTPV1, 2123/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_GTPV1, 2152/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 1080/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 3128/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 631/tcp))
@@ -1574,7 +1579,6 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DNS, {5353<...>/tcp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DTLS, {443/udp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_FTP, {2811<...>/tcp}))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_GTPV1, {2152<...>/udp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_HTTP, {80<...>/tcp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_IMAP, {143/tcp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_IRC, {6666<...>/tcp}))
@@ -2022,10 +2026,13 @@
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (udp_content_ports, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, 5072/udp))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, 6081/udp))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1, 2123/udp))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1, 2152/udp))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, 3544/udp))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, 4789/udp))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, {5072/udp}))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, {6081/udp}))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1, {2152<...>/udp}))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, {3544/udp}))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, {4789/udp}))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP))
@@ -2076,6 +2083,8 @@
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 2123, PacketAnalyzer::ANALYZER_GTPV1))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 2152, PacketAnalyzer::ANALYZER_GTPV1))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 3544, PacketAnalyzer::ANALYZER_TEREDO))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 4789, PacketAnalyzer::ANALYZER_VXLAN))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA))
@@ -2091,6 +2100,7 @@
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 34984, PacketAnalyzer::ANALYZER_VLAN))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 37120, PacketAnalyzer::ANALYZER_VLAN))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_protocol_detection, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_protocol_detection, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_protocol_detection, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO))
 0.000000   MetaHookPre   CallFunction(PacketFilter::build, <frame>, ())
 0.000000   MetaHookPre   CallFunction(PacketFilter::combine_filters, <frame>, (ip or not ip, and, ))
@@ -2122,6 +2132,8 @@
 0.000000   MetaHookPre   CallFunction(getenv, <null>, (ZEEK_DEFAULT_LISTEN_ADDRESS))
 0.000000   MetaHookPre   CallFunction(global_ids, <frame>, ())
 0.000000   MetaHookPre   CallFunction(network_time, <frame>, ())
+0.000000   MetaHookPre   CallFunction(port_to_count, <frame>, (2123/udp))
+0.000000   MetaHookPre   CallFunction(port_to_count, <frame>, (2152/udp))
 0.000000   MetaHookPre   CallFunction(port_to_count, <frame>, (3544/udp))
 0.000000   MetaHookPre   CallFunction(port_to_count, <frame>, (4789/udp))
 0.000000   MetaHookPre   CallFunction(port_to_count, <frame>, (5072/udp))
@@ -2165,6 +2177,7 @@
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_Finger.events.bif.zeek, <...>/Zeek_Finger.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_GSSAPI.events.bif.zeek, <...>/Zeek_GSSAPI.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_GTPv1.events.bif.zeek, <...>/Zeek_GTPv1.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, ./Zeek_GTPv1.functions.bif.zeek, <...>/Zeek_GTPv1.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_Geneve.events.bif.zeek, <...>/Zeek_Geneve.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_Gnutella.events.bif.zeek, <...>/Zeek_Gnutella.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_HTTP.events.bif.zeek, <...>/Zeek_HTTP.events.bif.zeek)
@@ -2367,6 +2380,7 @@
 0.000000   MetaHookPre   LoadFile(0, base/init-frameworks-and-bifs.zeek, <...>/init-frameworks-and-bifs.zeek)
 0.000000   MetaHookPre   LoadFile(0, base/packet-protocols, <...>/packet-protocols)
 0.000000   MetaHookPre   LoadFile(0, base<...>/CPP-load.bif, <...>/CPP-load.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, base<...>/Zeek_GTPv1.functions.bif, <...>/Zeek_GTPv1.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/Zeek_KRB.types.bif, <...>/Zeek_KRB.types.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/Zeek_SNMP.types.bif, <...>/Zeek_SNMP.types.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/Zeek_Teredo.functions.bif, <...>/Zeek_Teredo.functions.bif.zeek)
@@ -2408,6 +2422,7 @@
 0.000000   MetaHookPre   LoadFile(0, base<...>/geneve, <...>/geneve)
 0.000000   MetaHookPre   LoadFile(0, base<...>/geoip-distance, <...>/geoip-distance.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/gre, <...>/gre)
+0.000000   MetaHookPre   LoadFile(0, base<...>/gtpv1, <...>/gtpv1)
 0.000000   MetaHookPre   LoadFile(0, base<...>/hash, <...>/hash)
 0.000000   MetaHookPre   LoadFile(0, base<...>/hash_hrw, <...>/hash_hrw.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/http, <...>/http)
@@ -2539,6 +2554,7 @@
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Finger.events.bif.zeek, <...>/Zeek_Finger.events.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_GSSAPI.events.bif.zeek, <...>/Zeek_GSSAPI.events.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_GTPv1.events.bif.zeek, <...>/Zeek_GTPv1.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_GTPv1.functions.bif.zeek, <...>/Zeek_GTPv1.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Geneve.events.bif.zeek, <...>/Zeek_Geneve.events.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Gnutella.events.bif.zeek, <...>/Zeek_Gnutella.events.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_HTTP.events.bif.zeek, <...>/Zeek_HTTP.events.bif.zeek)
@@ -2741,6 +2757,7 @@
 0.000000   MetaHookPre   LoadFileExtended(0, base/init-frameworks-and-bifs.zeek, <...>/init-frameworks-and-bifs.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base/packet-protocols, <...>/packet-protocols)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/CPP-load.bif, <...>/CPP-load.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/Zeek_GTPv1.functions.bif, <...>/Zeek_GTPv1.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/Zeek_KRB.types.bif, <...>/Zeek_KRB.types.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/Zeek_SNMP.types.bif, <...>/Zeek_SNMP.types.bif.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/Zeek_Teredo.functions.bif, <...>/Zeek_Teredo.functions.bif.zeek)
@@ -2782,6 +2799,7 @@
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/geneve, <...>/geneve)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/geoip-distance, <...>/geoip-distance.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/gre, <...>/gre)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/gtpv1, <...>/gtpv1)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/hash, <...>/hash)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/hash_hrw, <...>/hash_hrw.zeek)
 0.000000   MetaHookPre   LoadFileExtended(0, base<...>/http, <...>/http)
@@ -2904,8 +2922,6 @@
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DTLS, 443/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_FTP, 21/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_FTP, 2811/tcp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_GTPV1, 2123/udp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_GTPV1, 2152/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_HTTP, 1080/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_HTTP, 3128/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_HTTP, 631/tcp)
@@ -2966,8 +2982,6 @@
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DTLS, 443/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_FTP, 21/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_FTP, 2811/tcp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_GTPV1, 2123/udp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_GTPV1, 2152/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 1080/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 3128/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 631/tcp)
@@ -3019,7 +3033,6 @@
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DNS, {5353<...>/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DTLS, {443/udp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_FTP, {2811<...>/tcp})
-0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_GTPV1, {2152<...>/udp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, {80<...>/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_IMAP, {143/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_IRC, {6666<...>/tcp})
@@ -3466,10 +3479,13 @@
 0.000000 | HookCallFunction Option::set_change_handler(udp_content_ports, Config::config_option_changed{ Config::log = Config::Info($ts=network_time(), $id=Config::ID, $old_value=Config::format_value(lookup_ID(Config::ID)), $new_value=Config::format_value(Config::new_value))if ( != Config::location) Config::log$location = Config::locationLog::write(Config::LOG, to_any_coerceConfig::log)return (Config::new_value)}, -100)
 0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, 5072/udp)
 0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, 6081/udp)
+0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1, 2123/udp)
+0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1, 2152/udp)
 0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, 3544/udp)
 0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, 4789/udp)
 0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, {5072/udp})
 0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, {6081/udp})
+0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1, {2152<...>/udp})
 0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, {3544/udp})
 0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, {4789/udp})
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP)
@@ -3520,6 +3536,8 @@
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 2123, PacketAnalyzer::ANALYZER_GTPV1)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 2152, PacketAnalyzer::ANALYZER_GTPV1)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 3544, PacketAnalyzer::ANALYZER_TEREDO)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 4789, PacketAnalyzer::ANALYZER_VXLAN)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA)
@@ -3535,6 +3553,7 @@
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VNTAG, 34984, PacketAnalyzer::ANALYZER_VLAN)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VNTAG, 37120, PacketAnalyzer::ANALYZER_VLAN)
 0.000000 | HookCallFunction PacketAnalyzer::register_protocol_detection(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA)
+0.000000 | HookCallFunction PacketAnalyzer::register_protocol_detection(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1)
 0.000000 | HookCallFunction PacketAnalyzer::register_protocol_detection(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO)
 0.000000 | HookCallFunction PacketFilter::build()
 0.000000 | HookCallFunction PacketFilter::combine_filters(ip or not ip, and, )
@@ -3566,6 +3585,8 @@
 0.000000 | HookCallFunction getenv(ZEEK_DEFAULT_LISTEN_ADDRESS)
 0.000000 | HookCallFunction global_ids()
 0.000000 | HookCallFunction network_time()
+0.000000 | HookCallFunction port_to_count(2123/udp)
+0.000000 | HookCallFunction port_to_count(2152/udp)
 0.000000 | HookCallFunction port_to_count(3544/udp)
 0.000000 | HookCallFunction port_to_count(4789/udp)
 0.000000 | HookCallFunction port_to_count(5072/udp)
@@ -3609,6 +3630,7 @@
 0.000000 | HookLoadFile  ./Zeek_Finger.events.bif.zeek <...>/Zeek_Finger.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_GSSAPI.events.bif.zeek <...>/Zeek_GSSAPI.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_GTPv1.events.bif.zeek <...>/Zeek_GTPv1.events.bif.zeek
+0.000000 | HookLoadFile  ./Zeek_GTPv1.functions.bif.zeek <...>/Zeek_GTPv1.functions.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_Geneve.events.bif.zeek <...>/Zeek_Geneve.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_Gnutella.events.bif.zeek <...>/Zeek_Gnutella.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_HTTP.events.bif.zeek <...>/Zeek_HTTP.events.bif.zeek
@@ -3823,6 +3845,7 @@
 0.000000 | HookLoadFile  base/init-frameworks-and-bifs.zeek <...>/init-frameworks-and-bifs.zeek
 0.000000 | HookLoadFile  base/packet-protocols <...>/packet-protocols
 0.000000 | HookLoadFile  base<...>/CPP-load.bif <...>/CPP-load.bif.zeek
+0.000000 | HookLoadFile  base<...>/Zeek_GTPv1.functions.bif <...>/Zeek_GTPv1.functions.bif.zeek
 0.000000 | HookLoadFile  base<...>/Zeek_KRB.types.bif <...>/Zeek_KRB.types.bif.zeek
 0.000000 | HookLoadFile  base<...>/Zeek_SNMP.types.bif <...>/Zeek_SNMP.types.bif.zeek
 0.000000 | HookLoadFile  base<...>/Zeek_Teredo.functions.bif <...>/Zeek_Teredo.functions.bif.zeek
@@ -3864,6 +3887,7 @@
 0.000000 | HookLoadFile  base<...>/geneve <...>/geneve
 0.000000 | HookLoadFile  base<...>/geoip-distance <...>/geoip-distance.zeek
 0.000000 | HookLoadFile  base<...>/gre <...>/gre
+0.000000 | HookLoadFile  base<...>/gtpv1 <...>/gtpv1
 0.000000 | HookLoadFile  base<...>/hash <...>/hash
 0.000000 | HookLoadFile  base<...>/hash_hrw <...>/hash_hrw.zeek
 0.000000 | HookLoadFile  base<...>/http <...>/http
@@ -3983,6 +4007,7 @@
 0.000000 | HookLoadFileExtended ./Zeek_Finger.events.bif.zeek <...>/Zeek_Finger.events.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_GSSAPI.events.bif.zeek <...>/Zeek_GSSAPI.events.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_GTPv1.events.bif.zeek <...>/Zeek_GTPv1.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_GTPv1.functions.bif.zeek <...>/Zeek_GTPv1.functions.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_Geneve.events.bif.zeek <...>/Zeek_Geneve.events.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_Gnutella.events.bif.zeek <...>/Zeek_Gnutella.events.bif.zeek
 0.000000 | HookLoadFileExtended ./Zeek_HTTP.events.bif.zeek <...>/Zeek_HTTP.events.bif.zeek
@@ -4197,6 +4222,7 @@
 0.000000 | HookLoadFileExtended base/init-frameworks-and-bifs.zeek <...>/init-frameworks-and-bifs.zeek
 0.000000 | HookLoadFileExtended base/packet-protocols <...>/packet-protocols
 0.000000 | HookLoadFileExtended base<...>/CPP-load.bif <...>/CPP-load.bif.zeek
+0.000000 | HookLoadFileExtended base<...>/Zeek_GTPv1.functions.bif <...>/Zeek_GTPv1.functions.bif.zeek
 0.000000 | HookLoadFileExtended base<...>/Zeek_KRB.types.bif <...>/Zeek_KRB.types.bif.zeek
 0.000000 | HookLoadFileExtended base<...>/Zeek_SNMP.types.bif <...>/Zeek_SNMP.types.bif.zeek
 0.000000 | HookLoadFileExtended base<...>/Zeek_Teredo.functions.bif <...>/Zeek_Teredo.functions.bif.zeek
@@ -4238,6 +4264,7 @@
 0.000000 | HookLoadFileExtended base<...>/geneve <...>/geneve
 0.000000 | HookLoadFileExtended base<...>/geoip-distance <...>/geoip-distance.zeek
 0.000000 | HookLoadFileExtended base<...>/gre <...>/gre
+0.000000 | HookLoadFileExtended base<...>/gtpv1 <...>/gtpv1
 0.000000 | HookLoadFileExtended base<...>/hash <...>/hash
 0.000000 | HookLoadFileExtended base<...>/hash_hrw <...>/hash_hrw.zeek
 0.000000 | HookLoadFileExtended base<...>/http <...>/http
@@ -4806,6 +4833,7 @@ XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(HTTP::get_file_handle, <frame>, (
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(Log::__write, <frame>, (Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>])) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(Log::log_stream_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>], Conn::LOG)) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(Log::write, <frame>, (Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>])) -> <no result>
+XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(PacketAnalyzer::GTPV1::remove_gtpv1_connection, <frame>, ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp])) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(PacketAnalyzer::TEREDO::remove_teredo_connection, <frame>, ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp])) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(connection_state_remove, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::info{ if (HTTP::c?$http_state) { for ([HTTP::r] in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerceHTTP::info)}}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
@@ -4844,6 +4872,7 @@ XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(HTTP::get_file_handle, <frame>, (
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(Log::__write, <frame>, (Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>]))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(Log::log_stream_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>], Conn::LOG))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(Log::write, <frame>, (Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>]))
+XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(PacketAnalyzer::GTPV1::remove_gtpv1_connection, <frame>, ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(PacketAnalyzer::TEREDO::remove_teredo_connection, <frame>, ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(connection_state_remove, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::info{ if (HTTP::c?$http_state) { for ([HTTP::r] in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerceHTTP::info)}}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
@@ -4883,6 +4912,7 @@ XXXXXXXXXX.XXXXXX | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.2
 XXXXXXXXXX.XXXXXX | HookCallFunction Log::__write(Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>])
 XXXXXXXXXX.XXXXXX | HookCallFunction Log::log_stream_policy([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>], Conn::LOG)
 XXXXXXXXXX.XXXXXX | HookCallFunction Log::write(Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>])
+XXXXXXXXXX.XXXXXX | HookCallFunction PacketAnalyzer::GTPV1::remove_gtpv1_connection([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp])
 XXXXXXXXXX.XXXXXX | HookCallFunction PacketAnalyzer::TEREDO::remove_teredo_connection([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp])
 XXXXXXXXXX.XXXXXX | HookCallFunction cat(Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)
 XXXXXXXXXX.XXXXXX | HookCallFunction connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::info{ if (HTTP::c?$http_state) { for ([HTTP::r] in HTTP::c$http_state$pending) { if (0 == HTTP::r) next Log::write(HTTP::LOG, to_any_coerceHTTP::info)}}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
diff --git a/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out b/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out
index 26470a7fdf..1c399929a2 100644
--- a/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out
+++ b/testing/btest/Baseline/signatures.dpd/dpd-ipv4.out
@@ -1,5 +1,5 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-|Analyzer::all_registered_ports()|, 4
+|Analyzer::all_registered_ports()|, 5
 signature_match [orig_h=141.142.220.235, orig_p=50003/tcp, resp_h=199.233.217.249, resp_p=21/tcp] - matched my_ftp_client
 ftp_reply 199.233.217.249:21 - 220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20100320) ready.
 ftp_request 141.142.220.235:50003 - USER anonymous
diff --git a/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out b/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out
index 40ce076959..d7f9033f64 100644
--- a/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out
+++ b/testing/btest/Baseline/signatures.dpd/dpd-ipv6.out
@@ -1,5 +1,5 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-|Analyzer::all_registered_ports()|, 4
+|Analyzer::all_registered_ports()|, 5
 signature_match [orig_h=2001:470:1f11:81f:c999:d94:aa7c:2e3e, orig_p=49185/tcp, resp_h=2001:470:4867:99::21, resp_p=21/tcp] - matched my_ftp_client
 ftp_reply [2001:470:4867:99::21]:21 - 220 ftp.NetBSD.org FTP server (NetBSD-ftpd 20100320) ready.
 ftp_request [2001:470:1f11:81f:c999:d94:aa7c:2e3e]:49185 - USER anonymous
diff --git a/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out b/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out
index 123f40020a..67da14aaad 100644
--- a/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out
+++ b/testing/btest/Baseline/signatures.dpd/nosig-ipv4.out
@@ -1,2 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-|Analyzer::all_registered_ports()|, 4
+|Analyzer::all_registered_ports()|, 5
diff --git a/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out b/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out
index 123f40020a..67da14aaad 100644
--- a/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out
+++ b/testing/btest/Baseline/signatures.dpd/nosig-ipv6.out
@@ -1,2 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-|Analyzer::all_registered_ports()|, 4
+|Analyzer::all_registered_ports()|, 5

From 9135345fa84d157eb4ce63a5b54801ca7c19afee Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Wed, 3 Nov 2021 15:51:00 -0700
Subject: [PATCH 102/210] Remove the old session-based tunnel analyzers

---
 src/analyzer/protocol/CMakeLists.txt          |   5 -
 src/analyzer/protocol/ayiya/AYIYA.cc          |  71 --
 src/analyzer/protocol/ayiya/AYIYA.h           |  37 -
 src/analyzer/protocol/ayiya/CMakeLists.txt    |   9 -
 src/analyzer/protocol/ayiya/Plugin.cc         |  26 -
 .../protocol/ayiya/ayiya-analyzer.pac         |  68 --
 .../protocol/ayiya/ayiya-protocol.pac         |  17 -
 src/analyzer/protocol/ayiya/ayiya.pac         |  17 -
 src/analyzer/protocol/geneve/CMakeLists.txt   |   8 -
 src/analyzer/protocol/geneve/Geneve.cc        |  95 ---
 src/analyzer/protocol/geneve/Geneve.h         |  23 -
 src/analyzer/protocol/geneve/Plugin.cc        |  26 -
 src/analyzer/protocol/geneve/events.bif       |  12 -
 src/analyzer/protocol/gtpv1/CMakeLists.txt    |  10 -
 src/analyzer/protocol/gtpv1/GTPv1.cc          |  80 --
 src/analyzer/protocol/gtpv1/GTPv1.h           |  39 -
 src/analyzer/protocol/gtpv1/Plugin.cc         |  26 -
 src/analyzer/protocol/gtpv1/events.bif        |  74 --
 .../protocol/gtpv1/gtpv1-analyzer.pac         | 753 ------------------
 .../protocol/gtpv1/gtpv1-protocol.pac         | 496 ------------
 src/analyzer/protocol/gtpv1/gtpv1.pac         |  18 -
 src/analyzer/protocol/teredo/CMakeLists.txt   |   9 -
 src/analyzer/protocol/teredo/Plugin.cc        |  26 -
 src/analyzer/protocol/teredo/Teredo.cc        | 237 ------
 src/analyzer/protocol/teredo/Teredo.h         |  93 ---
 src/analyzer/protocol/teredo/events.bif       |  55 --
 src/analyzer/protocol/vxlan/CMakeLists.txt    |   9 -
 src/analyzer/protocol/vxlan/Plugin.cc         |  26 -
 src/analyzer/protocol/vxlan/VXLAN.cc          | 102 ---
 src/analyzer/protocol/vxlan/VXLAN.h           |  23 -
 src/analyzer/protocol/vxlan/events.bif        |  12 -
 31 files changed, 2502 deletions(-)
 delete mode 100644 src/analyzer/protocol/ayiya/AYIYA.cc
 delete mode 100644 src/analyzer/protocol/ayiya/AYIYA.h
 delete mode 100644 src/analyzer/protocol/ayiya/CMakeLists.txt
 delete mode 100644 src/analyzer/protocol/ayiya/Plugin.cc
 delete mode 100644 src/analyzer/protocol/ayiya/ayiya-analyzer.pac
 delete mode 100644 src/analyzer/protocol/ayiya/ayiya-protocol.pac
 delete mode 100644 src/analyzer/protocol/ayiya/ayiya.pac
 delete mode 100644 src/analyzer/protocol/geneve/CMakeLists.txt
 delete mode 100644 src/analyzer/protocol/geneve/Geneve.cc
 delete mode 100644 src/analyzer/protocol/geneve/Geneve.h
 delete mode 100644 src/analyzer/protocol/geneve/Plugin.cc
 delete mode 100644 src/analyzer/protocol/geneve/events.bif
 delete mode 100644 src/analyzer/protocol/gtpv1/CMakeLists.txt
 delete mode 100644 src/analyzer/protocol/gtpv1/GTPv1.cc
 delete mode 100644 src/analyzer/protocol/gtpv1/GTPv1.h
 delete mode 100644 src/analyzer/protocol/gtpv1/Plugin.cc
 delete mode 100644 src/analyzer/protocol/gtpv1/events.bif
 delete mode 100644 src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac
 delete mode 100644 src/analyzer/protocol/gtpv1/gtpv1-protocol.pac
 delete mode 100644 src/analyzer/protocol/gtpv1/gtpv1.pac
 delete mode 100644 src/analyzer/protocol/teredo/CMakeLists.txt
 delete mode 100644 src/analyzer/protocol/teredo/Plugin.cc
 delete mode 100644 src/analyzer/protocol/teredo/Teredo.cc
 delete mode 100644 src/analyzer/protocol/teredo/Teredo.h
 delete mode 100644 src/analyzer/protocol/teredo/events.bif
 delete mode 100644 src/analyzer/protocol/vxlan/CMakeLists.txt
 delete mode 100644 src/analyzer/protocol/vxlan/Plugin.cc
 delete mode 100644 src/analyzer/protocol/vxlan/VXLAN.cc
 delete mode 100644 src/analyzer/protocol/vxlan/VXLAN.h
 delete mode 100644 src/analyzer/protocol/vxlan/events.bif

diff --git a/src/analyzer/protocol/CMakeLists.txt b/src/analyzer/protocol/CMakeLists.txt
index b21ec3a545..4bebee739e 100644
--- a/src/analyzer/protocol/CMakeLists.txt
+++ b/src/analyzer/protocol/CMakeLists.txt
@@ -1,4 +1,3 @@
-#add_subdirectory(ayiya)
 add_subdirectory(bittorrent)
 add_subdirectory(conn-size)
 add_subdirectory(dce-rpc)
@@ -8,10 +7,8 @@ add_subdirectory(dns)
 add_subdirectory(file)
 add_subdirectory(finger)
 add_subdirectory(ftp)
-#add_subdirectory(geneve)
 add_subdirectory(gnutella)
 add_subdirectory(gssapi)
-#add_subdirectory(gtpv1)
 add_subdirectory(http)
 add_subdirectory(ident)
 add_subdirectory(imap)
@@ -41,7 +38,5 @@ add_subdirectory(ssh)
 add_subdirectory(ssl)
 add_subdirectory(syslog)
 add_subdirectory(tcp)
-#add_subdirectory(teredo)
-#add_subdirectory(vxlan)
 add_subdirectory(xmpp)
 add_subdirectory(zip)
diff --git a/src/analyzer/protocol/ayiya/AYIYA.cc b/src/analyzer/protocol/ayiya/AYIYA.cc
deleted file mode 100644
index 8ce18318c1..0000000000
--- a/src/analyzer/protocol/ayiya/AYIYA.cc
+++ /dev/null
@@ -1,71 +0,0 @@
-// See the file "COPYING" in the main distribution directory for copyright.
-
-#include "zeek/analyzer/protocol/ayiya/AYIYA.h"
-
-#include "zeek/Func.h"
-#include "zeek/packet_analysis/protocol/ip/IP.h"
-#include "zeek/packet_analysis/protocol/iptunnel/IPTunnel.h"
-
-namespace zeek::analyzer::ayiya
-	{
-
-AYIYA_Analyzer::AYIYA_Analyzer(Connection* conn) : Analyzer("AYIYA", conn)
-	{
-	interp = new binpac::AYIYA::AYIYA_Conn(this);
-	}
-
-AYIYA_Analyzer::~AYIYA_Analyzer()
-	{
-	delete interp;
-	}
-
-void AYIYA_Analyzer::Done()
-	{
-	Analyzer::Done();
-	Event(udp_session_done);
-	}
-
-void AYIYA_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq,
-                                   const IP_Hdr* ip, int caplen)
-	{
-	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
-
-	try
-		{
-		interp->NewData(orig, data, data + len);
-		}
-	catch ( const binpac::Exception& e )
-		{
-		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
-		}
-
-	if ( inner_packet_offset <= 0 )
-		return;
-
-	data += inner_packet_offset;
-	len -= inner_packet_offset;
-	caplen -= inner_packet_offset;
-	inner_packet_offset = -1;
-
-	std::shared_ptr<IP_Hdr> inner;
-	int result = packet_analysis::IP::ParsePacket(len, data, next_header, inner);
-
-	if ( result == 0 )
-		{
-		AnalyzerConfirmation();
-	std:
-		shared_ptr<EncapsulationStack> e = Conn()->GetEncapsulation();
-		EncapsulatingConn ec(Conn(), BifEnum::Tunnel::AYIYA);
-		packet_analysis::IPTunnel::ip_tunnel_analyzer->ProcessEncapsulatedPacket(
-			run_state::network_time, nullptr, inner, e, ec);
-		}
-	else if ( result == -2 )
-		AnalyzerViolation("AYIYA next header internal mismatch",
-		                  reinterpret_cast<const char*>(data), len);
-	else if ( result < 0 )
-		AnalyzerViolation("Truncated AYIYA", reinterpret_cast<const char*>(data), len);
-	else
-		AnalyzerViolation("AYIYA payload length", reinterpret_cast<const char*>(data), len);
-	}
-
-	} // namespace zeek::analyzer::ayiya
diff --git a/src/analyzer/protocol/ayiya/AYIYA.h b/src/analyzer/protocol/ayiya/AYIYA.h
deleted file mode 100644
index dd7698f49d..0000000000
--- a/src/analyzer/protocol/ayiya/AYIYA.h
+++ /dev/null
@@ -1,37 +0,0 @@
-#pragma once
-
-#include "analyzer/protocol/ayiya/ayiya_pac.h"
-
-namespace binpac::AYIYA
-	{
-class AYIYA_Conn;
-	}
-
-namespace zeek::analyzer::ayiya
-	{
-
-class AYIYA_Analyzer final : public analyzer::Analyzer
-	{
-public:
-	explicit AYIYA_Analyzer(Connection* conn);
-	virtual ~AYIYA_Analyzer();
-
-	virtual void Done();
-	virtual void DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq,
-	                           const IP_Hdr* ip, int caplen);
-
-	static analyzer::Analyzer* Instantiate(Connection* conn) { return new AYIYA_Analyzer(conn); }
-
-	void SetInnerInfo(int offset, uint8_t next)
-		{
-		inner_packet_offset = offset;
-		next_header = next;
-		}
-
-protected:
-	binpac::AYIYA::AYIYA_Conn* interp;
-	int inner_packet_offset = -1;
-	uint8_t next_header = 0;
-	};
-
-	} // namespace zeek::analyzer::ayiya
diff --git a/src/analyzer/protocol/ayiya/CMakeLists.txt b/src/analyzer/protocol/ayiya/CMakeLists.txt
deleted file mode 100644
index 480d0bdfeb..0000000000
--- a/src/analyzer/protocol/ayiya/CMakeLists.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-
-include(ZeekPlugin)
-
-include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
-
-zeek_plugin_begin(Zeek AYIYA)
-zeek_plugin_cc(AYIYA.cc Plugin.cc)
-zeek_plugin_pac(ayiya.pac ayiya-protocol.pac ayiya-analyzer.pac)
-zeek_plugin_end()
diff --git a/src/analyzer/protocol/ayiya/Plugin.cc b/src/analyzer/protocol/ayiya/Plugin.cc
deleted file mode 100644
index 61d251e592..0000000000
--- a/src/analyzer/protocol/ayiya/Plugin.cc
+++ /dev/null
@@ -1,26 +0,0 @@
-// See the file  in the main distribution directory for copyright.
-
-#include "zeek/plugin/Plugin.h"
-
-#include "zeek/analyzer/Component.h"
-#include "zeek/analyzer/protocol/ayiya/AYIYA.h"
-
-namespace zeek::plugin::detail::Zeek_AYIYA
-	{
-
-class Plugin : public zeek::plugin::Plugin
-	{
-public:
-	zeek::plugin::Configuration Configure() override
-		{
-		AddComponent(new zeek::analyzer::Component(
-			"AYIYA", zeek::analyzer::ayiya::AYIYA_Analyzer::Instantiate));
-
-		zeek::plugin::Configuration config;
-		config.name = "Zeek::AYIYA";
-		config.description = "AYIYA Analyzer";
-		return config;
-		}
-	} plugin;
-
-	} // namespace zeek::plugin::detail::Zeek_AYIYA
diff --git a/src/analyzer/protocol/ayiya/ayiya-analyzer.pac b/src/analyzer/protocol/ayiya/ayiya-analyzer.pac
deleted file mode 100644
index 85b4ead410..0000000000
--- a/src/analyzer/protocol/ayiya/ayiya-analyzer.pac
+++ /dev/null
@@ -1,68 +0,0 @@
-%extern{
-#include "zeek/Conn.h"
-#include "zeek/analyzer/protocol/ayiya/AYIYA.h"
-%}
-
-connection AYIYA_Conn(zeek_analyzer: ZeekAnalyzer)
-	{
-	upflow = AYIYA_Flow;
-	downflow = AYIYA_Flow;
-	};
-
-flow AYIYA_Flow
-	{
-	datagram = PDU withcontext(connection, this);
-
-	function process_ayiya(pdu: PDU): bool
-		%{
-		zeek::Connection* c = connection()->zeek_analyzer()->Conn();
-		std:shared_ptr<zeek::EncapsulationStack> e = c->GetEncapsulation();
-
-		if ( e && e->Depth() >= zeek::BifConst::Tunnel::max_depth )
-			{
-			connection()->zeek_analyzer()->Weird("tunnel_depth");
-			return false;
-			}
-
-		if ( ${pdu.op} != 1 )
-			{
-			// 1 is the "forward" command.
-			return false;
-			}
-
-		if ( ${pdu.next_header} != IPPROTO_IPV6 &&
-		     ${pdu.next_header} != IPPROTO_IPV4 )
-			{
-			connection()->zeek_analyzer()->Weird("ayiya_tunnel_non_ip");
-			return false;
-			}
-
-		if ( ${pdu.packet}.length() < (int)sizeof(struct ip) )
-			{
-			connection()->zeek_analyzer()->AnalyzerViolation(
-			    "Truncated AYIYA", (const char*) ${pdu.packet}.data(),
-			    ${pdu.packet}.length());
-			return false;
-			}
-
-		const struct ip* ip = (const struct ip*) ${pdu.packet}.data();
-
-		if ( ( ${pdu.next_header} == IPPROTO_IPV6 && ip->ip_v != 6 ) ||
-		     ( ${pdu.next_header} == IPPROTO_IPV4 && ip->ip_v != 4) )
-			{
-			connection()->zeek_analyzer()->AnalyzerViolation(
-			    "AYIYA next header mismatch", (const char*)${pdu.packet}.data(),
-			     ${pdu.packet}.length());
-			return false;
-			}
-
-		static_cast<zeek::analyzer::ayiya::AYIYA_Analyzer*>(connection()->zeek_analyzer())->SetInnerInfo(${pdu.hdr_len}, ${pdu.next_header});
-
-		return true;
-		%}
-
-	};
-
-refine typeattr PDU += &let {
-	proc_ayiya = $context.flow.process_ayiya(this);
-};
diff --git a/src/analyzer/protocol/ayiya/ayiya-protocol.pac b/src/analyzer/protocol/ayiya/ayiya-protocol.pac
deleted file mode 100644
index 9b65ee8493..0000000000
--- a/src/analyzer/protocol/ayiya/ayiya-protocol.pac
+++ /dev/null
@@ -1,17 +0,0 @@
-
-type PDU = record {
-	identity_byte:  uint8;
-	signature_byte: uint8;
-	auth_and_op:    uint8;
-	next_header:    uint8;
-	epoch:          uint32;
-	identity:       bytestring &length=identity_len;
-	signature:      bytestring &length=signature_len;
-	packet:         bytestring &restofdata;
-} &let {
-	identity_len  = (1 << (identity_byte >> 4));
-	signature_len = (signature_byte >> 4) * 4;
-	hdr_len = 8 + identity_len + signature_len;
-	auth = auth_and_op >> 4;
-	op = auth_and_op & 0xF;
-} &byteorder = littleendian;
diff --git a/src/analyzer/protocol/ayiya/ayiya.pac b/src/analyzer/protocol/ayiya/ayiya.pac
deleted file mode 100644
index c1e3fbc613..0000000000
--- a/src/analyzer/protocol/ayiya/ayiya.pac
+++ /dev/null
@@ -1,17 +0,0 @@
-
-%include binpac.pac
-%include zeek.pac
-
-%extern{
-#include "zeek/IP.h"
-#include "zeek/Reporter.h"
-#include "zeek/TunnelEncapsulation.h"
-%}
-
-analyzer AYIYA withcontext {
-	connection:	AYIYA_Conn;
-	flow:		AYIYA_Flow;
-};
-
-%include ayiya-protocol.pac
-%include ayiya-analyzer.pac
diff --git a/src/analyzer/protocol/geneve/CMakeLists.txt b/src/analyzer/protocol/geneve/CMakeLists.txt
deleted file mode 100644
index b00de62376..0000000000
--- a/src/analyzer/protocol/geneve/CMakeLists.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-include(ZeekPlugin)
-
-include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
-
-zeek_plugin_begin(Zeek Geneve)
-zeek_plugin_cc(Geneve.cc Plugin.cc)
-zeek_plugin_bif(events.bif)
-zeek_plugin_end()
diff --git a/src/analyzer/protocol/geneve/Geneve.cc b/src/analyzer/protocol/geneve/Geneve.cc
deleted file mode 100644
index edd78af21c..0000000000
--- a/src/analyzer/protocol/geneve/Geneve.cc
+++ /dev/null
@@ -1,95 +0,0 @@
-// See the file  in the main distribution directory for copyright.
-
-#include "zeek/analyzer/protocol/geneve/Geneve.h"
-
-#include "zeek/Conn.h"
-#include "zeek/IP.h"
-#include "zeek/RunState.h"
-#include "zeek/analyzer/protocol/geneve/events.bif.h"
-#include "zeek/packet_analysis/protocol/iptunnel/IPTunnel.h"
-
-namespace zeek::analyzer::geneve
-	{
-
-void Geneve_Analyzer::Done()
-	{
-	Analyzer::Done();
-	Event(udp_session_done);
-	}
-
-void Geneve_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq,
-                                    const IP_Hdr* ip, int caplen)
-	{
-	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
-
-	// Outer Ethernet, IP, and UDP layers already skipped.
-	// Also, generic UDP analyzer already checked/guarantees caplen >= len.
-
-	constexpr auto tunnel_header_len = 8;
-
-	if ( len < tunnel_header_len )
-		{
-		AnalyzerViolation("Geneve header truncation", reinterpret_cast<const char*>(data), len);
-		return;
-		}
-
-	auto outer = Conn()->GetEncapsulation();
-
-	if ( outer && outer->Depth() >= BifConst::Tunnel::max_depth )
-		{
-		Weird("tunnel_depth");
-		return;
-		}
-
-	if ( ! outer )
-		outer = std::make_shared<EncapsulationStack>();
-
-	EncapsulatingConn inner(Conn(), BifEnum::Tunnel::GENEVE);
-	outer->Add(inner);
-	int encap_index = outer->Depth();
-
-	uint8_t tunnel_opt_len = (data[0] & 0x3F) * 4;
-	auto vni = (data[4] << 16) + (data[5] << 8) + (data[6] << 0);
-
-	if ( len < tunnel_header_len + tunnel_opt_len )
-		{
-		AnalyzerViolation("Geneve option header truncation", reinterpret_cast<const char*>(data),
-		                  len);
-		return;
-		}
-
-	// Skip over the Geneve headers and create a new packet.
-	data += tunnel_header_len + tunnel_opt_len;
-	caplen -= tunnel_header_len + tunnel_opt_len;
-	len -= tunnel_header_len + tunnel_opt_len;
-
-	pkt_timeval ts;
-	ts.tv_sec = static_cast<time_t>(run_state::current_timestamp);
-	ts.tv_usec = static_cast<suseconds_t>(
-		(run_state::current_timestamp - static_cast<double>(ts.tv_sec)) * 1000000);
-	Packet pkt(DLT_EN10MB, &ts, caplen, len, data);
-	pkt.encap = outer;
-
-	if ( ! packet_mgr->ProcessInnerPacket(&pkt) )
-		{
-		AnalyzerViolation("Geneve invalid inner packet");
-		return;
-		}
-
-	// This isn't really an error. It's just that the inner packet wasn't an IP packet (like ARP).
-	// Just return without reporting a violation.
-	if ( ! pkt.ip_hdr )
-		return;
-
-	AnalyzerConfirmation();
-
-	if ( geneve_packet )
-		{
-		EncapsulatingConn* ec = pkt.encap->At(encap_index);
-		if ( ec && ec->ip_hdr )
-			Conn()->EnqueueEvent(geneve_packet, nullptr, ConnVal(), pkt.ip_hdr->ToPktHdrVal(),
-			                     val_mgr->Count(vni));
-		}
-	}
-
-	} // namespace zeek::analyzer::geneve
diff --git a/src/analyzer/protocol/geneve/Geneve.h b/src/analyzer/protocol/geneve/Geneve.h
deleted file mode 100644
index f2fe004306..0000000000
--- a/src/analyzer/protocol/geneve/Geneve.h
+++ /dev/null
@@ -1,23 +0,0 @@
-// See the file  in the main distribution directory for copyright.
-
-#pragma once
-
-#include "zeek/analyzer/Analyzer.h"
-
-namespace zeek::analyzer::geneve
-	{
-
-class Geneve_Analyzer final : public analyzer::Analyzer
-	{
-public:
-	explicit Geneve_Analyzer(Connection* conn) : Analyzer("Geneve", conn) { }
-
-	void Done() override;
-
-	void DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq, const IP_Hdr* ip,
-	                   int caplen) override;
-
-	static analyzer::Analyzer* Instantiate(Connection* conn) { return new Geneve_Analyzer(conn); }
-	};
-
-	} // namespace zeek::analyzer::vxlan
diff --git a/src/analyzer/protocol/geneve/Plugin.cc b/src/analyzer/protocol/geneve/Plugin.cc
deleted file mode 100644
index 1fc1f7f4b2..0000000000
--- a/src/analyzer/protocol/geneve/Plugin.cc
+++ /dev/null
@@ -1,26 +0,0 @@
-// See the file  in the main distribution directory for copyright.
-
-#include "zeek/plugin/Plugin.h"
-
-#include "zeek/analyzer/Component.h"
-#include "zeek/analyzer/protocol/geneve/Geneve.h"
-
-namespace zeek::plugin::detail::Zeek_Geneve
-	{
-
-class Plugin : public zeek::plugin::Plugin
-	{
-public:
-	zeek::plugin::Configuration Configure() override
-		{
-		AddComponent(new zeek::analyzer::Component(
-			"Geneve", zeek::analyzer::geneve::Geneve_Analyzer::Instantiate));
-
-		zeek::plugin::Configuration config;
-		config.name = "Zeek::Geneve";
-		config.description = "Geneve analyzer";
-		return config;
-		}
-	} plugin;
-
-	} // namespace zeek::plugin::detail::Zeek_Geneve
diff --git a/src/analyzer/protocol/geneve/events.bif b/src/analyzer/protocol/geneve/events.bif
deleted file mode 100644
index f399821f95..0000000000
--- a/src/analyzer/protocol/geneve/events.bif
+++ /dev/null
@@ -1,12 +0,0 @@
-## Generated for any packet encapsulated in a Geneve tunnel.
-## See :rfc:`8926` for more information about the VXLAN protocol.
-##
-## outer: The Geneve tunnel connection.
-##
-## inner: The Geneve-encapsulated Ethernet packet header and transport header.
-##
-## vni: Geneve Network Identifier.
-##
-## .. note:: Since this event may be raised on a per-packet basis, handling
-##    it may become particularly expensive for real-time analysis.
-event geneve_packet%(outer: connection, inner: pkt_hdr, vni: count%);
diff --git a/src/analyzer/protocol/gtpv1/CMakeLists.txt b/src/analyzer/protocol/gtpv1/CMakeLists.txt
deleted file mode 100644
index 61856cf1f1..0000000000
--- a/src/analyzer/protocol/gtpv1/CMakeLists.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-
-include(ZeekPlugin)
-
-include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
-
-zeek_plugin_begin(Zeek GTPv1)
-zeek_plugin_cc(GTPv1.cc Plugin.cc)
-zeek_plugin_bif(events.bif)
-zeek_plugin_pac(gtpv1.pac gtpv1-protocol.pac gtpv1-analyzer.pac)
-zeek_plugin_end()
diff --git a/src/analyzer/protocol/gtpv1/GTPv1.cc b/src/analyzer/protocol/gtpv1/GTPv1.cc
deleted file mode 100644
index 64c66f6f1e..0000000000
--- a/src/analyzer/protocol/gtpv1/GTPv1.cc
+++ /dev/null
@@ -1,80 +0,0 @@
-// See the file "COPYING" in the main distribution directory for copyright.
-
-#include "zeek/analyzer/protocol/gtpv1/GTPv1.h"
-
-#include "zeek/analyzer/protocol/gtpv1/events.bif.h"
-#include "zeek/packet_analysis/protocol/ip/IP.h"
-#include "zeek/packet_analysis/protocol/iptunnel/IPTunnel.h"
-
-namespace zeek::analyzer::gtpv1
-	{
-
-GTPv1_Analyzer::GTPv1_Analyzer(Connection* conn) : Analyzer("GTPV1", conn)
-	{
-	interp = new binpac::GTPv1::GTPv1_Conn(this);
-	}
-
-GTPv1_Analyzer::~GTPv1_Analyzer()
-	{
-	delete interp;
-	}
-
-void GTPv1_Analyzer::Done()
-	{
-	Analyzer::Done();
-	Event(udp_session_done);
-	}
-
-void GTPv1_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq,
-                                   const IP_Hdr* ip, int caplen)
-	{
-	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
-	try
-		{
-		interp->NewData(orig, data, data + len);
-		}
-	catch ( const binpac::Exception& e )
-		{
-		AnalyzerViolation(util::fmt("Binpac exception: %s", e.c_msg()));
-		}
-
-	if ( inner_packet_offset <= 0 )
-		return;
-
-	auto odata = data;
-	auto olen = len;
-	data += inner_packet_offset;
-	len -= inner_packet_offset;
-	caplen -= inner_packet_offset;
-	inner_packet_offset = -1;
-
-	std::shared_ptr<IP_Hdr> inner = nullptr;
-	int result = packet_analysis::IP::ParsePacket(len, data, next_header, inner);
-
-	if ( result == 0 )
-		{
-		interp->set_valid(orig, true);
-
-		if ( (! BifConst::Tunnel::delay_gtp_confirmation) ||
-		     (interp->valid(true) && interp->valid(false)) )
-			AnalyzerConfirmation();
-
-		if ( gtp_hdr_val )
-			BifEvent::enqueue_gtpv1_g_pdu_packet(this, Conn(), std::move(gtp_hdr_val),
-			                                     inner->ToPktHdrVal());
-
-		std::shared_ptr<zeek::EncapsulationStack> e = Conn()->GetEncapsulation();
-		EncapsulatingConn ec(Conn(), BifEnum::Tunnel::GTPv1);
-		zeek::packet_analysis::IPTunnel::ip_tunnel_analyzer->ProcessEncapsulatedPacket(
-			run_state::network_time, nullptr, inner, e, ec);
-		}
-	else if ( result == -2 )
-		AnalyzerViolation("Invalid IP version in wrapped packet",
-		                  reinterpret_cast<const char*>(odata), olen);
-	else if ( result < 0 )
-		AnalyzerViolation("Truncated GTPv1", reinterpret_cast<const char*>(odata), olen);
-	else
-		AnalyzerViolation("GTPv1 payload length", reinterpret_cast<const char*>(odata), olen);
-	}
-
-	} // namespace zeek::analyzer::gtpv1
diff --git a/src/analyzer/protocol/gtpv1/GTPv1.h b/src/analyzer/protocol/gtpv1/GTPv1.h
deleted file mode 100644
index 37d20b3cd9..0000000000
--- a/src/analyzer/protocol/gtpv1/GTPv1.h
+++ /dev/null
@@ -1,39 +0,0 @@
-#pragma once
-
-#include "analyzer/protocol/gtpv1/gtpv1_pac.h"
-
-namespace binpac::GTPv1
-	{
-class GTPv1_Conn;
-	}
-
-namespace zeek::analyzer::gtpv1
-	{
-
-class GTPv1_Analyzer final : public analyzer::Analyzer
-	{
-public:
-	explicit GTPv1_Analyzer(Connection* conn);
-	virtual ~GTPv1_Analyzer();
-
-	virtual void Done();
-	virtual void DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq,
-	                           const IP_Hdr* ip, int caplen);
-
-	static analyzer::Analyzer* Instantiate(Connection* conn) { return new GTPv1_Analyzer(conn); }
-
-	void SetInnerInfo(int offset, uint8_t next, RecordValPtr val)
-		{
-		inner_packet_offset = offset;
-		next_header = next;
-		gtp_hdr_val = std::move(val);
-		}
-
-protected:
-	binpac::GTPv1::GTPv1_Conn* interp;
-	int inner_packet_offset = -1;
-	uint8_t next_header = 0;
-	RecordValPtr gtp_hdr_val;
-	};
-
-	} // namespace zeek::analyzer::gtpv1
diff --git a/src/analyzer/protocol/gtpv1/Plugin.cc b/src/analyzer/protocol/gtpv1/Plugin.cc
deleted file mode 100644
index c008140e7d..0000000000
--- a/src/analyzer/protocol/gtpv1/Plugin.cc
+++ /dev/null
@@ -1,26 +0,0 @@
-// See the file  in the main distribution directory for copyright.
-
-#include "zeek/plugin/Plugin.h"
-
-#include "zeek/analyzer/Component.h"
-#include "zeek/analyzer/protocol/gtpv1/GTPv1.h"
-
-namespace zeek::plugin::detail::Zeek_GTPv1
-	{
-
-class Plugin : public zeek::plugin::Plugin
-	{
-public:
-	zeek::plugin::Configuration Configure() override
-		{
-		AddComponent(new zeek::analyzer::Component(
-			"GTPv1", zeek::analyzer::gtpv1::GTPv1_Analyzer::Instantiate));
-
-		zeek::plugin::Configuration config;
-		config.name = "Zeek::GTPv1";
-		config.description = "GTPv1 analyzer";
-		return config;
-		}
-	} plugin;
-
-	} // namespace zeek::plugin::detail::Zeek_GTPv1
diff --git a/src/analyzer/protocol/gtpv1/events.bif b/src/analyzer/protocol/gtpv1/events.bif
deleted file mode 100644
index b3bac93a2e..0000000000
--- a/src/analyzer/protocol/gtpv1/events.bif
+++ /dev/null
@@ -1,74 +0,0 @@
-## Generated for any GTP message with a GTPv1 header.
-##
-## c: The connection over which the message is sent.
-##
-## hdr: The GTPv1 header.
-event gtpv1_message%(c: connection, hdr: gtpv1_hdr%);
-
-## Generated for GTPv1 G-PDU packets.  That is, packets with a UDP payload
-## that includes a GTP header followed by an IPv4 or IPv6 packet.
-##
-## outer: The GTP outer tunnel connection.
-##
-## inner_gtp: The GTP header.
-##
-## inner_ip: The inner IP and transport layer packet headers.
-##
-## .. note:: Since this event may be raised on a per-packet basis, handling
-##    it may become particularly expensive for real-time analysis.
-event gtpv1_g_pdu_packet%(outer: connection, inner_gtp: gtpv1_hdr, inner_ip: pkt_hdr%);
-
-## Generated for GTPv1-C Create PDP Context Request messages.
-##
-## c: The connection over which the message is sent.
-##
-## hdr: The GTPv1 header.
-##
-## elements: The set of Information Elements comprising the message.
-event gtpv1_create_pdp_ctx_request%(c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_request_elements%);
-
-## Generated for GTPv1-C Create PDP Context Response messages.
-##
-## c: The connection over which the message is sent.
-##
-## hdr: The GTPv1 header.
-##
-## elements: The set of Information Elements comprising the message.
-event gtpv1_create_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gtp_create_pdp_ctx_response_elements%);
-
-## Generated for GTPv1-C Update PDP Context Request messages.
-##
-## c: The connection over which the message is sent.
-##
-## hdr: The GTPv1 header.
-##
-## elements: The set of Information Elements comprising the message.
-event gtpv1_update_pdp_ctx_request%(c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_request_elements%);
-
-## Generated for GTPv1-C Update PDP Context Response messages.
-##
-## c: The connection over which the message is sent.
-##
-## hdr: The GTPv1 header.
-##
-## elements: The set of Information Elements comprising the message.
-event gtpv1_update_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gtp_update_pdp_ctx_response_elements%);
-
-## Generated for GTPv1-C Delete PDP Context Request messages.
-##
-## c: The connection over which the message is sent.
-##
-## hdr: The GTPv1 header.
-##
-## elements: The set of Information Elements comprising the message.
-event gtpv1_delete_pdp_ctx_request%(c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_request_elements%);
-
-## Generated for GTPv1-C Delete PDP Context Response messages.
-##
-## c: The connection over which the message is sent.
-##
-## hdr: The GTPv1 header.
-##
-## elements: The set of Information Elements comprising the message.
-event gtpv1_delete_pdp_ctx_response%(c: connection, hdr: gtpv1_hdr, elements: gtp_delete_pdp_ctx_response_elements%);
-
diff --git a/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac b/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac
deleted file mode 100644
index fc91c3dd00..0000000000
--- a/src/analyzer/protocol/gtpv1/gtpv1-analyzer.pac
+++ /dev/null
@@ -1,753 +0,0 @@
-%extern{
-#include "zeek/ZeekString.h"
-#include "zeek/analyzer/protocol/gtpv1/GTPv1.h"
-%}
-
-%code{
-zeek::RecordValPtr BuildGTPv1Hdr(const GTPv1_Header* pdu)
-	{
-	auto rv = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::gtpv1_hdr);
-
-	rv->Assign(0, pdu->version());
-	rv->Assign(1, pdu->pt_flag());
-	rv->Assign(2, pdu->rsv());
-	rv->Assign(3, pdu->e_flag());
-	rv->Assign(4, pdu->s_flag());
-	rv->Assign(5, pdu->pn_flag());
-	rv->Assign(6, pdu->msg_type());
-	rv->Assign(7, pdu->length());
-	rv->Assign(8, pdu->teid());
-
-	if ( pdu->has_opt() )
-		{
-		rv->Assign(9, pdu->opt_hdr()->seq());
-		rv->Assign(10, pdu->opt_hdr()->n_pdu());
-		rv->Assign(11, pdu->opt_hdr()->next_type());
-		}
-
-	return rv;
-	}
-
-static zeek::ValPtr BuildIMSI(const InformationElement* ie)
-	{
-	return zeek::val_mgr->Count(ie->imsi()->value());
-	}
-
-static zeek::ValPtr BuildRAI(const InformationElement* ie)
-	{
-	auto ev = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::gtp_rai);
-	ev->Assign(0, ie->rai()->mcc());
-	ev->Assign(1, ie->rai()->mnc());
-	ev->Assign(2, ie->rai()->lac());
-	ev->Assign(3, ie->rai()->rac());
-	return ev;
-	}
-
-static zeek::ValPtr BuildRecovery(const InformationElement* ie)
-	{
-	return zeek::val_mgr->Count(ie->recovery()->restart_counter());
-	}
-
-static zeek::ValPtr BuildSelectionMode(const InformationElement* ie)
-	{
-	return zeek::val_mgr->Count(ie->selection_mode()->mode());
-	}
-
-static zeek::ValPtr BuildTEID1(const InformationElement* ie)
-	{
-	return zeek::val_mgr->Count(ie->teid1()->value());
-	}
-
-static zeek::ValPtr BuildTEID_ControlPlane(const InformationElement* ie)
-	{
-	return zeek::val_mgr->Count(ie->teidcp()->value());
-	}
-
-static zeek::ValPtr BuildNSAPI(const InformationElement* ie)
-	{
-	return zeek::val_mgr->Count(ie->nsapi()->nsapi());
-	}
-
-static zeek::ValPtr BuildChargingCharacteristics(const InformationElement* ie)
-	{
-	return zeek::val_mgr->Count(ie->charging_characteristics()->value());
-	}
-
-static zeek::ValPtr BuildTraceReference(const InformationElement* ie)
-	{
-	return zeek::val_mgr->Count(ie->trace_reference()->value());
-	}
-
-static zeek::ValPtr BuildTraceType(const InformationElement* ie)
-	{
-	return zeek::val_mgr->Count(ie->trace_type()->value());
-	}
-
-zeek::ValPtr BuildEndUserAddr(const InformationElement* ie)
-	{
-	auto ev = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::gtp_end_user_addr);
-	ev->Assign(0, ie->end_user_addr()->pdp_type_org());
-	ev->Assign(1, ie->end_user_addr()->pdp_type_num());
-
-	int len = ie->end_user_addr()->pdp_addr().length();
-
-	if ( len > 0 )
-		{
-		const uint8* d = ie->end_user_addr()->pdp_addr().data();
-
-		switch ( ie->end_user_addr()->pdp_type_num() ) {
-		case 0x21:
-			ev->Assign(2, zeek::make_intrusive<zeek::AddrVal>(
-			  zeek::IPAddr(IPv4, (const uint32*) d, zeek::IPAddr::Network)));
-			break;
-		case 0x57:
-			ev->Assign(2, zeek::make_intrusive<zeek::AddrVal>(
-			  zeek::IPAddr(IPv6, (const uint32*) d, zeek::IPAddr::Network)));
-			break;
-		default:
-			ev->Assign(3, new zeek::String((const u_char*) d, len, false));
-			break;
-		}
-		}
-
-	return ev;
-	}
-
-zeek::ValPtr BuildAccessPointName(const InformationElement* ie)
-	{
-	zeek::String* bs = new zeek::String((const u_char*) ie->ap_name()->value().data(),
-	                                          ie->ap_name()->value().length(), false);
-	return zeek::make_intrusive<zeek::StringVal>(bs);
-	}
-
-zeek::ValPtr BuildProtoConfigOptions(const InformationElement* ie)
-	{
-	const u_char* d = (const u_char*) ie->proto_config_opts()->value().data();
-	int len = ie->proto_config_opts()->value().length();
-	return zeek::make_intrusive<zeek::StringVal>(new zeek::String(d, len, false));
-	}
-
-zeek::ValPtr BuildGSN_Addr(const InformationElement* ie)
-	{
-	auto ev = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::gtp_gsn_addr);
-
-	int len = ie->gsn_addr()->value().length();
-	const uint8* d = ie->gsn_addr()->value().data();
-
-	if ( len == 4 )
-		ev->Assign(0, zeek::make_intrusive<zeek::AddrVal>(
-		  zeek::IPAddr(IPv4, (const uint32*) d, zeek::IPAddr::Network)));
-	else if ( len == 16 )
-		ev->Assign(0, zeek::make_intrusive<zeek::AddrVal>(
-		  zeek::IPAddr(IPv6, (const uint32*) d, zeek::IPAddr::Network)));
-	else
-		ev->Assign(1, new zeek::String((const u_char*) d, len, false));
-
-	return ev;
-	}
-
-zeek::ValPtr BuildMSISDN(const InformationElement* ie)
-	{
-	const u_char* d = (const u_char*) ie->msisdn()->value().data();
-	int len = ie->msisdn()->value().length();
-	return zeek::make_intrusive<zeek::StringVal>(new zeek::String(d, len, false));
-	}
-
-zeek::ValPtr BuildQoS_Profile(const InformationElement* ie)
-	{
-	auto ev = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::gtp_qos_profile);
-
-	const u_char* d = (const u_char*) ie->qos_profile()->data().data();
-	int len = ie->qos_profile()->data().length();
-
-	ev->Assign(0, ie->qos_profile()->alloc_retention_priority());
-	ev->Assign(1, new zeek::String(d, len, false));
-
-	return ev;
-	}
-
-zeek::ValPtr BuildTrafficFlowTemplate(const InformationElement* ie)
-	{
-	const uint8* d = ie->traffic_flow_template()->value().data();
-	int len = ie->traffic_flow_template()->value().length();
-	return zeek::make_intrusive<zeek::StringVal>(new zeek::String((const u_char*) d, len, false));
-	}
-
-zeek::ValPtr BuildTriggerID(const InformationElement* ie)
-	{
-	const uint8* d = ie->trigger_id()->value().data();
-	int len = ie->trigger_id()->value().length();
-	return zeek::make_intrusive<zeek::StringVal>(new zeek::String((const u_char*) d, len, false));
-	}
-
-zeek::ValPtr BuildOMC_ID(const InformationElement* ie)
-	{
-	const uint8* d = ie->omc_id()->value().data();
-	int len = ie->omc_id()->value().length();
-	return zeek::make_intrusive<zeek::StringVal>(new zeek::String((const u_char*) d, len, false));
-	}
-
-zeek::ValPtr BuildPrivateExt(const InformationElement* ie)
-	{
-	auto ev = zeek::make_intrusive<zeek::RecordVal>(zeek::BifType::Record::gtp_private_extension);
-
-	const uint8* d = ie->private_ext()->value().data();
-	int len = ie->private_ext()->value().length();
-
-	ev->Assign(0, ie->private_ext()->id());
-	ev->Assign(1, new zeek::String((const u_char*) d, len, false));
-
-	return ev;
-	}
-
-static zeek::ValPtr BuildCause(const InformationElement* ie)
-	{
-	return zeek::val_mgr->Count(ie->cause()->value());
-	}
-
-static zeek::ValPtr BuildReorderReq(const InformationElement* ie)
-	{
-	return zeek::val_mgr->Bool(ie->reorder_req()->req());
-	}
-
-static zeek::ValPtr BuildChargingID(const InformationElement* ie)
-	{
-	return zeek::val_mgr->Count(ie->charging_id()->value());;
-	}
-
-zeek::ValPtr BuildChargingGatewayAddr(const InformationElement* ie)
-	{
-	const uint8* d = ie->charging_gateway_addr()->value().data();
-	int len = ie->charging_gateway_addr()->value().length();
-	if ( len == 4 )
-		return zeek::make_intrusive<zeek::AddrVal>(zeek::IPAddr(IPv4, (const uint32*) d, zeek::IPAddr::Network));
-	else if ( len == 16 )
-		return zeek::make_intrusive<zeek::AddrVal>(zeek::IPAddr(IPv6, (const uint32*) d, zeek::IPAddr::Network));
-	else
-		return nullptr;
-	}
-
-static zeek::ValPtr BuildTeardownInd(const InformationElement* ie)
-	{
-	return zeek::val_mgr->Bool(ie->teardown_ind()->ind());
-	}
-
-void CreatePDP_Request(const ZeekAnalyzer& a, const GTPv1_Header* pdu)
-	{
-	if ( ! ::gtpv1_create_pdp_ctx_request ) return;
-
-	auto rv = zeek::make_intrusive<zeek::RecordVal>(
-	  zeek::BifType::Record::gtp_create_pdp_ctx_request_elements);
-
-	const vector<InformationElement *> * v = pdu->create_pdp_ctx_request();
-
-	bool second_nsapi = false;
-	bool second_gsn_addr = false;
-
-	for ( size_t i = 0; i < v->size(); ++i )
-		{
-		const InformationElement* ie = (*v)[i];
-
-		switch ( ie->type() ) {
-		case GTPv1::TYPE_IMSI:
-			rv->Assign(0, BuildIMSI(ie));
-			break;
-		case GTPv1::TYPE_RAI:
-			rv->Assign(1, BuildRAI(ie));
-			break;
-		case GTPv1::TYPE_RECOVERY:
-			rv->Assign(2, BuildRecovery(ie));
-			break;
-		case GTPv1::TYPE_SELECTION_MODE:
-			rv->Assign(3, BuildSelectionMode(ie));
-			break;
-		case GTPv1::TYPE_TEID1:
-			rv->Assign(4, BuildTEID1(ie));
-			break;
-		case GTPv1::TYPE_TEID_CONTROL_PLANE:
-			rv->Assign(5, BuildTEID_ControlPlane(ie));
-			break;
-		case GTPv1::TYPE_NSAPI:
-			if ( second_nsapi )
-				rv->Assign(7, BuildNSAPI(ie));
-			else
-				{
-				second_nsapi = true;
-				rv->Assign(6, BuildNSAPI(ie));
-				}
-			break;
-		case GTPv1::TYPE_CHARGING_CHARACTERISTICS:
-			rv->Assign(8, BuildChargingCharacteristics(ie));
-			break;
-		case GTPv1::TYPE_TRACE_REFERENCE:
-			rv->Assign(9, BuildTraceReference(ie));
-			break;
-		case GTPv1::TYPE_TRACE_TYPE:
-			rv->Assign(10, BuildTraceType(ie));
-			break;
-		case GTPv1::TYPE_END_USER_ADDR:
-			rv->Assign(11, BuildEndUserAddr(ie));
-			break;
-		case GTPv1::TYPE_ACCESS_POINT_NAME:
-			rv->Assign(12, BuildAccessPointName(ie));
-			break;
-		case GTPv1::TYPE_PROTO_CONFIG_OPTIONS:
-			rv->Assign(13, BuildProtoConfigOptions(ie));
-			break;
-		case GTPv1::TYPE_GSN_ADDR:
-			if ( second_gsn_addr )
-				rv->Assign(15, BuildGSN_Addr(ie));
-			else
-				{
-				second_gsn_addr = true;
-				rv->Assign(14, BuildGSN_Addr(ie));
-				}
-			break;
-		case GTPv1::TYPE_MSISDN:
-			rv->Assign(16, BuildMSISDN(ie));
-			break;
-		case GTPv1::TYPE_QOS_PROFILE:
-			rv->Assign(17, BuildQoS_Profile(ie));
-			break;
-		case GTPv1::TYPE_TRAFFIC_FLOW_TEMPLATE:
-			rv->Assign(18, BuildTrafficFlowTemplate(ie));
-			break;
-		case GTPv1::TYPE_TRIGGER_ID:
-			rv->Assign(19, BuildTriggerID(ie));
-			break;
-		case GTPv1::TYPE_OMC_ID:
-			rv->Assign(20, BuildOMC_ID(ie));
-			break;
-		case GTPv1::TYPE_PRIVATE_EXT:
-			rv->Assign(21, BuildPrivateExt(ie));
-			break;
-		default:
-			a->Weird("gtp_invalid_info_element", zeek::util::fmt("%d", (*v)[i]->type()));
-			break;
-		}
-		}
-
-	zeek::BifEvent::enqueue_gtpv1_create_pdp_ctx_request(a, a->Conn(),
-	                                               BuildGTPv1Hdr(pdu), std::move(rv));
-	}
-
-void CreatePDP_Response(const ZeekAnalyzer& a, const GTPv1_Header* pdu)
-	{
-	if ( ! ::gtpv1_create_pdp_ctx_response )
-	    return;
-
-	auto rv = zeek::make_intrusive<zeek::RecordVal>(
-	  zeek::BifType::Record::gtp_create_pdp_ctx_response_elements);
-
-	const vector<InformationElement *> * v = pdu->create_pdp_ctx_response();
-
-	bool second_gsn_addr = false;
-
-	for ( size_t i = 0; i < v->size(); ++i )
-		{
-		const InformationElement* ie = (*v)[i];
-
-		switch ( ie->type() ) {
-		case GTPv1::TYPE_CAUSE:
-			rv->Assign(0, BuildCause(ie));
-			break;
-		case GTPv1::TYPE_REORDER_REQ:
-			rv->Assign(1, BuildReorderReq(ie));
-			break;
-		case GTPv1::TYPE_RECOVERY:
-			rv->Assign(2, BuildRecovery(ie));
-			break;
-		case GTPv1::TYPE_TEID1:
-			rv->Assign(3, BuildTEID1(ie));
-			break;
-		case GTPv1::TYPE_TEID_CONTROL_PLANE:
-			rv->Assign(4, BuildTEID_ControlPlane(ie));
-			break;
-		case GTPv1::TYPE_CHARGING_ID:
-			rv->Assign(5, BuildChargingID(ie));
-			break;
-		case GTPv1::TYPE_END_USER_ADDR:
-			rv->Assign(6, BuildEndUserAddr(ie));
-			break;
-		case GTPv1::TYPE_PROTO_CONFIG_OPTIONS:
-			rv->Assign(7, BuildProtoConfigOptions(ie));
-			break;
-		case GTPv1::TYPE_GSN_ADDR:
-			if ( second_gsn_addr )
-				rv->Assign(9, BuildGSN_Addr(ie));
-			else
-				{
-				second_gsn_addr = true;
-				rv->Assign(8, BuildGSN_Addr(ie));
-				}
-			break;
-		case GTPv1::TYPE_QOS_PROFILE:
-			rv->Assign(10, BuildQoS_Profile(ie));
-			break;
-		case GTPv1::TYPE_CHARGING_GATEWAY_ADDR:
-			rv->Assign(11, BuildChargingGatewayAddr(ie));
-			break;
-		case GTPv1::TYPE_PRIVATE_EXT:
-			rv->Assign(12, BuildPrivateExt(ie));
-			break;
-		default:
-			a->Weird("gtp_invalid_info_element", zeek::util::fmt("%d", (*v)[i]->type()));
-			break;
-		}
-		}
-
-	zeek::BifEvent::enqueue_gtpv1_create_pdp_ctx_response(a, a->Conn(),
-	                                                BuildGTPv1Hdr(pdu), std::move(rv));
-	}
-
-void UpdatePDP_Request(const ZeekAnalyzer& a, const GTPv1_Header* pdu)
-	{
-	if ( ! ::gtpv1_update_pdp_ctx_request )
-	    return;
-
-	auto rv = zeek::make_intrusive<zeek::RecordVal>(
-	  zeek::BifType::Record::gtp_update_pdp_ctx_request_elements);
-
-	const vector<InformationElement *> * v = pdu->update_pdp_ctx_request();
-
-	bool second_gsn_addr = false;
-
-	for ( size_t i = 0; i < v->size(); ++i )
-		{
-		const InformationElement* ie = (*v)[i];
-
-		switch ( ie->type() ) {
-		case GTPv1::TYPE_IMSI:
-			rv->Assign(0, BuildIMSI(ie));
-			break;
-		case GTPv1::TYPE_RAI:
-			rv->Assign(1, BuildRAI(ie));
-			break;
-		case GTPv1::TYPE_RECOVERY:
-			rv->Assign(2, BuildRecovery(ie));
-			break;
-		case GTPv1::TYPE_TEID1:
-			rv->Assign(3, BuildTEID1(ie));
-			break;
-		case GTPv1::TYPE_TEID_CONTROL_PLANE:
-			rv->Assign(4, BuildTEID_ControlPlane(ie));
-			break;
-		case GTPv1::TYPE_NSAPI:
-			rv->Assign(5, BuildNSAPI(ie));
-			break;
-		case GTPv1::TYPE_TRACE_REFERENCE:
-			rv->Assign(6, BuildTraceReference(ie));
-			break;
-		case GTPv1::TYPE_TRACE_TYPE:
-			rv->Assign(7, BuildTraceType(ie));
-			break;
-		case GTPv1::TYPE_GSN_ADDR:
-			if ( second_gsn_addr )
-				rv->Assign(9, BuildGSN_Addr(ie));
-			else
-				{
-				second_gsn_addr = true;
-				rv->Assign(8, BuildGSN_Addr(ie));
-				}
-			break;
-		case GTPv1::TYPE_QOS_PROFILE:
-			rv->Assign(10, BuildQoS_Profile(ie));
-			break;
-		case GTPv1::TYPE_TRAFFIC_FLOW_TEMPLATE:
-			rv->Assign(11, BuildTrafficFlowTemplate(ie));
-			break;
-		case GTPv1::TYPE_TRIGGER_ID:
-			rv->Assign(12, BuildTriggerID(ie));
-			break;
-		case GTPv1::TYPE_OMC_ID:
-			rv->Assign(13, BuildOMC_ID(ie));
-			break;
-		case GTPv1::TYPE_PRIVATE_EXT:
-			rv->Assign(14, BuildPrivateExt(ie));
-			break;
-		case GTPv1::TYPE_END_USER_ADDR:
-			rv->Assign(15, BuildEndUserAddr(ie));
-			break;
-		default:
-			a->Weird("gtp_invalid_info_element", zeek::util::fmt("%d", (*v)[i]->type()));
-			break;
-		}
-		}
-
-	zeek::BifEvent::enqueue_gtpv1_update_pdp_ctx_request(a, a->Conn(),
-	                                               BuildGTPv1Hdr(pdu), std::move(rv));
-	}
-
-void UpdatePDP_Response(const ZeekAnalyzer& a, const GTPv1_Header* pdu)
-	{
-	if ( ! ::gtpv1_update_pdp_ctx_response )
-	    return;
-
-	auto rv = zeek::make_intrusive<zeek::RecordVal>(
-	  zeek::BifType::Record::gtp_update_pdp_ctx_response_elements);
-
-	const vector<InformationElement *> * v = pdu->update_pdp_ctx_response();
-
-	bool second_gsn_addr = false;
-
-	for ( size_t i = 0; i < v->size(); ++i )
-		{
-		const InformationElement* ie = (*v)[i];
-
-		switch ( ie->type() ) {
-		case GTPv1::TYPE_CAUSE:
-			rv->Assign(0, BuildCause(ie));
-			break;
-		case GTPv1::TYPE_RECOVERY:
-			rv->Assign(1, BuildRecovery(ie));
-			break;
-		case GTPv1::TYPE_TEID1:
-			rv->Assign(2, BuildTEID1(ie));
-			break;
-		case GTPv1::TYPE_TEID_CONTROL_PLANE:
-			rv->Assign(3, BuildTEID_ControlPlane(ie));
-			break;
-		case GTPv1::TYPE_CHARGING_ID:
-			rv->Assign(4, BuildChargingID(ie));
-			break;
-		case GTPv1::TYPE_GSN_ADDR:
-			if ( second_gsn_addr )
-				rv->Assign(6, BuildGSN_Addr(ie));
-			else
-				{
-				second_gsn_addr = true;
-				rv->Assign(5, BuildGSN_Addr(ie));
-				}
-			break;
-		case GTPv1::TYPE_QOS_PROFILE:
-			rv->Assign(7, BuildQoS_Profile(ie));
-			break;
-		case GTPv1::TYPE_CHARGING_GATEWAY_ADDR:
-			rv->Assign(8, BuildChargingGatewayAddr(ie));
-			break;
-		case GTPv1::TYPE_PRIVATE_EXT:
-			rv->Assign(9, BuildPrivateExt(ie));
-			break;
-		default:
-			a->Weird("gtp_invalid_info_element", zeek::util::fmt("%d", (*v)[i]->type()));
-			break;
-		}
-		}
-
-	zeek::BifEvent::enqueue_gtpv1_update_pdp_ctx_response(a, a->Conn(),
-	                                                BuildGTPv1Hdr(pdu), std::move(rv));
-	}
-
-void DeletePDP_Request(const ZeekAnalyzer& a, const GTPv1_Header* pdu)
-	{
-	if ( ! ::gtpv1_delete_pdp_ctx_request )
-	    return;
-
-	auto rv = zeek::make_intrusive<zeek::RecordVal>(
-	  zeek::BifType::Record::gtp_delete_pdp_ctx_request_elements);
-
-	const vector<InformationElement *> * v = pdu->delete_pdp_ctx_request();
-
-	for ( size_t i = 0; i < v->size(); ++i )
-		{
-		const InformationElement* ie = (*v)[i];
-
-		switch ( ie->type() ) {
-		case GTPv1::TYPE_TEARDOWN_IND:
-			rv->Assign(0, BuildTeardownInd(ie));
-			break;
-		case GTPv1::TYPE_NSAPI:
-			rv->Assign(1, BuildNSAPI(ie));
-			break;
-		case GTPv1::TYPE_PRIVATE_EXT:
-			rv->Assign(2, BuildPrivateExt(ie));
-			break;
-		default:
-			a->Weird("gtp_invalid_info_element", zeek::util::fmt("%d", (*v)[i]->type()));
-			break;
-		}
-		}
-
-	zeek::BifEvent::enqueue_gtpv1_delete_pdp_ctx_request(a, a->Conn(),
-	                                               BuildGTPv1Hdr(pdu), std::move(rv));
-	}
-
-void DeletePDP_Response(const ZeekAnalyzer& a, const GTPv1_Header* pdu)
-	{
-	if ( ! ::gtpv1_delete_pdp_ctx_response )
-	    return;
-
-	auto rv = zeek::make_intrusive<zeek::RecordVal>(
-	  zeek::BifType::Record::gtp_delete_pdp_ctx_response_elements);
-
-	const vector<InformationElement *> * v = pdu->delete_pdp_ctx_response();
-
-	for ( size_t i = 0; i < v->size(); ++i )
-		{
-		const InformationElement* ie = (*v)[i];
-
-		switch ( ie->type() ) {
-		case GTPv1::TYPE_CAUSE:
-			rv->Assign(0, BuildCause(ie));
-			break;
-		case GTPv1::TYPE_PRIVATE_EXT:
-			rv->Assign(1, BuildPrivateExt(ie));
-			break;
-		default:
-			a->Weird("gtp_invalid_info_element", zeek::util::fmt("%d", (*v)[i]->type()));
-			break;
-		}
-		}
-
-	zeek::BifEvent::enqueue_gtpv1_delete_pdp_ctx_response(a, a->Conn(),
-	                                                BuildGTPv1Hdr(pdu), std::move(rv));
-	}
-%}
-
-connection GTPv1_Conn(zeek_analyzer: ZeekAnalyzer)
-	{
-	upflow = GTPv1_Flow(true);
-	downflow = GTPv1_Flow(false);
-
-	%member{
-		bool valid_orig;
-		bool valid_resp;
-	%}
-
-	%init{
-		valid_orig = valid_resp = false;
-	%}
-
-	function valid(orig: bool): bool
-		%{
-		return orig ? valid_orig : valid_resp;
-		%}
-
-	function set_valid(orig: bool, val: bool): void
-		%{
-		if ( orig )
-			valid_orig = val;
-		else
-			valid_resp = val;
-		%}
-	}
-
-flow GTPv1_Flow(is_orig: bool)
-	{
-	datagram = GTPv1_Header withcontext(connection, this);
-
-	function violate(r: string, pdu: GTPv1_Header): void
-		%{
-		ZeekAnalyzer a = connection()->zeek_analyzer();
-		const_bytestring b = ${pdu.sourcedata};
-		a->AnalyzerViolation(r.c_str(), (const char*) b.begin(), b.length());
-		%}
-
-	function process_gtpv1(pdu: GTPv1_Header): bool
-		%{
-		ZeekAnalyzer a = connection()->zeek_analyzer();
-		zeek::Connection* c = a->Conn();
-		const std::shared_ptr<zeek::EncapsulationStack> e = c->GetEncapsulation();
-
-		connection()->set_valid(is_orig(), false);
-
-		if ( e && e->Depth() >= zeek::BifConst::Tunnel::max_depth )
-			{
-			a->Weird("tunnel_depth");
-			return false;
-			}
-
-		if ( e && e->LastType() == BifEnum::Tunnel::GTPv1 )
-			{
-			// GTP is never tunneled in GTP so, this must be a regular packet
-			violate("GTP-in-GTP", pdu);
-			return false;
-			}
-
-		if ( ${pdu.version} != 1 )
-			{
-			// Only know of GTPv1 with Version == 1
-			violate("GTPv1 bad Version", pdu);
-			return false;
-			}
-
-		if ( ! ${pdu.pt_flag} )
-			{
-			// Not interested in GTP'
-			return false;
-			}
-
-		if ( ::gtpv1_message )
-			zeek::BifEvent::enqueue_gtpv1_message(a, c, BuildGTPv1Hdr(pdu));
-
-		switch ( ${pdu.msg_type} ) {
-		case 16:
-			CreatePDP_Request(a, pdu);
-			return true;
-		case 17:
-			CreatePDP_Response(a, pdu);
-			return true;
-		case 18:
-			UpdatePDP_Request(a, pdu);
-			return true;
-		case 19:
-			UpdatePDP_Response(a, pdu);
-			return true;
-		case 20:
-			DeletePDP_Request(a, pdu);
-			return true;
-		case 21:
-			DeletePDP_Response(a, pdu);
-			return true;
-		case 255:
-			return process_g_pdu(pdu);
-		default:
-			return false;
-		}
-
-		return false;
-		%}
-
-	function process_g_pdu(pdu: GTPv1_Header): bool
-		%{
-		ZeekAnalyzer a = connection()->zeek_analyzer();
-		zeek::Connection* c = a->Conn();
-
-		if ( ${pdu.packet}.length() < (int)sizeof(struct ip) )
-			{
-			violate("Truncated GTPv1", pdu);
-			return false;
-			}
-
-		const struct ip* ip = (const struct ip*) ${pdu.packet}.data();
-
-		if ( ip->ip_v != 4 && ip->ip_v != 6 )
-			{
-			violate("non-IP packet in GTPv1", pdu);
-			return false;
-			}
-
-		int hdr_len = 8;
-
-		if ( pdu->has_opt() )
-			hdr_len += 4;
-
-		if ( pdu->e_flag() && pdu->ext_hdrs() )
-			for ( const auto& eh : *pdu->ext_hdrs() )
-				hdr_len += 2 + eh->contents().length();
-
-		auto next_hdr = ip->ip_v == 6 ? IPPROTO_IPV6 : IPPROTO_IPV4;
-		zeek::RecordValPtr hdr_val;
-
-		if ( ::gtpv1_g_pdu_packet )
-			hdr_val = BuildGTPv1Hdr(pdu);
-
-		static_cast<zeek::analyzer::gtpv1::GTPv1_Analyzer*>(
-			connection()->zeek_analyzer())->SetInnerInfo(
-				hdr_len, next_hdr, std::move(hdr_val));
-
-		return true;
-		%}
-	};
-
-refine typeattr GTPv1_Header += &let { proc_gtpv1 = $context.flow.process_gtpv1(this); };
diff --git a/src/analyzer/protocol/gtpv1/gtpv1-protocol.pac b/src/analyzer/protocol/gtpv1/gtpv1-protocol.pac
deleted file mode 100644
index 0a87665fd2..0000000000
--- a/src/analyzer/protocol/gtpv1/gtpv1-protocol.pac
+++ /dev/null
@@ -1,496 +0,0 @@
-
-type GTPv1_Header = record {
-	flags:     uint8;
-	msg_type:  uint8;
-	length:    uint16;
-	teid:      uint32;
-
-	opt:       case has_opt of {
-		true  -> opt_hdr: GTPv1_Opt_Header;
-		false -> no_opt:  empty;
-	};
-
-	ext:       case e_flag of {
-		true  -> ext_hdrs: GTPv1_Ext_Header[] &until($element.next_type == 0);
-		false -> no_ext:   empty;
-	};
-
-	msg:       case msg_type of {
-		16      -> create_pdp_ctx_request:  InformationElement[];
-		17      -> create_pdp_ctx_response: InformationElement[];
-		18      -> update_pdp_ctx_request:  InformationElement[];
-		19      -> update_pdp_ctx_response: InformationElement[];
-		20      -> delete_pdp_ctx_request:  InformationElement[];
-		21      -> delete_pdp_ctx_response: InformationElement[];
-		255     -> packet:  bytestring &restofdata;
-		default -> unknown: bytestring &restofdata;
-	};
-
-} &let {
-	version:  uint8 = (flags & 0xE0) >> 5;
-	pt_flag:  bool  = flags & 0x10;
-	rsv:      bool  = flags & 0x08;
-	e_flag:   bool  = flags & 0x04;
-	s_flag:   bool  = flags & 0x02;
-	pn_flag:  bool  = flags & 0x01;
-	has_opt:  bool  = flags & 0x07;
-} &byteorder = bigendian, &exportsourcedata;
-
-type GTPv1_Opt_Header = record {
-	seq:       uint16;
-	n_pdu:     uint8;
-	next_type: uint8;
-};
-
-type GTPv1_Ext_Header = record {
-	length:    uint8;
-	contents:  bytestring &length=(length * 4 - 2);
-	next_type: uint8;
-};
-
-enum InfoElementType {
-	TYPE_CAUSE                       = 1,
-	TYPE_IMSI                        = 2,
-	TYPE_RAI                         = 3,
-	TYPE_TLLI                        = 4,
-	TYPE_P_TMSI                      = 5,
-	TYPE_REORDER_REQ                 = 8,
-	TYPE_AUTHN_TRIPLET               = 9,
-	TYPE_MAP_CAUSE                   = 11,
-	TYPE_P_TMSI_SIG                  = 12,
-	TYPE_MS_VALID                    = 13,
-	TYPE_RECOVERY                    = 14,
-	TYPE_SELECTION_MODE              = 15,
-	TYPE_TEID1                       = 16,
-	TYPE_TEID_CONTROL_PLANE          = 17,
-	TYPE_TEID2                       = 18,
-	TYPE_TEARDOWN_IND                = 19,
-	TYPE_NSAPI                       = 20,
-	TYPE_RANAP_CAUSE                 = 21,
-	TYPE_RAB_CTX                     = 22,
-	TYPE_RADIO_PRIORITY_SMS          = 23,
-	TYPE_RADIO_PRIORITY              = 24,
-	TYPE_PACKET_FLOW_ID              = 25,
-	TYPE_CHARGING_CHARACTERISTICS    = 26,
-	TYPE_TRACE_REFERENCE             = 27,
-	TYPE_TRACE_TYPE                  = 28,
-	TYPE_MS_NOT_REACHABLE_REASON     = 29,
-	TYPE_CHARGING_ID                 = 127,
-	TYPE_END_USER_ADDR               = 128,
-	TYPE_MM_CTX                      = 129,
-	TYPE_PDP_CTX                     = 130,
-	TYPE_ACCESS_POINT_NAME           = 131,
-	TYPE_PROTO_CONFIG_OPTIONS        = 132,
-	TYPE_GSN_ADDR                    = 133,
-	TYPE_MSISDN                      = 134,
-	TYPE_QOS_PROFILE                 = 135,
-	TYPE_AUTHN_QUINTUPLET            = 136,
-	TYPE_TRAFFIC_FLOW_TEMPLATE       = 137,
-	TYPE_TARGET_ID                   = 138,
-	TYPE_UTRAN_TRANSPARENT_CONTAINER = 139,
-	TYPE_RAB_SETUP_INFO              = 140,
-	TYPE_EXT_HEADER_TYPE_LIST        = 141,
-	TYPE_TRIGGER_ID                  = 142,
-	TYPE_OMC_ID                      = 143,
-	TYPE_CHARGING_GATEWAY_ADDR       = 251,
-	TYPE_PRIVATE_EXT                 = 255,
-};
-
-type InformationElement = record {
-	type: uint8;
-
-	len: case is_tlv of {
-		true  -> tlv_len: uint16;
-		false -> no_len:  empty;
-	};
-
-	value: case type of {
-		TYPE_CAUSE -> cause: Cause;
-		TYPE_IMSI -> imsi: IMSI;
-		TYPE_RAI -> rai: RAI;
-		TYPE_TLLI -> tlli: TLLI;
-		TYPE_P_TMSI -> p_tmsi: P_TMSI;
-		TYPE_REORDER_REQ -> reorder_req: ReorderReq;
-		TYPE_AUTHN_TRIPLET -> authn_triplet: AuthN_Triplet;
-		TYPE_MAP_CAUSE -> map_cause: MAP_Cause;
-		TYPE_P_TMSI_SIG -> p_tmsi_sig: P_TMSI_Sig;
-		TYPE_MS_VALID -> ms_valid: MS_Valid;
-		TYPE_RECOVERY -> recovery: Recovery;
-		TYPE_SELECTION_MODE -> selection_mode: SelectionMode;
-		TYPE_TEID1 -> teid1: TEID1;
-		TYPE_TEID_CONTROL_PLANE -> teidcp: TEID_ControlPlane;
-		TYPE_TEID2 -> teid2: TEID2;
-		TYPE_TEARDOWN_IND -> teardown_ind: TeardownInd;
-		TYPE_NSAPI -> nsapi: NSAPI;
-		TYPE_RANAP_CAUSE -> ranap_cause: RANAP_Cause;
-		TYPE_RAB_CTX -> rab_ctx: RAB_Ctx;
-		TYPE_RADIO_PRIORITY_SMS -> radio_priority_sms: RadioPrioritySMS;
-		TYPE_RADIO_PRIORITY -> radio_priority: RadioPriority;
-		TYPE_PACKET_FLOW_ID -> packet_flow_id: PacketFlowID;
-		TYPE_CHARGING_CHARACTERISTICS -> charging_characteristics: ChargingCharacteristics;
-		TYPE_TRACE_REFERENCE -> trace_reference: TraceReference;
-		TYPE_TRACE_TYPE -> trace_type: TraceType;
-		TYPE_MS_NOT_REACHABLE_REASON -> ms_not_reachable_reason: MS_Not_Reachable_Reason;
-		TYPE_CHARGING_ID -> charging_id: ChargingID;
-		TYPE_END_USER_ADDR -> end_user_addr: EndUserAddr(length);
-		TYPE_MM_CTX -> mm_ctx: MM_Ctx(length);
-		TYPE_PDP_CTX -> pdp_ctx: PDP_Ctx(length);
-		TYPE_ACCESS_POINT_NAME -> ap_name: AP_Name(length);
-		TYPE_PROTO_CONFIG_OPTIONS -> proto_config_opts: ProtoConfigOpts(length);
-		TYPE_GSN_ADDR -> gsn_addr: GSN_Addr(length);
-		TYPE_MSISDN -> msisdn: MSISDN(length);
-		TYPE_QOS_PROFILE -> qos_profile: QoS_Profile(length);
-		TYPE_AUTHN_QUINTUPLET -> authn_quintuplet: AuthN_Quintuplet(length);
-		TYPE_TRAFFIC_FLOW_TEMPLATE -> traffic_flow_template: TrafficFlowTemplate(length);
-		TYPE_TARGET_ID -> target_id: TargetID(length);
-		TYPE_UTRAN_TRANSPARENT_CONTAINER -> utran_transparent_container: UTRAN_TransparentContainer(length);
-		TYPE_RAB_SETUP_INFO -> rab_setup_info: RAB_SetupInfo(length);
-		TYPE_EXT_HEADER_TYPE_LIST -> ext_hdr_type_list: ExtHdrTypeList(length);
-		TYPE_TRIGGER_ID -> trigger_id: TriggerID(length);
-		TYPE_OMC_ID -> omc_id: OMC_ID(length);
-		TYPE_CHARGING_GATEWAY_ADDR -> charging_gateway_addr: ChargingGatewayAddr(length);
-		TYPE_PRIVATE_EXT -> private_ext: PrivateExt(length);
-		default -> unknown: bytestring &length=length;
-	} &requires(length);
-
-} &let {
-	is_tlv: bool = (type & 0x80);
-	length: uint16 = is_tlv ? tlv_len : Get_IE_Len(type);
-};
-
-type Cause = record {
-	value: uint8;
-};
-
-function decode_imsi(v: uint8[8]): uint64
-	%{
-	uint64 rval = 0;
-	uint8 digits[16];
-	for ( size_t i = 0; i < v->size(); ++i )
-		{
-		digits[2 * i + 1] = ((*v)[i] & 0xf0) >> 4;
-		digits[2 * i] = (*v)[i] & 0x0f;
-		}
-	int power = 0;
-	for ( int i = 15; i >= 0; --i )
-		{
-		if ( digits[i] == 0x0f ) continue;
-		rval += digits[i] * pow(10, power);
-		++power;
-		}
-	return rval;
-	%}
-
-type IMSI = record {
-	tbcd_encoded_value: uint8[8];
-} &let {
-	value: uint64 = decode_imsi(tbcd_encoded_value);
-};
-
-type RAI = record {
-	mcc2_mcc1: uint8;
-	mnc3_mcc3: uint8;
-	mnc2_mnc1: uint8;
-	lac: uint16;
-	rac: uint8;
-} &let {
-	mcc1: uint8 = (mcc2_mcc1 & 0x0f);
-	mcc2: uint8 = ((mcc2_mcc1 & 0xf0)>>4);
-	mcc3: uint8 = (mnc3_mcc3 & 0x0f);
-	mcc: uint16 = mcc1 * 100 + mcc2 * 10 + mcc3;
-	mnc1: uint8 = (mnc2_mnc1 & 0x0f);
-	mnc2: uint8 = ((mnc2_mnc1 & 0xf0)>>4);
-	mnc3: uint8 = (mnc3_mcc3 & 0xf0)>>4;
-	mnc: uint16 = (mnc3 & 0x0f) ? mnc1 * 10 + mnc2 : mnc1 * 100 + mnc2 * 10 + mnc3;
-};
-
-type TLLI = record {
-	value: uint32;
-};
-
-type P_TMSI = record {
-	value: uint32;
-};
-
-type ReorderReq = record {
-	value: uint8;
-} &let {
-	req: bool = value & 0x01;
-};
-
-type AuthN_Triplet = record {
-	rand: bytestring &length=16;
-	sres: uint32;
-	kc: uint64;
-};
-
-type MAP_Cause = record {
-	value: uint8;
-};
-
-type P_TMSI_Sig = record {
-	value: bytestring &length=3;
-};
-
-type MS_Valid = record {
-	value: uint8;
-};
-
-type Recovery = record {
-	restart_counter: uint8;
-};
-
-type SelectionMode = record {
-	value: uint8;
-} &let {
-	mode: uint8 = value & 0x01;
-};
-
-type TEID1 = record {
-	value: uint32;
-};
-
-type TEID_ControlPlane = record {
-	value: uint32;
-};
-
-type TEID2 = record {
-	spare_nsapi: uint8;
-	teid2: uint32;
-};
-
-type TeardownInd = record {
-	value: uint8;
-} &let {
-	ind: bool = value & 0x01;
-};
-
-type NSAPI = record {
-	xxxx_nsapi: uint8;
-} &let {
-	nsapi: uint8 = xxxx_nsapi & 0x0f;
-};
-
-type RANAP_Cause = record {
-	value: uint8;
-};
-
-type RAB_Ctx = record {
-	spare_nsapi: uint8;
-	dl_gtpu_seq_num: uint16;
-	ul_gtpu_seq_num: uint16;
-	dl_pdcp_seq_num: uint16;
-	ul_pdcp_seq_num: uint16;
-};
-
-type RadioPrioritySMS = record {
-	value: uint8;
-};
-
-type RadioPriority = record {
-	nsapi_radio_priority: uint8;
-};
-
-type PacketFlowID = record {
-	rsv_nsapi: uint8;
-	packet_flow_id: uint8;
-};
-
-type ChargingCharacteristics = record {
-	value: uint16;
-};
-
-type TraceReference = record {
-	value: uint16;
-};
-
-type TraceType = record {
-	value: uint16;
-};
-
-type MS_Not_Reachable_Reason = record {
-	value: uint8;
-};
-
-type ChargingID = record {
-	value: uint32;
-};
-
-type EndUserAddr(n: uint16) = record {
-	spare_pdp_type_org: uint8;
-	pdp_type_num: uint8;
-	pdp_addr: bytestring &length=(n-2);
-} &let {
-	pdp_type_org: uint8 = spare_pdp_type_org & 0x0f;
-};
-
-type MM_Ctx(n: uint16) = record {
-	spare_cksn_ksi: uint8;
-	security_params: uint8;
-
-	keys: case gsm_keys of {
-		true  -> kc: uint64;
-		false -> ck_ik: bytestring &length=32;
-	};
-
-	vector_len: case have_triplets of {
-		true  -> no_quint_len: empty;
-		false -> quint_len: uint16;
-	};
-
-	vectors: case have_triplets of {
-		true  -> triplets: AuthN_Triplet[num_vectors];
-		false -> quintuplets: AuthN_Quintuplet(quint_len)[num_vectors];
-	} &requires(num_vectors);
-
-	drx_param: uint16;
-	ms_net_capability_len: uint8;
-	ms_net_capability: bytestring &length=ms_net_capability_len;
-	container_len: uint16;
-	container: bytestring &length=container_len;
-
-} &let {
-	security_mode: uint8 = security_params >> 6;
-	gsm_keys: bool = security_mode & 0x01;
-	have_triplets: bool = (security_mode == 1);
-	num_vectors: uint8 = (security_params & 0x38) >> 3;
-};
-
-type PDP_Ctx(n: uint16) = record {
-	rsv_nsapi:	uint8;
-	xxxx_sapi: uint8;
-	qos_sub_len: uint8;
-	qos_sub: QoS_Profile(qos_sub_len);
-	qos_req_len: uint8;
-	qos_req: QoS_Profile(qos_req_len);
-	qos_neg_len: uint8;
-	qos_neg: QoS_Profile(qos_neg_len);
-	snd: uint16;
-	snu: uint16;
-	send_npdu_num: uint8;
-	recv_npdu_num: uint8;
-	ul_teid_cp: TEID_ControlPlane;
-	ul_teid_data1: TEID1;
-	pdp_ctx_id: uint8;
-	spare_pdp_type_org: uint8;
-	pdp_type_num: uint8;
-	pdp_addr_len: uint8;
-	pdp_addr: bytestring &length=pdp_addr_len;
-	ggsn_addr_control_plane_len: uint8;
-	ggsn_addr_control_plane: bytestring &length=ggsn_addr_control_plane_len;
-	ggsn_addr_user_traffic_len: uint8;
-	ggsn_addr_user_traffic: bytestring &length=ggsn_addr_user_traffic_len;
-	apn_len: uint8;
-	apn: AP_Name(apn_len);
-	spare_transaction_id: uint8;
-	transaction_id: uint8;
-};
-
-type AP_Name(n: uint16) = record {
-	value: bytestring &length=n;
-};
-
-type ProtoConfigOpts(n: uint16) = record {
-	value: bytestring &length=n;
-};
-
-type GSN_Addr(n: uint16) = record {
-	value: bytestring &length=n;
-};
-
-type MSISDN(n: uint16) = record {
-	value: bytestring &length=n;
-};
-
-type QoS_Profile(n: uint16) = record {
-	alloc_retention_priority: uint8;
-	data: bytestring &length=n-1;
-};
-
-type AuthN_Quintuplet(n: uint16) = record {
-	rand: bytestring &length=16;
-	xres_len: uint8;
-	xres: bytestring &length=xres_len;
-	ck: bytestring &length=16;
-	ik: bytestring &length=16;
-	autn_len: uint8;
-	autn: bytestring &length=autn_len;
-};
-
-type TrafficFlowTemplate(n: uint16) = record {
-	value: bytestring &length=n;
-};
-
-type TargetID(n: uint16) = record {
-	value: bytestring &length=n;
-};
-
-type UTRAN_TransparentContainer(n: uint16) = record {
-	value: bytestring &length=n;
-};
-
-type RAB_SetupInfo(n: uint16) = record {
-	xxxx_nsapi: uint8;
-
-	have_teid: case n of {
-		1 -> no_teid: empty;
-		default -> teid: TEID1;
-	};
-
-	have_addr: case n of {
-		1 -> no_addr: empty;
-		default -> rnc_addr: bytestring &length=n-5;
-	};
-};
-
-type ExtHdrTypeList(n: uint16) = record {
-	value: uint8[n];
-};
-
-type TriggerID(n: uint16) = record {
-	value: bytestring &length=n;
-};
-
-type OMC_ID(n: uint16) = record {
-	value: bytestring &length=n;
-};
-
-type ChargingGatewayAddr(n: uint16) = record {
-	value: bytestring &length=n;
-};
-
-type PrivateExt(n: uint16) = record {
-	id: uint16;
-	value: bytestring &length=n-2;
-};
-
-function Get_IE_Len(t: uint8): uint16 =
-	case t of {
-	TYPE_CAUSE -> 1;
-	TYPE_IMSI -> 8;
-	TYPE_RAI -> 6;
-	TYPE_TLLI -> 4;
-	TYPE_P_TMSI -> 4;
-	TYPE_REORDER_REQ -> 1;
-	TYPE_AUTHN_TRIPLET -> 28;
-	TYPE_MAP_CAUSE -> 1;
-	TYPE_P_TMSI_SIG -> 3;
-	TYPE_MS_VALID -> 1;
-	TYPE_RECOVERY -> 1;
-	TYPE_SELECTION_MODE -> 1;
-	TYPE_TEID1 -> 4;
-	TYPE_TEID_CONTROL_PLANE -> 4;
-	TYPE_TEID2 -> 5;
-	TYPE_TEARDOWN_IND -> 1;
-	TYPE_NSAPI -> 1;
-	TYPE_RANAP_CAUSE -> 1;
-	TYPE_RAB_CTX -> 9;
-	TYPE_RADIO_PRIORITY_SMS -> 1;
-	TYPE_RADIO_PRIORITY -> 1;
-	TYPE_PACKET_FLOW_ID -> 2;
-	TYPE_CHARGING_CHARACTERISTICS -> 2;
-	TYPE_TRACE_REFERENCE -> 2;
-	TYPE_TRACE_TYPE -> 2;
-	TYPE_MS_NOT_REACHABLE_REASON -> 1;
-	TYPE_CHARGING_ID -> 4;
-	};
diff --git a/src/analyzer/protocol/gtpv1/gtpv1.pac b/src/analyzer/protocol/gtpv1/gtpv1.pac
deleted file mode 100644
index a98d4e046f..0000000000
--- a/src/analyzer/protocol/gtpv1/gtpv1.pac
+++ /dev/null
@@ -1,18 +0,0 @@
-%include binpac.pac
-%include zeek.pac
-
-%extern{
-#include "zeek/IP.h"
-#include "zeek/TunnelEncapsulation.h"
-#include "zeek/Reporter.h"
-
-#include "zeek/analyzer/protocol/gtpv1/events.bif.h"
-%}
-
-analyzer GTPv1 withcontext {
-	connection:	GTPv1_Conn;
-	flow:		GTPv1_Flow;
-};
-
-%include gtpv1-protocol.pac
-%include gtpv1-analyzer.pac
diff --git a/src/analyzer/protocol/teredo/CMakeLists.txt b/src/analyzer/protocol/teredo/CMakeLists.txt
deleted file mode 100644
index da23152c3d..0000000000
--- a/src/analyzer/protocol/teredo/CMakeLists.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-
-include(ZeekPlugin)
-
-include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
-
-zeek_plugin_begin(Zeek Teredo)
-zeek_plugin_cc(Teredo.cc Plugin.cc)
-zeek_plugin_bif(events.bif)
-zeek_plugin_end()
diff --git a/src/analyzer/protocol/teredo/Plugin.cc b/src/analyzer/protocol/teredo/Plugin.cc
deleted file mode 100644
index 1e2cd4e121..0000000000
--- a/src/analyzer/protocol/teredo/Plugin.cc
+++ /dev/null
@@ -1,26 +0,0 @@
-// See the file  in the main distribution directory for copyright.
-
-#include "zeek/plugin/Plugin.h"
-
-#include "zeek/analyzer/Component.h"
-#include "zeek/analyzer/protocol/teredo/Teredo.h"
-
-namespace zeek::plugin::detail::Zeek_Teredo
-	{
-
-class Plugin : public zeek::plugin::Plugin
-	{
-public:
-	zeek::plugin::Configuration Configure() override
-		{
-		AddComponent(new zeek::analyzer::Component(
-			"Teredo", zeek::analyzer::teredo::Teredo_Analyzer::Instantiate));
-
-		zeek::plugin::Configuration config;
-		config.name = "Zeek::Teredo";
-		config.description = "Teredo analyzer";
-		return config;
-		}
-	} plugin;
-
-	} // namespace zeek::plugin::detail::Zeek_Teredo
diff --git a/src/analyzer/protocol/teredo/Teredo.cc b/src/analyzer/protocol/teredo/Teredo.cc
deleted file mode 100644
index 32d123c4e3..0000000000
--- a/src/analyzer/protocol/teredo/Teredo.cc
+++ /dev/null
@@ -1,237 +0,0 @@
-#include "zeek/analyzer/protocol/teredo/Teredo.h"
-
-#include "zeek/Conn.h"
-#include "zeek/IP.h"
-#include "zeek/Reporter.h"
-#include "zeek/RunState.h"
-#include "zeek/TunnelEncapsulation.h"
-#include "zeek/ZeekString.h"
-#include "zeek/analyzer/protocol/teredo/events.bif.h"
-#include "zeek/packet_analysis/protocol/ip/IP.h"
-#include "zeek/packet_analysis/protocol/iptunnel/IPTunnel.h"
-
-namespace zeek::analyzer::teredo
-	{
-
-namespace detail
-	{
-
-bool TeredoEncapsulation::DoParse(const u_char* data, int& len, bool found_origin, bool found_auth)
-	{
-	if ( len < 2 )
-		{
-		Weird("truncated_Teredo");
-		return false;
-		}
-
-	uint16_t tag = ntohs((*((const uint16_t*)data)));
-
-	if ( tag == 0 )
-		{
-		// Origin Indication
-		if ( found_origin )
-			// can't have multiple origin indications
-			return false;
-
-		if ( len < 8 )
-			{
-			Weird("truncated_Teredo_origin_indication");
-			return false;
-			}
-
-		origin_indication = data;
-		len -= 8;
-		data += 8;
-		return DoParse(data, len, true, found_auth);
-		}
-
-	else if ( tag == 1 )
-		{
-		// Authentication
-		if ( found_origin || found_auth )
-			// can't have multiple authentication headers and can't come after
-			// an origin indication
-			return false;
-
-		if ( len < 4 )
-			{
-			Weird("truncated_Teredo_authentication");
-			return false;
-			}
-
-		uint8_t id_len = data[2];
-		uint8_t au_len = data[3];
-		uint16_t tot_len = 4 + id_len + au_len + 8 + 1;
-
-		if ( len < tot_len )
-			{
-			Weird("truncated_Teredo_authentication");
-			return false;
-			}
-
-		auth = data;
-		len -= tot_len;
-		data += tot_len;
-		return DoParse(data, len, found_origin, true);
-		}
-
-	else if ( ((tag & 0xf000) >> 12) == 6 )
-		{
-		// IPv6
-		if ( len < 40 )
-			{
-			Weird("truncated_IPv6_in_Teredo");
-			return false;
-			}
-
-		// There's at least a possible IPv6 header, we'll decide what to do
-		// later if the payload length field doesn't match the actual length
-		// of the packet.
-		inner_ip = data;
-		return true;
-		}
-
-	return false;
-	}
-
-RecordValPtr TeredoEncapsulation::BuildVal(const std::shared_ptr<IP_Hdr>& inner) const
-	{
-	static auto teredo_hdr_type = id::find_type<RecordType>("teredo_hdr");
-	static auto teredo_auth_type = id::find_type<RecordType>("teredo_auth");
-	static auto teredo_origin_type = id::find_type<RecordType>("teredo_origin");
-
-	auto teredo_hdr = make_intrusive<RecordVal>(teredo_hdr_type);
-
-	if ( auth )
-		{
-		auto teredo_auth = make_intrusive<RecordVal>(teredo_auth_type);
-		uint8_t id_len = *((uint8_t*)(auth + 2));
-		uint8_t au_len = *((uint8_t*)(auth + 3));
-		uint64_t nonce = ntohll(*((uint64_t*)(auth + 4 + id_len + au_len)));
-		uint8_t conf = *((uint8_t*)(auth + 4 + id_len + au_len + 8));
-		teredo_auth->Assign(0, new String(auth + 4, id_len, true));
-		teredo_auth->Assign(1, new String(auth + 4 + id_len, au_len, true));
-		teredo_auth->Assign(2, nonce);
-		teredo_auth->Assign(3, conf);
-		teredo_hdr->Assign(0, std::move(teredo_auth));
-		}
-
-	if ( origin_indication )
-		{
-		auto teredo_origin = make_intrusive<RecordVal>(teredo_origin_type);
-		uint16_t port = ntohs(*((uint16_t*)(origin_indication + 2))) ^ 0xFFFF;
-		uint32_t addr = ntohl(*((uint32_t*)(origin_indication + 4))) ^ 0xFFFFFFFF;
-		teredo_origin->Assign(0, val_mgr->Port(port, TRANSPORT_UDP));
-		teredo_origin->Assign(1, make_intrusive<AddrVal>(htonl(addr)));
-		teredo_hdr->Assign(1, std::move(teredo_origin));
-		}
-
-	teredo_hdr->Assign(2, inner->ToPktHdrVal());
-	return teredo_hdr;
-	}
-
-	} // namespace detail
-
-void Teredo_Analyzer::Done()
-	{
-	Analyzer::Done();
-	Event(udp_session_done);
-	}
-
-void Teredo_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq,
-                                    const IP_Hdr* ip, int caplen)
-	{
-	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
-
-	if ( orig )
-		valid_orig = false;
-	else
-		valid_resp = false;
-
-	detail::TeredoEncapsulation te(this);
-
-	if ( ! te.Parse(data, len) )
-		{
-		AnalyzerViolation("Bad Teredo encapsulation", (const char*)data, len);
-		return;
-		}
-
-	std::shared_ptr<EncapsulationStack> e = Conn()->GetEncapsulation();
-
-	if ( e && e->Depth() >= BifConst::Tunnel::max_depth )
-		{
-		Weird("tunnel_depth", true);
-		return;
-		}
-
-	std::shared_ptr<IP_Hdr> inner = nullptr;
-	int rslt = packet_analysis::IP::ParsePacket(len, te.InnerIP(), IPPROTO_IPV6, inner);
-
-	if ( rslt > 0 )
-		{
-		if ( inner->NextProto() == IPPROTO_NONE && inner->PayloadLen() == 0 )
-			// Teredo bubbles having data after IPv6 header isn't strictly a
-			// violation, but a little weird.
-			Weird("Teredo_bubble_with_payload", true);
-		else
-			{
-			AnalyzerViolation("Teredo payload length", (const char*)data, len);
-			return;
-			}
-		}
-
-	if ( rslt == 0 || rslt > 0 )
-		{
-		if ( orig )
-			valid_orig = true;
-		else
-			valid_resp = true;
-
-		Confirm();
-		}
-
-	else
-		{
-		AnalyzerViolation("Truncated Teredo or invalid inner IP version", (const char*)data, len);
-		return;
-		}
-
-	ValPtr teredo_hdr;
-
-	if ( teredo_packet )
-		{
-		teredo_hdr = te.BuildVal(inner);
-		Conn()->EnqueueEvent(teredo_packet, nullptr, ConnVal(), teredo_hdr);
-		}
-
-	if ( te.Authentication() && teredo_authentication )
-		{
-		if ( ! teredo_hdr )
-			teredo_hdr = te.BuildVal(inner);
-
-		Conn()->EnqueueEvent(teredo_authentication, nullptr, ConnVal(), teredo_hdr);
-		}
-
-	if ( te.OriginIndication() && teredo_origin_indication )
-		{
-		if ( ! teredo_hdr )
-			teredo_hdr = te.BuildVal(inner);
-
-		Conn()->EnqueueEvent(teredo_origin_indication, nullptr, ConnVal(), teredo_hdr);
-		}
-
-	if ( inner->NextProto() == IPPROTO_NONE && teredo_bubble )
-		{
-		if ( ! teredo_hdr )
-			teredo_hdr = te.BuildVal(inner);
-
-		Conn()->EnqueueEvent(teredo_bubble, nullptr, ConnVal(), teredo_hdr);
-		}
-
-	EncapsulatingConn ec(Conn(), BifEnum::Tunnel::TEREDO);
-
-	packet_analysis::IPTunnel::ip_tunnel_analyzer->ProcessEncapsulatedPacket(
-		run_state::network_time, nullptr, inner, e, ec);
-	}
-
-	} // namespace zeek::analyzer::teredo
diff --git a/src/analyzer/protocol/teredo/Teredo.h b/src/analyzer/protocol/teredo/Teredo.h
deleted file mode 100644
index ecd6c1f4ff..0000000000
--- a/src/analyzer/protocol/teredo/Teredo.h
+++ /dev/null
@@ -1,93 +0,0 @@
-#pragma once
-
-#include "zeek/NetVar.h"
-#include "zeek/Reporter.h"
-#include "zeek/analyzer/Analyzer.h"
-
-namespace zeek::analyzer::teredo
-	{
-
-class Teredo_Analyzer final : public analyzer::Analyzer
-	{
-public:
-	explicit Teredo_Analyzer(Connection* conn)
-		: Analyzer("TEREDO", conn), valid_orig(false), valid_resp(false)
-		{
-		}
-
-	~Teredo_Analyzer() override = default;
-
-	void Done() override;
-
-	void DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq, const IP_Hdr* ip,
-	                   int caplen) override;
-
-	static analyzer::Analyzer* Instantiate(Connection* conn) { return new Teredo_Analyzer(conn); }
-
-	/**
-	 * Emits a weird only if the analyzer has previously been able to
-	 * decapsulate a Teredo packet in both directions or if *force* param is
-	 * set, since otherwise the weirds could happen frequently enough to be less
-	 * than helpful.  The *force* param is meant for cases where just one side
-	 * has a valid encapsulation and so the weird would be informative.
-	 */
-	void Weird(const char* name, bool force = false) const
-		{
-		if ( AnalyzerConfirmed() || force )
-			reporter->Weird(Conn(), name, "", GetAnalyzerName());
-		}
-
-	/**
-	 * If the delayed confirmation option is set, then a valid encapsulation
-	 * seen from both end points is required before confirming.
-	 */
-	void Confirm()
-		{
-		if ( ! BifConst::Tunnel::delay_teredo_confirmation || (valid_orig && valid_resp) )
-			AnalyzerConfirmation();
-		}
-
-protected:
-	bool valid_orig;
-	bool valid_resp;
-	};
-
-namespace detail
-	{
-
-class TeredoEncapsulation
-	{
-public:
-	explicit TeredoEncapsulation(const Teredo_Analyzer* ta)
-		: inner_ip(nullptr), origin_indication(nullptr), auth(nullptr), analyzer(ta)
-		{
-		}
-
-	/**
-	 * Returns whether input data parsed as a valid Teredo encapsulation type.
-	 * If it was valid, the len argument is decremented appropriately.
-	 */
-	bool Parse(const u_char* data, int& len) { return DoParse(data, len, false, false); }
-
-	const u_char* InnerIP() const { return inner_ip; }
-
-	const u_char* OriginIndication() const { return origin_indication; }
-
-	const u_char* Authentication() const { return auth; }
-
-	RecordValPtr BuildVal(const std::shared_ptr<IP_Hdr>& inner) const;
-
-protected:
-	bool DoParse(const u_char* data, int& len, bool found_orig, bool found_au);
-
-	void Weird(const char* name) const { analyzer->Weird(name); }
-
-	const u_char* inner_ip;
-	const u_char* origin_indication;
-	const u_char* auth;
-	const Teredo_Analyzer* analyzer;
-	};
-
-	} // namespace detail
-
-	} // namespace zeek::analyzer::teredo
diff --git a/src/analyzer/protocol/teredo/events.bif b/src/analyzer/protocol/teredo/events.bif
deleted file mode 100644
index 080eb1bf6e..0000000000
--- a/src/analyzer/protocol/teredo/events.bif
+++ /dev/null
@@ -1,55 +0,0 @@
-## Generated for any IPv6 packet encapsulated in a Teredo tunnel.
-## See :rfc:`4380` for more information about the Teredo protocol.
-##
-## outer: The Teredo tunnel connection.
-##
-## inner: The Teredo-encapsulated IPv6 packet header and transport header.
-##
-## .. zeek:see:: teredo_authentication teredo_origin_indication teredo_bubble
-##
-## .. note:: Since this event may be raised on a per-packet basis, handling
-##    it may become particularly expensive for real-time analysis.
-event teredo_packet%(outer: connection, inner: teredo_hdr%);
-
-## Generated for IPv6 packets encapsulated in a Teredo tunnel that
-## use the Teredo authentication encapsulation method.
-## See :rfc:`4380` for more information about the Teredo protocol.
-##
-## outer: The Teredo tunnel connection.
-##
-## inner: The Teredo-encapsulated IPv6 packet header and transport header.
-##
-## .. zeek:see:: teredo_packet teredo_origin_indication teredo_bubble
-##
-## .. note:: Since this event may be raised on a per-packet basis, handling
-##    it may become particularly expensive for real-time analysis.
-event teredo_authentication%(outer: connection, inner: teredo_hdr%);
-
-## Generated for IPv6 packets encapsulated in a Teredo tunnel that
-## use the Teredo origin indication encapsulation method.
-## See :rfc:`4380` for more information about the Teredo protocol.
-##
-## outer: The Teredo tunnel connection.
-##
-## inner: The Teredo-encapsulated IPv6 packet header and transport header.
-##
-## .. zeek:see:: teredo_packet teredo_authentication teredo_bubble
-##
-## .. note:: Since this event may be raised on a per-packet basis, handling
-##    it may become particularly expensive for real-time analysis.
-event teredo_origin_indication%(outer: connection, inner: teredo_hdr%);
-
-## Generated for Teredo bubble packets.  That is, IPv6 packets encapsulated
-## in a Teredo tunnel that have a Next Header value of :zeek:id:`IPPROTO_NONE`.
-## See :rfc:`4380` for more information about the Teredo protocol.
-##
-## outer: The Teredo tunnel connection.
-##
-## inner: The Teredo-encapsulated IPv6 packet header and transport header.
-##
-## .. zeek:see:: teredo_packet teredo_authentication teredo_origin_indication
-##
-## .. note:: Since this event may be raised on a per-packet basis, handling
-##    it may become particularly expensive for real-time analysis.
-event teredo_bubble%(outer: connection, inner: teredo_hdr%);
-
diff --git a/src/analyzer/protocol/vxlan/CMakeLists.txt b/src/analyzer/protocol/vxlan/CMakeLists.txt
deleted file mode 100644
index 64c8600844..0000000000
--- a/src/analyzer/protocol/vxlan/CMakeLists.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-
-include(ZeekPlugin)
-
-include_directories(BEFORE ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR})
-
-zeek_plugin_begin(Zeek VXLAN)
-zeek_plugin_cc(VXLAN.cc Plugin.cc)
-zeek_plugin_bif(events.bif)
-zeek_plugin_end()
diff --git a/src/analyzer/protocol/vxlan/Plugin.cc b/src/analyzer/protocol/vxlan/Plugin.cc
deleted file mode 100644
index 3b7ed31ccd..0000000000
--- a/src/analyzer/protocol/vxlan/Plugin.cc
+++ /dev/null
@@ -1,26 +0,0 @@
-// See the file  in the main distribution directory for copyright.
-
-#include "zeek/plugin/Plugin.h"
-
-#include "zeek/analyzer/Component.h"
-#include "zeek/analyzer/protocol/vxlan/VXLAN.h"
-
-namespace zeek::plugin::detail::Zeek_VXLAN
-	{
-
-class Plugin : public zeek::plugin::Plugin
-	{
-public:
-	zeek::plugin::Configuration Configure() override
-		{
-		AddComponent(new zeek::analyzer::Component(
-			"VXLAN", zeek::analyzer::vxlan::VXLAN_Analyzer::Instantiate));
-
-		zeek::plugin::Configuration config;
-		config.name = "Zeek::VXLAN";
-		config.description = "VXLAN analyzer";
-		return config;
-		}
-	} plugin;
-
-	} // namespace zeek::plugin::detail::Zeek_VXLAN
diff --git a/src/analyzer/protocol/vxlan/VXLAN.cc b/src/analyzer/protocol/vxlan/VXLAN.cc
deleted file mode 100644
index 4eeb409f4b..0000000000
--- a/src/analyzer/protocol/vxlan/VXLAN.cc
+++ /dev/null
@@ -1,102 +0,0 @@
-// See the file  in the main distribution directory for copyright.
-
-#include "zeek/analyzer/protocol/vxlan/VXLAN.h"
-
-extern "C"
-	{
-#include <pcap.h> // for the DLT_EN10MB constant definition
-	}
-
-#include "zeek/Conn.h"
-#include "zeek/IP.h"
-#include "zeek/Reporter.h"
-#include "zeek/RunState.h"
-#include "zeek/TunnelEncapsulation.h"
-#include "zeek/analyzer/protocol/vxlan/events.bif.h"
-#include "zeek/packet_analysis/Manager.h"
-#include "zeek/packet_analysis/protocol/iptunnel/IPTunnel.h"
-
-namespace zeek::analyzer::vxlan
-	{
-
-void VXLAN_Analyzer::Done()
-	{
-	Analyzer::Done();
-	Event(udp_session_done);
-	}
-
-void VXLAN_Analyzer::DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq,
-                                   const IP_Hdr* ip, int caplen)
-	{
-	Analyzer::DeliverPacket(len, data, orig, seq, ip, caplen);
-
-	// Outer Ethernet, IP, and UDP layers already skipped.
-	// Also, generic UDP analyzer already checked/guarantees caplen >= len.
-
-	constexpr auto vxlan_len = 8;
-
-	if ( len < vxlan_len )
-		{
-		AnalyzerViolation("VXLAN header truncation", (const char*)data, len);
-		return;
-		}
-
-	if ( (data[0] & 0x08) == 0 )
-		{
-		AnalyzerViolation("VXLAN 'I' flag not set", (const char*)data, len);
-		return;
-		}
-
-	std::shared_ptr<EncapsulationStack> outer = Conn()->GetEncapsulation();
-
-	if ( outer && outer->Depth() >= BifConst::Tunnel::max_depth )
-		{
-		Weird("tunnel_depth");
-		return;
-		}
-
-	if ( ! outer )
-		outer = std::make_shared<EncapsulationStack>();
-
-	EncapsulatingConn inner(Conn(), BifEnum::Tunnel::VXLAN);
-	outer->Add(inner);
-	int encap_index = outer->Depth();
-
-	int vni = (data[4] << 16) + (data[5] << 8) + (data[6] << 0);
-
-	// Skip over the VXLAN header and create a new packet.
-	data += vxlan_len;
-	caplen -= vxlan_len;
-	len -= vxlan_len;
-
-	pkt_timeval ts;
-	ts.tv_sec = (time_t)run_state::current_timestamp;
-	ts.tv_usec = (suseconds_t)((run_state::current_timestamp - (double)ts.tv_sec) * 1000000);
-	Packet pkt(DLT_EN10MB, &ts, caplen, len, data);
-	pkt.encap = outer;
-
-	if ( ! packet_mgr->ProcessInnerPacket(&pkt) )
-		{
-		AnalyzerViolation("VXLAN invalid inner packet");
-		return;
-		}
-
-	// This isn't really an error. It's just that the inner packet wasn't an IP packet (like ARP).
-	// Just return without reporting a violation.
-	if ( ! pkt.ip_hdr )
-		return;
-
-	AnalyzerConfirmation();
-
-	if ( vxlan_packet )
-		{
-		EncapsulatingConn* ec = pkt.encap->At(encap_index);
-		if ( ec && ec->ip_hdr )
-			{
-			Conn()->EnqueueEvent(vxlan_packet, nullptr, ConnVal(), ec->ip_hdr->ToPktHdrVal(),
-			                     val_mgr->Count(vni));
-			}
-		}
-	}
-
-	} // namespace zeek::analyzer::vxlan
diff --git a/src/analyzer/protocol/vxlan/VXLAN.h b/src/analyzer/protocol/vxlan/VXLAN.h
deleted file mode 100644
index 86f6d60fc3..0000000000
--- a/src/analyzer/protocol/vxlan/VXLAN.h
+++ /dev/null
@@ -1,23 +0,0 @@
-// See the file  in the main distribution directory for copyright.
-
-#pragma once
-
-#include "zeek/analyzer/Analyzer.h"
-
-namespace zeek::analyzer::vxlan
-	{
-
-class VXLAN_Analyzer final : public analyzer::Analyzer
-	{
-public:
-	explicit VXLAN_Analyzer(Connection* conn) : Analyzer("VXLAN", conn) { }
-
-	void Done() override;
-
-	void DeliverPacket(int len, const u_char* data, bool orig, uint64_t seq, const IP_Hdr* ip,
-	                   int caplen) override;
-
-	static analyzer::Analyzer* Instantiate(Connection* conn) { return new VXLAN_Analyzer(conn); }
-	};
-
-	} // namespace zeek::analyzer::vxlan
diff --git a/src/analyzer/protocol/vxlan/events.bif b/src/analyzer/protocol/vxlan/events.bif
deleted file mode 100644
index d05c74dfbe..0000000000
--- a/src/analyzer/protocol/vxlan/events.bif
+++ /dev/null
@@ -1,12 +0,0 @@
-## Generated for any packet encapsulated in a VXLAN tunnel.
-## See :rfc:`7348` for more information about the VXLAN protocol.
-##
-## outer: The VXLAN tunnel connection.
-##
-## inner: The VXLAN-encapsulated Ethernet packet header and transport header.
-##
-## vni: VXLAN Network Identifier.
-##
-## .. note:: Since this event may be raised on a per-packet basis, handling
-##    it may become particularly expensive for real-time analysis.
-event vxlan_packet%(outer: connection, inner: pkt_hdr, vni: count%);

From e82a78616bbcd1056ad169eda65b047251aef2c6 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Tue, 23 Nov 2021 13:11:16 -0700
Subject: [PATCH 103/210] Update NEWS and some minor fixes for docs/zeekygen

---
 NEWS                                       | 27 ++++++++++++++++++++++
 scripts/base/frameworks/analyzer/main.zeek |  2 +-
 src/zeekygen/Target.cc                     |  1 +
 3 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index c29e0ff754..dd3c9b377c 100644
--- a/NEWS
+++ b/NEWS
@@ -55,6 +55,24 @@ New Functionality
   rebuilds.  Previously, updates to included Zeek scripts didn't reliably
   trigger a rebuild.
 
+- Added PacketAnalyzer::register_for_port(s) functions to the packet analyzer
+  framework in script-land. This allows a packet analyzer to register a port
+  mapping with a parent analyzer just like any other numeric identifier, while
+  also adding that port to the now-global Analyzer::ports table used by BPF
+  filtering.
+
+- Added AllAnalyzers::Tag enum type that combines the existing Analyzer::Tag,
+  PacketAnalyzer::Tag, and Files::Tags into a single enum. The existing types
+  still exist, but the new type can be used as an argument for
+  functions/hooks/events that need to handle any of the analyzer types.
+
+- Added protocol detection functionality to the packet analyzer framework.
+  Packet analyzers can register for protocol detection using the
+  ``PacketAnalyzer::register_protocol_detection`` script function and implement
+  the ``PacketAnalyzer::DetectProtocol`` method in C++. This allows packet
+  analyzer plugins to detect a protocol via byte matching or other heuristics
+  instead of relying solely on a numeric identifier for forwarding.
+
 Changed Functionality
 ---------------------
 
@@ -81,12 +99,21 @@ Changed Functionality
   on the local NIC - which typically causes the total-length of affected packets to be set to
   zero.
 
+- The existing tunnel analyzers for AYIYA, Geneve, GTPv1, Teredo, and VXLAN
+  are now packet analyzers.
+
 Removed Functionality
 ---------------------
 
 Deprecated Functionality
 ------------------------
 
+- The ``protocol_confirmation`` and ``protocol_violation`` events along with
+  the corresponding ``Analyzer::ProtocolConfirmation` and
+  ``Analyzer::ProtocolViolation`` C++ methods are marked as deprecated. They are
+  replaced by ``analyzer_confirmation`` and ``analyzer_violation`` which can also
+  now be implemented in packet analyzers.
+
 Zeek 4.1.0
 ==========
 
diff --git a/scripts/base/frameworks/analyzer/main.zeek b/scripts/base/frameworks/analyzer/main.zeek
index 20c4bcad10..919a71b0c8 100644
--- a/scripts/base/frameworks/analyzer/main.zeek
+++ b/scripts/base/frameworks/analyzer/main.zeek
@@ -10,7 +10,7 @@
 ##! the analyzers themselves, and documented in their analyzer-specific
 ##! description along with the events that they generate.
 ##!
-##! Analyzer tags are also inserted into a global :zeek:type:`AllAnalyzers` enum
+##! Analyzer tags are also inserted into a global :zeek:type:`AllAnalyzers::Tag` enum
 ##! type. This type contains duplicates of all of the :zeek:type:`Analyzer::Tag`,
 ##! :zeek:type:`PacketAnalyzer::Tag` and :zeek:type:`Files::Tag` enum values
 ##! and can be used for arguments to function/hook/event definitions where they
diff --git a/src/zeekygen/Target.cc b/src/zeekygen/Target.cc
index b03d7b8e2b..a4e62b742d 100644
--- a/src/zeekygen/Target.cc
+++ b/src/zeekygen/Target.cc
@@ -282,6 +282,7 @@ void ProtoAnalyzerTarget::DoCreateAnalyzerDoc(FILE* f) const
 	fprintf(f, "==================\n\n");
 
 	WriteAnalyzerTagDefn(f, "Analyzer");
+	WriteAnalyzerTagDefn(f, "AllAnalyzers");
 
 	plugin::Manager::plugin_list plugins = plugin_mgr->ActivePlugins();
 	plugin::Manager::plugin_list::const_iterator it;

From 06bbd167cd402daf2dc6e3397774abad42f18013 Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Tue, 16 Nov 2021 12:11:30 -0800
Subject: [PATCH 104/210] fixes for constructing and assigning records with
 fields that are empty vectors

---
 src/Expr.cc                                   | 22 ++++++++++++++++---
 src/Val.cc                                    |  1 +
 .../out                                       |  4 ++--
 .../Baseline/language.record-empty-vector/out |  2 ++
 ...-orphan.zeek => record-coerce-orphan.zeek} |  0
 .../btest/language/record-empty-vector.zeek   | 13 +++++++++++
 6 files changed, 37 insertions(+), 5 deletions(-)
 rename testing/btest/Baseline/{language.record-ceorce-orphan => language.record-coerce-orphan}/out (67%)
 create mode 100644 testing/btest/Baseline/language.record-empty-vector/out
 rename testing/btest/language/{record-ceorce-orphan.zeek => record-coerce-orphan.zeek} (100%)
 create mode 100644 testing/btest/language/record-empty-vector.zeek

diff --git a/src/Expr.cc b/src/Expr.cc
index 41ae5bca3c..b1d7ebb153 100644
--- a/src/Expr.cc
+++ b/src/Expr.cc
@@ -3405,12 +3405,21 @@ ValPtr RecordConstructorExpr::Eval(Frame* f) const
 	if ( ! map && exprs.length() != rt->NumFields() )
 		RuntimeErrorWithCallStack("inconsistency evaluating record constructor");
 
-	auto rv = make_intrusive<RecordVal>(std::move(rt));
+	auto rv = make_intrusive<RecordVal>(rt);
 
 	for ( int i = 0; i < exprs.length(); ++i )
 		{
+		auto v_i = exprs[i]->Eval(f);
 		int ind = map ? (*map)[i] : i;
-		rv->Assign(ind, exprs[i]->Eval(f));
+
+		if ( v_i && v_i->GetType()->Tag() == TYPE_VECTOR &&
+		     v_i->GetType<VectorType>()->IsUnspecifiedVector() )
+			{
+			const auto& t_ind = rt->GetFieldType(ind);
+			v_i->AsVectorVal()->Concretize(t_ind->Yield());
+			}
+
+		rv->Assign(ind, v_i);
 		}
 
 	return rv;
@@ -4105,6 +4114,13 @@ RecordValPtr coerce_to_record(RecordTypePtr rt, Val* v, const std::vector<int>&
 						 cast_intrusive<RecordType>(field_type)) )
 					rhs = std::move(new_val);
 				}
+			else if ( rhs_type->Tag() == TYPE_VECTOR && field_type->Tag() == TYPE_VECTOR &&
+			          rhs_type->AsVectorType()->IsUnspecifiedVector() )
+				{
+				auto rhs_v = rhs->AsVectorVal();
+				if ( ! rhs_v->Concretize(field_type->Yield()) )
+					reporter->InternalError("could not concretize empty vector");
+				}
 			else if ( BothArithmetic(rhs_type->Tag(), field_type->Tag()) &&
 			          ! same_type(rhs_type, field_type) )
 				{
@@ -5049,7 +5065,7 @@ ValPtr ListExpr::InitVal(const zeek::Type* t, ValPtr aggr) const
 ValPtr ListExpr::AddSetInit(const zeek::Type* t, ValPtr aggr) const
 	{
 	if ( aggr->GetType()->Tag() != TYPE_TABLE )
-		Internal("bad aggregate in ListExpr::InitVal");
+		Internal("bad aggregate in ListExpr::AddSetInit");
 
 	TableVal* tv = aggr->AsTableVal();
 	const TableType* tt = tv->GetType()->AsTableType();
diff --git a/src/Val.cc b/src/Val.cc
index 09beec75c5..3ad6169149 100644
--- a/src/Val.cc
+++ b/src/Val.cc
@@ -3646,6 +3646,7 @@ bool VectorVal::Concretize(const TypePtr& t)
 		}
 
 	// Require that this vector be treated consistently in the future.
+	type = make_intrusive<VectorType>(t);
 	yield_type = t;
 	managed_yield = ZVal::IsManagedType(yield_type);
 	delete yield_types;
diff --git a/testing/btest/Baseline/language.record-ceorce-orphan/out b/testing/btest/Baseline/language.record-coerce-orphan/out
similarity index 67%
rename from testing/btest/Baseline/language.record-ceorce-orphan/out
rename to testing/btest/Baseline/language.record-coerce-orphan/out
index 0cdff0aebd..8939e74edf 100644
--- a/testing/btest/Baseline/language.record-ceorce-orphan/out
+++ b/testing/btest/Baseline/language.record-coerce-orphan/out
@@ -1,3 +1,3 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-error in <...>/record-ceorce-orphan.zeek, line 19: orphaned field "wtf" in record coercion ((coerce [$a=test, $b=42, $wtf=1.0 sec] to myrec))
-error in <...>/record-ceorce-orphan.zeek, line 21: orphaned field "wtf" in record coercion ((coerce [$a=test, $b=42, $wtf=1.0 sec] to myrec))
+error in <...>/record-coerce-orphan.zeek, line 19: orphaned field "wtf" in record coercion ((coerce [$a=test, $b=42, $wtf=1.0 sec] to myrec))
+error in <...>/record-coerce-orphan.zeek, line 21: orphaned field "wtf" in record coercion ((coerce [$a=test, $b=42, $wtf=1.0 sec] to myrec))
diff --git a/testing/btest/Baseline/language.record-empty-vector/out b/testing/btest/Baseline/language.record-empty-vector/out
new file mode 100644
index 0000000000..aaf5d521b3
--- /dev/null
+++ b/testing/btest/Baseline/language.record-empty-vector/out
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[, 9]
diff --git a/testing/btest/language/record-ceorce-orphan.zeek b/testing/btest/language/record-coerce-orphan.zeek
similarity index 100%
rename from testing/btest/language/record-ceorce-orphan.zeek
rename to testing/btest/language/record-coerce-orphan.zeek
diff --git a/testing/btest/language/record-empty-vector.zeek b/testing/btest/language/record-empty-vector.zeek
new file mode 100644
index 0000000000..f64108ebfc
--- /dev/null
+++ b/testing/btest/language/record-empty-vector.zeek
@@ -0,0 +1,13 @@
+# @TEST-EXEC: zeek -b %INPUT >out 2>&1
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out
+
+type r: record {
+	v: vector of int;
+};
+
+event zeek_init()
+	{
+	local l = r($v=vector());
+	l$v[1] = 9;
+	print l$v;
+	}

From a830c269ab55ec31cd67801039ab18007f6b6af3 Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Wed, 24 Nov 2021 11:56:01 -0800
Subject: [PATCH 105/210] address clang 10 warnings

---
 src/script_opt/ZAM/Ops.in  | 2 +-
 src/script_opt/ZAM/Stmt.cc | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/script_opt/ZAM/Ops.in b/src/script_opt/ZAM/Ops.in
index e1516bce99..d74cacc9d5 100644
--- a/src/script_opt/ZAM/Ops.in
+++ b/src/script_opt/ZAM/Ops.in
@@ -1099,7 +1099,7 @@ eval	auto v = frame[z.v2].double_val;
 		ZAM_run_time_error(z.loc, "underflow converting double to count");
 		break;
 		}
-	if ( v > UINT64_MAX )
+	if ( v > static_cast<double>(UINT64_MAX) )
 		{
 		ZAM_run_time_error(z.loc, "overflow converting double to count");
 		break;
diff --git a/src/script_opt/ZAM/Stmt.cc b/src/script_opt/ZAM/Stmt.cc
index 84ca6598aa..f6af240c95 100644
--- a/src/script_opt/ZAM/Stmt.cc
+++ b/src/script_opt/ZAM/Stmt.cc
@@ -379,6 +379,13 @@ const ZAMStmt ZAMCompiler::GenCond(const Expr* e, int& branch_v)
 	else
 		branch_v = 2;
 
+// clang 10 gets perturbed that the indentation of the "default" in the
+// following switch block doesn't match that of the cases that we include
+// from "ZAM-Conds.h".  It really shouldn't worry about indentation mismatches
+// across included files since those are not indicative of possible
+// logic errors, but Oh Well.
+#pragma GCC diagnostic push
+#pragma GCC diagnostic ignored "-Wmisleading-indentation"
 	switch ( e->Tag() )
 		{
 #include "ZAM-Conds.h"
@@ -386,6 +393,7 @@ const ZAMStmt ZAMCompiler::GenCond(const Expr* e, int& branch_v)
 		default:
 			reporter->InternalError("bad expression type in ZAMCompiler::GenCond");
 		}
+#pragma GCC diagnostic pop
 
 	// Not reached.
 	}

From a2cec7463f8cade21f2310ea34cb925e69776cba Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Wed, 24 Nov 2021 12:17:16 -0800
Subject: [PATCH 106/210] suppress unneeded initializations

---
 src/script_opt/CPP/Driver.cc | 20 ++++++++++----------
 src/script_opt/CPP/Inits.cc  |  3 +++
 src/script_opt/ScriptOpt.cc  | 26 +++++++++++++-------------
 3 files changed, 26 insertions(+), 23 deletions(-)

diff --git a/src/script_opt/CPP/Driver.cc b/src/script_opt/CPP/Driver.cc
index dd7348ddca..5aec30b95a 100644
--- a/src/script_opt/CPP/Driver.cc
+++ b/src/script_opt/CPP/Driver.cc
@@ -64,6 +64,12 @@ void CPPCompile::Compile(bool report_uncompilable)
 	// previously compiled instances of those if present.
 	for ( const auto& func : funcs )
 		{
+		if ( func.ShouldSkip() )
+			{
+			not_fully_compilable.insert(func.Func()->Name());
+			continue;
+			}
+
 		if ( func.Func()->Flavor() != FUNC_FLAVOR_FUNCTION )
 			// Can't be called directly.
 			continue;
@@ -94,7 +100,6 @@ void CPPCompile::Compile(bool report_uncompilable)
 		{
 		TypePtr tp{NewRef{}, (Type*)(t)};
 		types.AddKey(tp, pfs.HashType(t));
-		(void)RegisterType(tp);
 		}
 
 	// ### This doesn't work for -O add-C++
@@ -102,13 +107,6 @@ void CPPCompile::Compile(bool report_uncompilable)
 
 	NL();
 
-#if 0
-	for ( auto gi : all_global_info )
-		Emit(gi->Declare());
-
-	NL();
-#endif
-
 	for ( auto& g : pfs.AllGlobals() )
 		CreateGlobal(g);
 
@@ -126,7 +124,8 @@ void CPPCompile::Compile(bool report_uncompilable)
 	// The scaffolding is now in place to go ahead and generate
 	// the functions & lambdas.  First declare them ...
 	for ( const auto& func : funcs )
-		DeclareFunc(func);
+		if ( ! func.ShouldSkip() )
+			DeclareFunc(func);
 
 	// We track lambdas by their internal names, because two different
 	// LambdaExpr's can wind up referring to the same underlying lambda
@@ -148,7 +147,8 @@ void CPPCompile::Compile(bool report_uncompilable)
 
 	// ... and now generate their bodies.
 	for ( const auto& func : funcs )
-		CompileFunc(func);
+		if ( ! func.ShouldSkip() )
+			CompileFunc(func);
 
 	lambda_names.clear();
 	for ( const auto& l : pfs.Lambdas() )
diff --git a/src/script_opt/CPP/Inits.cc b/src/script_opt/CPP/Inits.cc
index 2e51b95412..d462f19a82 100644
--- a/src/script_opt/CPP/Inits.cc
+++ b/src/script_opt/CPP/Inits.cc
@@ -240,6 +240,9 @@ void CPPCompile::GenStandaloneActivation()
 
 	for ( const auto& func : funcs )
 		{
+		if ( func.ShouldSkip() )
+			continue;
+
 		auto f = func.Func();
 		auto fname = BodyName(func);
 		auto bname = Canonicalize(fname.c_str()) + "_zf";
diff --git a/src/script_opt/ScriptOpt.cc b/src/script_opt/ScriptOpt.cc
index 2940b1b5ec..311f8d8e7b 100644
--- a/src/script_opt/ScriptOpt.cc
+++ b/src/script_opt/ScriptOpt.cc
@@ -382,19 +382,6 @@ static void generate_CPP(std::unique_ptr<ProfileFuncs>& pfs)
 
 	auto hm = std::make_unique<CPPHashManager>(hash_name.c_str());
 
-	if ( analysis_options.gen_CPP )
-		{
-		if ( analysis_options.only_func )
-			{ // deactivate all functions except the target one
-			for ( auto& func : funcs )
-				{
-				auto fn = func.Func()->Name();
-				if ( *analysis_options.only_func != fn )
-					func.SetSkip(true);
-				}
-			}
-		}
-
 	const auto gen_name = hash_dir + "CPP-gen.cc";
 	const auto addl_name = hash_dir + "CPP-gen-addl.h";
 
@@ -551,6 +538,19 @@ void analyze_scripts()
 		// No work to do, avoid profiling overhead.
 		return;
 
+	if ( analysis_options.gen_CPP )
+		{
+		if ( analysis_options.only_func )
+			{ // deactivate all functions except the target one
+			for ( auto& func : funcs )
+				{
+				auto fn = func.Func()->Name();
+				if ( *analysis_options.only_func != fn )
+					func.SetSkip(true);
+				}
+			}
+		}
+
 	// Now that everything's parsed and BiF's have been initialized,
 	// profile the functions.
 	auto pfs = std::make_unique<ProfileFuncs>(funcs, is_CPP_compilable, false);

From 1f388e3f400ae8257ef10db095d563e3ddeb018a Mon Sep 17 00:00:00 2001
From: Benjamin Bannier <benjamin.bannier@corelight.com>
Date: Wed, 24 Nov 2021 22:48:46 +0100
Subject: [PATCH 107/210] Format shell scripts with shfmt.

All changes in this patch were performed automatically with `shfmt` with
configuration flags specified in `.pre-commit-config.yaml`.

In addition to fixing whitespace the roundtrip through shfmt's AST also
transforms command substitutions

    `cmd`
    # becomes
    $(cmd)

and some redirects

    >&2 echo "msg"
    # becomes
    echo >&2 "msg"
---
 .pre-commit-config.yaml                       |   6 +
 ci/build.sh                                   |   2 +-
 ci/common.sh                                  |   4 +-
 ci/freebsd/prepare.sh                         |   2 +-
 ci/init-external-repos.sh                     |   9 +-
 ci/test-fuzzers.sh                            |   5 +-
 ci/test.sh                                    |  43 +++--
 ci/update-zeekygen-docs.sh                    |  28 ++--
 configure                                     | 144 ++++++++---------
 src/script_opt/CPP/single-full-test.sh        |   2 +-
 src/script_opt/CPP/single-test.sh             |   2 +-
 src/script_opt/CPP/test-suite-build           |   2 +-
 src/script_opt/CPP/update-single-test.sh      |   2 +-
 testing/btest/coverage/zeekygen.sh            |  11 +-
 testing/btest/plugins/bifs-and-scripts.sh     |   1 -
 testing/coverage/code_coverage.sh             | 118 +++++++-------
 testing/coverage/lcov_html.sh                 |  76 ++++-----
 testing/external/scripts/create-new-repo      |  12 +-
 testing/external/scripts/diff-all             |  18 +--
 testing/external/scripts/find-git-repos       |   2 +-
 testing/external/scripts/update-traces        |  20 +--
 testing/scripts/diff-canonifier               |   2 +-
 testing/scripts/diff-canonifier-external      |  25 ++-
 testing/scripts/diff-remove-abspath           |  10 +-
 testing/scripts/diff-remove-fields            |   2 +-
 testing/scripts/diff-remove-fractions         |   1 -
 .../scripts/diff-remove-openclose-timestamps  |   6 +-
 testing/scripts/diff-remove-timestamps        |   8 +-
 testing/scripts/diff-sort                     |   4 +-
 testing/scripts/fake-sendmail                 |  10 +-
 .../scripts/update-external-repo-pointer.sh   |   4 +-
 testing/scripts/wait-for-file                 |  17 +-
 zeek-config.in                                | 148 +++++++++---------
 zeek-wrapper.in                               |   2 +-
 34 files changed, 369 insertions(+), 379 deletions(-)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index f3f52012a1..38c18b5ccf 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -6,3 +6,9 @@ repos:
   rev: 'v13.0.0'
   hooks:
   - id: clang-format
+
+- repo: https://github.com/maxwinterstein/shfmt-py
+  rev: 3.3.1.8
+  hooks:
+    - id: shfmt
+      args: ["-w", "-i", "4", "-ci"]
diff --git a/ci/build.sh b/ci/build.sh
index 051d119f62..19a92743d1 100755
--- a/ci/build.sh
+++ b/ci/build.sh
@@ -1,6 +1,6 @@
 #! /usr/bin/env bash
 
-SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" &> /dev/null && pwd)"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" &>/dev/null && pwd)"
 . ${SCRIPT_DIR}/common.sh
 
 set -e
diff --git a/ci/common.sh b/ci/common.sh
index cc84e9a973..52949dcf73 100644
--- a/ci/common.sh
+++ b/ci/common.sh
@@ -3,10 +3,10 @@
 # On Cirrus, oversubscribe the CPUs when on Linux. This uses Cirrus' "greedy" feature.
 if [[ "${CIRRUS_OS}" == linux ]]; then
     if [[ -n "${ZEEK_CI_CPUS}" ]]; then
-        ZEEK_CI_CPUS=$(( 2 * ${ZEEK_CI_CPUS} ))
+        ZEEK_CI_CPUS=$((2 * ${ZEEK_CI_CPUS}))
     fi
 
     if [[ -n "${ZEEK_CI_BTEST_JOBS}" ]]; then
-        ZEEK_CI_BTEST_JOBS=$(( 2 * ${ZEEK_CI_BTEST_JOBS} ))
+        ZEEK_CI_BTEST_JOBS=$((2 * ${ZEEK_CI_BTEST_JOBS}))
     fi
 fi
diff --git a/ci/freebsd/prepare.sh b/ci/freebsd/prepare.sh
index 00b3965e2f..8a51a49461 100755
--- a/ci/freebsd/prepare.sh
+++ b/ci/freebsd/prepare.sh
@@ -8,6 +8,6 @@ set -x
 env ASSUME_ALWAYS_YES=YES pkg bootstrap
 pkg install -y bash git cmake swig bison python3 base64
 pkg upgrade -y curl
-pyver=`python3 -c 'import sys; print(f"py{sys.version_info[0]}{sys.version_info[1]}")'`
+pyver=$(python3 -c 'import sys; print(f"py{sys.version_info[0]}{sys.version_info[1]}")')
 pkg install -y $pyver-sqlite3 $pyver-pip
 pip install junit2html
diff --git a/ci/init-external-repos.sh b/ci/init-external-repos.sh
index 43814a69c5..b3684b0dcd 100755
--- a/ci/init-external-repos.sh
+++ b/ci/init-external-repos.sh
@@ -1,13 +1,12 @@
 #! /usr/bin/env bash
 
-function banner
-    {
+function banner {
     local msg="${1}"
     printf "+--------------------------------------------------------------+\n"
     printf "| %-60s |\n" "$(date)"
     printf "| %-60s |\n" "${msg}"
     printf "+--------------------------------------------------------------+\n"
-    }
+}
 
 set -e
 
@@ -52,8 +51,8 @@ if [[ -n "${CIRRUS_CI}" ]] && [[ "${CIRRUS_REPO_OWNER}" == "zeek" ]] && [[ ! -d
     fi
 
     banner "Trying to clone zeek-testing-private git repo"
-    echo "${ZEEK_TESTING_PRIVATE_SSH_KEY}" > cirrus_key.b64
-    base64 -d cirrus_key.b64 > cirrus_key
+    echo "${ZEEK_TESTING_PRIVATE_SSH_KEY}" >cirrus_key.b64
+    base64 -d cirrus_key.b64 >cirrus_key
     rm cirrus_key.b64
     chmod 600 cirrus_key
     git --version
diff --git a/ci/test-fuzzers.sh b/ci/test-fuzzers.sh
index c3ae93d469..389c272066 100755
--- a/ci/test-fuzzers.sh
+++ b/ci/test-fuzzers.sh
@@ -17,8 +17,8 @@ for fuzzer_path in ${fuzzers}; do
 
     if [[ -e ${corpus} ]]; then
         echo "Fuzzer: ${fuzzer_exe} ${corpus}"
-        ( rm -rf corpus && mkdir corpus ) || result=1
-        ( cd corpus && unzip ../${corpus} >/dev/null ) || result=1
+        (rm -rf corpus && mkdir corpus) || result=1
+        (cd corpus && unzip ../${corpus} >/dev/null) || result=1
         ${fuzzer_path} corpus/* >${fuzzer_exe}.out 2>${fuzzer_exe}.err
 
         if [[ $? -eq 0 ]]; then
@@ -36,5 +36,4 @@ for fuzzer_path in ${fuzzers}; do
     echo "-----------------------------------------"
 done
 
-
 exit ${result}
diff --git a/ci/test.sh b/ci/test.sh
index 50d0703dc9..ba407ffec6 100755
--- a/ci/test.sh
+++ b/ci/test.sh
@@ -16,47 +16,41 @@ if [[ -z "${CIRRUS_CI}" ]]; then
     ZEEK_CI_BTEST_RETRIES=2
 fi
 
-SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" &> /dev/null && pwd)"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" &>/dev/null && pwd)"
 . ${SCRIPT_DIR}/common.sh
 
-function pushd
-    {
-    command pushd "$@" > /dev/null || exit 1
-    }
+function pushd {
+    command pushd "$@" >/dev/null || exit 1
+}
 
-function popd
-    {
-    command popd "$@" > /dev/null || exit 1
-    }
+function popd {
+    command popd "$@" >/dev/null || exit 1
+}
 
-function banner
-    {
+function banner {
     local msg="${1}"
     printf "+--------------------------------------------------------------+\n"
     printf "| %-60s |\n" "$(date)"
     printf "| %-60s |\n" "${msg}"
     printf "+--------------------------------------------------------------+\n"
-    }
+}
 
-function run_unit_tests
-    {
+function run_unit_tests {
     banner "Running unit tests"
 
     pushd build
-    ( . ./zeek-path-dev.sh && zeek --test ) || result=1
+    (. ./zeek-path-dev.sh && zeek --test) || result=1
     popd
     return 0
-    }
+}
 
-function prep_artifacts
-    {
+function prep_artifacts {
     banner "Prepare artifacts"
     [[ -d .tmp ]] && rm -rf .tmp/script-coverage && tar -czf tmp.tar.gz .tmp
     junit2html btest-results.xml btest-results.html
-    }
+}
 
-function run_btests
-    {
+function run_btests {
     banner "Running baseline tests: zeek"
 
     pushd testing/btest
@@ -73,10 +67,9 @@ function run_btests
     prep_artifacts
     popd
     return 0
-    }
+}
 
-function run_external_btests
-    {
+function run_external_btests {
     # Commenting out this line in btest.cfg causes the script profiling/coverage
     # to be disabled. We do this for the sanitizer build right now because of a
     # fairly significant performance bug when running tests.
@@ -120,7 +113,7 @@ function run_external_btests
     else
         banner "Skipping private tests (not available for PRs)"
     fi
-    }
+}
 
 banner "Start tests: ${ZEEK_CI_CPUS} cpus, ${ZEEK_CI_BTEST_JOBS} btest jobs"
 
diff --git a/ci/update-zeekygen-docs.sh b/ci/update-zeekygen-docs.sh
index 1c0769bc9a..c4722237cb 100755
--- a/ci/update-zeekygen-docs.sh
+++ b/ci/update-zeekygen-docs.sh
@@ -1,15 +1,15 @@
 #! /usr/bin/env bash
 
-unset ZEEK_DISABLE_ZEEKYGEN;
+unset ZEEK_DISABLE_ZEEKYGEN
 
 # If running this from btest, unset any of the environment
 # variables that alter default script values.
-unset ZEEK_DEFAULT_LISTEN_ADDRESS;
-unset ZEEK_DEFAULT_LISTEN_RETRY;
-unset ZEEK_DEFAULT_CONNECT_RETRY;
+unset ZEEK_DEFAULT_LISTEN_ADDRESS
+unset ZEEK_DEFAULT_LISTEN_RETRY
+unset ZEEK_DEFAULT_CONNECT_RETRY
 
-dir="$( cd "$( dirname "$0" )" && pwd )"
-source_dir="$( cd $dir/.. && pwd )"
+dir="$(cd "$(dirname "$0")" && pwd)"
+source_dir="$(cd $dir/.. && pwd)"
 build_dir=$source_dir/build
 conf_file=$build_dir/zeekygen-test.conf
 output_dir=$source_dir/doc
@@ -21,15 +21,14 @@ fi
 
 case $output_dir in
     /*) ;;
-    *) output_dir=`pwd`/$output_dir ;;
+    *) output_dir=$(pwd)/$output_dir ;;
 esac
 
 cd $build_dir
 . zeek-path-dev.sh
 export ZEEK_SEED_FILE=$source_dir/testing/btest/random.seed
 
-function run_zeek
-    {
+function run_zeek {
     ZEEK_ALLOW_INIT_ERRORS=1 zeek -X $conf_file zeekygen >/dev/null 2>$zeek_error_file
 
     if [ $? -ne 0 ]; then
@@ -37,23 +36,22 @@ function run_zeek
         echo "See stderr in $zeek_error_file"
         exit 1
     fi
-    }
+}
 
 scripts_output_dir=$output_dir/scripts
 rm -rf $scripts_output_dir
-printf "script\t*\t$scripts_output_dir/" > $conf_file
+printf "script\t*\t$scripts_output_dir/" >$conf_file
 echo "Generating $scripts_output_dir/"
 run_zeek
 
 script_ref_dir=$output_dir/script-reference
 mkdir -p $script_ref_dir
 
-function generate_index
-    {
+function generate_index {
     echo "Generating $script_ref_dir/$2"
-    printf "$1\t*\t$script_ref_dir/$2\n" > $conf_file
+    printf "$1\t*\t$script_ref_dir/$2\n" >$conf_file
     run_zeek
-    }
+}
 
 generate_index "script_index" "autogenerated-script-index.rst"
 generate_index "package_index" "autogenerated-package-index.rst"
diff --git a/configure b/configure
index f40846bc43..5756c3448f 100755
--- a/configure
+++ b/configure
@@ -118,7 +118,7 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
     CXXFLAGS               C++ compiler flags
 "
 
-sourcedir="$( cd "$( dirname "$0" )" && pwd )"
+sourcedir="$(cd "$(dirname "$0")" && pwd)"
 
 if [ ! -e "$sourcedir/cmake/COPYING" ] && [ -d "$sourcedir/.git" ]; then
     echo "\
@@ -128,8 +128,8 @@ This typically means that you performed a non-recursive git clone of
 Zeek. To check out the required subdirectories, please execute:
 
   ( cd $sourcedir && git submodule update --recursive --init )
-" >&2;
-    exit 1;
+" >&2
+    exit 1
 fi
 
 # Function to append a CMake cache entry definition to the
@@ -137,14 +137,14 @@ fi
 #   $1 is the cache entry variable name
 #   $2 is the cache entry variable type
 #   $3 is the cache entry variable value
-append_cache_entry () {
+append_cache_entry() {
     CMakeCacheEntries="$CMakeCacheEntries -D $1:$2=$3"
 }
 
 # Function to remove a CMake cache entry definition from the
 # CMakeCacheEntries variable
 #   $1 is the cache entry variable name
-remove_cache_entry () {
+remove_cache_entry() {
     CMakeCacheEntries="$CMakeCacheEntries -U $1"
 
     # Even with -U, cmake still warns by default if
@@ -156,22 +156,22 @@ remove_cache_entry () {
 builddir=build
 prefix=/usr/local/zeek
 CMakeCacheEntries=""
-append_cache_entry CMAKE_INSTALL_PREFIX PATH   $prefix
-append_cache_entry ZEEK_ROOT_DIR        PATH   $prefix
+append_cache_entry CMAKE_INSTALL_PREFIX PATH $prefix
+append_cache_entry ZEEK_ROOT_DIR PATH $prefix
 append_cache_entry ZEEK_SCRIPT_INSTALL_PATH STRING $prefix/share/zeek
-append_cache_entry ZEEK_ETC_INSTALL_DIR PATH   $prefix/etc
-append_cache_entry ENABLE_DEBUG         BOOL   false
-append_cache_entry ENABLE_PERFTOOLS     BOOL   false
-append_cache_entry ENABLE_JEMALLOC      BOOL   false
-append_cache_entry BUILD_SHARED_LIBS    BOOL   true
-append_cache_entry INSTALL_AUX_TOOLS    BOOL   true
-append_cache_entry INSTALL_BTEST        BOOL   true
-append_cache_entry INSTALL_BTEST_PCAPS  BOOL   true
-append_cache_entry INSTALL_ZEEK_ARCHIVER BOOL  true
-append_cache_entry INSTALL_ZEEKCTL      BOOL   true
-append_cache_entry INSTALL_ZKG          BOOL   true
+append_cache_entry ZEEK_ETC_INSTALL_DIR PATH $prefix/etc
+append_cache_entry ENABLE_DEBUG BOOL false
+append_cache_entry ENABLE_PERFTOOLS BOOL false
+append_cache_entry ENABLE_JEMALLOC BOOL false
+append_cache_entry BUILD_SHARED_LIBS BOOL true
+append_cache_entry INSTALL_AUX_TOOLS BOOL true
+append_cache_entry INSTALL_BTEST BOOL true
+append_cache_entry INSTALL_BTEST_PCAPS BOOL true
+append_cache_entry INSTALL_ZEEK_ARCHIVER BOOL true
+append_cache_entry INSTALL_ZEEKCTL BOOL true
+append_cache_entry INSTALL_ZKG BOOL true
 append_cache_entry CPACK_SOURCE_IGNORE_FILES STRING
-append_cache_entry ZEEK_SANITIZERS      STRING ""
+append_cache_entry ZEEK_SANITIZERS STRING ""
 append_cache_entry ZEEK_INCLUDE_PLUGINS STRING ""
 
 has_enable_mobile_ipv6=0
@@ -179,12 +179,12 @@ has_enable_mobile_ipv6=0
 # parse arguments
 while [ $# -ne 0 ]; do
     case "$1" in
-        -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
+        -*=*) optarg=$(echo "$1" | sed 's/[-_a-zA-Z0-9]*=//') ;;
         *) optarg= ;;
     esac
 
     case "$1" in
-        --help|-h)
+        --help | -h)
             echo "${usage}" 1>&2
             exit 1
             ;;
@@ -198,110 +198,110 @@ while [ $# -ne 0 ]; do
             builddir=$optarg
             ;;
         --build-type=*)
-            append_cache_entry CMAKE_BUILD_TYPE     STRING $optarg
+            append_cache_entry CMAKE_BUILD_TYPE STRING $optarg
 
             if [ $(echo "$optarg" | tr [:upper:] [:lower:]) = "debug" ]; then
-                append_cache_entry ENABLE_DEBUG         BOOL   true
+                append_cache_entry ENABLE_DEBUG BOOL true
             fi
             ;;
         --generator=*)
             CMakeGenerator="$optarg"
             ;;
         --ccache)
-            append_cache_entry ENABLE_CCACHE         BOOL   true
+            append_cache_entry ENABLE_CCACHE BOOL true
             ;;
         --toolchain=*)
-            append_cache_entry CMAKE_TOOLCHAIN_FILE  PATH   $optarg
+            append_cache_entry CMAKE_TOOLCHAIN_FILE PATH $optarg
             ;;
         --include-plugins=*)
-            append_cache_entry ZEEK_INCLUDE_PLUGINS  STRING   $optarg
+            append_cache_entry ZEEK_INCLUDE_PLUGINS STRING $optarg
             ;;
         --prefix=*)
             prefix=$optarg
-            append_cache_entry CMAKE_INSTALL_PREFIX PATH   $optarg
-            append_cache_entry ZEEK_ROOT_DIR PATH   $optarg
+            append_cache_entry CMAKE_INSTALL_PREFIX PATH $optarg
+            append_cache_entry ZEEK_ROOT_DIR PATH $optarg
             ;;
         --libdir=*)
-            append_cache_entry CMAKE_INSTALL_LIBDIR PATH   $optarg
+            append_cache_entry CMAKE_INSTALL_LIBDIR PATH $optarg
             ;;
         --plugindir=*)
-            append_cache_entry ZEEK_PLUGIN_DIR PATH   $optarg
+            append_cache_entry ZEEK_PLUGIN_DIR PATH $optarg
             ;;
         --python-dir=*)
-            append_cache_entry ZEEK_PYTHON_DIR PATH   $optarg
+            append_cache_entry ZEEK_PYTHON_DIR PATH $optarg
             ;;
         --python-prefix=*)
-            append_cache_entry ZEEK_PYTHON_PREFIX PATH   $optarg
+            append_cache_entry ZEEK_PYTHON_PREFIX PATH $optarg
             ;;
         --python-home=*)
-            append_cache_entry ZEEK_PYTHON_HOME PATH   $optarg
+            append_cache_entry ZEEK_PYTHON_HOME PATH $optarg
             ;;
         --scriptdir=*)
             append_cache_entry ZEEK_SCRIPT_INSTALL_PATH STRING $optarg
             user_set_scriptdir="true"
             ;;
         --conf-files-dir=*)
-            append_cache_entry ZEEK_ETC_INSTALL_DIR PATH   $optarg
+            append_cache_entry ZEEK_ETC_INSTALL_DIR PATH $optarg
             user_set_conffilesdir="true"
             ;;
         --localstatedir=*)
-            append_cache_entry ZEEK_LOCAL_STATE_DIR PATH   $optarg
+            append_cache_entry ZEEK_LOCAL_STATE_DIR PATH $optarg
             ;;
         --spooldir=*)
-            append_cache_entry ZEEK_SPOOL_DIR       PATH   $optarg
+            append_cache_entry ZEEK_SPOOL_DIR PATH $optarg
             ;;
         --logdir=*)
-            append_cache_entry ZEEK_LOG_DIR         PATH   $optarg
+            append_cache_entry ZEEK_LOG_DIR PATH $optarg
             ;;
         --mandir=*)
-            append_cache_entry ZEEK_MAN_INSTALL_PATH         PATH   $optarg
+            append_cache_entry ZEEK_MAN_INSTALL_PATH PATH $optarg
             ;;
         --enable-coverage)
-            append_cache_entry ENABLE_COVERAGE         BOOL   true
-            append_cache_entry ENABLE_DEBUG         BOOL   true
+            append_cache_entry ENABLE_COVERAGE BOOL true
+            append_cache_entry ENABLE_DEBUG BOOL true
             ;;
         --enable-fuzzers)
             append_cache_entry ZEEK_ENABLE_FUZZERS BOOL true
             ;;
         --enable-debug)
-            append_cache_entry ENABLE_DEBUG         BOOL   true
+            append_cache_entry ENABLE_DEBUG BOOL true
             ;;
         --enable-mobile-ipv6)
             has_enable_mobile_ipv6=1
             ;;
         --enable-perftools)
-            append_cache_entry ENABLE_PERFTOOLS     BOOL   true
+            append_cache_entry ENABLE_PERFTOOLS BOOL true
             ;;
         --enable-perftools-debug)
-            append_cache_entry ENABLE_PERFTOOLS     BOOL   true
-            append_cache_entry ENABLE_PERFTOOLS_DEBUG BOOL   true
+            append_cache_entry ENABLE_PERFTOOLS BOOL true
+            append_cache_entry ENABLE_PERFTOOLS_DEBUG BOOL true
             ;;
         --sanitizers=*)
-            append_cache_entry ZEEK_SANITIZERS    STRING    $optarg
+            append_cache_entry ZEEK_SANITIZERS STRING $optarg
             ;;
         --enable-jemalloc)
-            append_cache_entry ENABLE_JEMALLOC     BOOL   true
+            append_cache_entry ENABLE_JEMALLOC BOOL true
             ;;
         --enable-static-broker)
-            append_cache_entry BUILD_STATIC_BROKER    BOOL    true
+            append_cache_entry BUILD_STATIC_BROKER BOOL true
             ;;
         --enable-static-binpac)
-            append_cache_entry BUILD_STATIC_BINPAC    BOOL    true
+            append_cache_entry BUILD_STATIC_BINPAC BOOL true
             ;;
         --enable-cpp-tests)
-            append_cache_entry ENABLE_ZEEK_UNIT_TESTS BOOL    true
+            append_cache_entry ENABLE_ZEEK_UNIT_TESTS BOOL true
             ;;
         --enable-zeek-client)
-            append_cache_entry INSTALL_ZEEK_CLIENT    BOOL    true
+            append_cache_entry INSTALL_ZEEK_CLIENT BOOL true
             ;;
         --disable-zeekctl)
-            append_cache_entry INSTALL_ZEEKCTL       BOOL   false
+            append_cache_entry INSTALL_ZEEKCTL BOOL false
             ;;
         --disable-auxtools)
-            append_cache_entry INSTALL_AUX_TOOLS    BOOL   false
+            append_cache_entry INSTALL_AUX_TOOLS BOOL false
             ;;
         --disable-archiver)
-            append_cache_entry INSTALL_ZEEK_ARCHIVER    BOOL   false
+            append_cache_entry INSTALL_ZEEK_ARCHIVER BOOL false
             ;;
         --disable-btest)
             append_cache_entry INSTALL_BTEST BOOL false
@@ -310,10 +310,10 @@ while [ $# -ne 0 ]; do
             append_cache_entry INSTALL_BTEST_PCAPS BOOL false
             ;;
         --disable-python)
-            append_cache_entry DISABLE_PYTHON_BINDINGS     BOOL   true
+            append_cache_entry DISABLE_PYTHON_BINDINGS BOOL true
             ;;
         --disable-broker-tests)
-            append_cache_entry BROKER_DISABLE_TESTS        BOOL true
+            append_cache_entry BROKER_DISABLE_TESTS BOOL true
             append_cache_entry BROKER_DISABLE_DOC_EXAMPLES BOOL true
             ;;
         --disable-zkg)
@@ -329,10 +329,10 @@ while [ $# -ne 0 ]; do
             append_cache_entry PCAP_ROOT_DIR PATH $optarg
             ;;
         --with-binpac=*)
-            append_cache_entry BINPAC_EXE_PATH     PATH $optarg
+            append_cache_entry BINPAC_EXE_PATH PATH $optarg
             ;;
         --with-bifcl=*)
-            append_cache_entry BIFCL_EXE_PATH      PATH   $optarg
+            append_cache_entry BIFCL_EXE_PATH PATH $optarg
             ;;
         --with-flex=*)
             append_cache_entry FLEX_EXECUTABLE PATH $optarg
@@ -350,30 +350,30 @@ while [ $# -ne 0 ]; do
             append_cache_entry GooglePerftools_ROOT_DIR PATH $optarg
             ;;
         --with-jemalloc=*)
-            append_cache_entry JEMALLOC_ROOT_DIR    PATH    $optarg
-            append_cache_entry ENABLE_JEMALLOC      BOOL    true
+            append_cache_entry JEMALLOC_ROOT_DIR PATH $optarg
+            append_cache_entry ENABLE_JEMALLOC BOOL true
             ;;
         --with-python=*)
-            append_cache_entry PYTHON_EXECUTABLE    PATH    $optarg
+            append_cache_entry PYTHON_EXECUTABLE PATH $optarg
             ;;
         --with-python-lib=*)
-            append_cache_entry PYTHON_LIBRARY       PATH    $optarg
+            append_cache_entry PYTHON_LIBRARY PATH $optarg
             ;;
         --with-python-inc=*)
-            append_cache_entry PYTHON_INCLUDE_DIR   PATH    $optarg
-            append_cache_entry PYTHON_INCLUDE_PATH  PATH    $optarg
+            append_cache_entry PYTHON_INCLUDE_DIR PATH $optarg
+            append_cache_entry PYTHON_INCLUDE_PATH PATH $optarg
             ;;
         --with-swig=*)
-            append_cache_entry SWIG_EXECUTABLE      PATH    $optarg
+            append_cache_entry SWIG_EXECUTABLE PATH $optarg
             ;;
         --with-broker=*)
-            append_cache_entry BROKER_ROOT_DIR      PATH   $optarg
+            append_cache_entry BROKER_ROOT_DIR PATH $optarg
             ;;
         --with-caf=*)
-            append_cache_entry CAF_ROOT          PATH   $optarg
+            append_cache_entry CAF_ROOT PATH $optarg
             ;;
         --with-libkqueue=*)
-            append_cache_entry LIBKQUEUE_ROOT_DIR      PATH   $optarg
+            append_cache_entry LIBKQUEUE_ROOT_DIR PATH $optarg
             ;;
         --binary-package)
             append_cache_entry BINARY_PACKAGING_MODE BOOL true
@@ -400,15 +400,15 @@ done
 
 if [ -z "$CMakeCommand" ]; then
     # prefer cmake3 over "regular" cmake (cmake == cmake2 on RHEL)
-    if command -v cmake3 >/dev/null 2>&1 ; then
+    if command -v cmake3 >/dev/null 2>&1; then
         CMakeCommand="cmake3"
-    elif command -v cmake >/dev/null 2>&1 ; then
+    elif command -v cmake >/dev/null 2>&1; then
         CMakeCommand="cmake"
     else
         echo "This package requires CMake, please install it first."
         echo "Then you may use this script to configure the CMake build."
         echo "Note: pass --cmake=PATH to use cmake in non-standard locations."
-        exit 1;
+        exit 1
     fi
 fi
 
@@ -442,8 +442,8 @@ else
     "$CMakeCommand" $CMakeCacheEntries $sourcedir
 fi
 
-echo "# This is the command used to configure this build" > config.status
-echo $command >> config.status
+echo "# This is the command used to configure this build" >config.status
+echo $command >>config.status
 chmod u+x config.status
 
 if [ $has_enable_mobile_ipv6 -eq 1 ]; then
diff --git a/src/script_opt/CPP/single-full-test.sh b/src/script_opt/CPP/single-full-test.sh
index 84d9b21479..71fc927b27 100755
--- a/src/script_opt/CPP/single-full-test.sh
+++ b/src/script_opt/CPP/single-full-test.sh
@@ -16,7 +16,7 @@ cd $test
 grep -c '^namespace' $gen
 mv $gen $build/
 cd $build
-ninja >& errs || echo build for $1 failed
+ninja >&errs || echo build for $1 failed
 
 export -n ZEEK_GEN_CPP
 cd $test
diff --git a/src/script_opt/CPP/single-test.sh b/src/script_opt/CPP/single-test.sh
index 6d2a117e67..afc552ce03 100755
--- a/src/script_opt/CPP/single-test.sh
+++ b/src/script_opt/CPP/single-test.sh
@@ -15,7 +15,7 @@ cp $build/CPP-hashes.dat .
 grep -c '^namespace' $gen
 mv $gen $build
 cd $build
-ninja >& errs || echo build for $1 failed
+ninja >&errs || echo build for $1 failed
 
 export -n ZEEK_ADD_CPP
 cd $test
diff --git a/src/script_opt/CPP/test-suite-build b/src/script_opt/CPP/test-suite-build
index a79ffd88bb..0e06a7ba71 100755
--- a/src/script_opt/CPP/test-suite-build
+++ b/src/script_opt/CPP/test-suite-build
@@ -15,4 +15,4 @@ echo >$gen
 grep -c '^namespace' $gen
 mv $gen $so
 cd $build
-ninja >& errs || echo test suite build failed
+ninja >&errs || echo test suite build failed
diff --git a/src/script_opt/CPP/update-single-test.sh b/src/script_opt/CPP/update-single-test.sh
index aa521a053e..35fb2a2d77 100755
--- a/src/script_opt/CPP/update-single-test.sh
+++ b/src/script_opt/CPP/update-single-test.sh
@@ -13,7 +13,7 @@ cp $build/CPP-hashes.dat .
 grep -c '^namespace' $gen
 mv $gen $build/
 cd $build
-ninja >& errs || echo build for $1 failed
+ninja >&errs || echo build for $1 failed
 
 export -n ZEEK_ADD_CPP
 cd $test
diff --git a/testing/btest/coverage/zeekygen.sh b/testing/btest/coverage/zeekygen.sh
index 6bc43d9c90..ccde52d90c 100644
--- a/testing/btest/coverage/zeekygen.sh
+++ b/testing/btest/coverage/zeekygen.sh
@@ -10,11 +10,10 @@
 
 error_count=0
 
-error_msg()
-    {
-    error_count=$((error_count+1))
-    echo "$@" 1>&2;
-    }
+error_msg() {
+    error_count=$((error_count + 1))
+    echo "$@" 1>&2
+}
 
 if [ $# -ne 2 ]; then
     print "incorrect arguments"
@@ -29,7 +28,7 @@ for f in $all_loads; do
 done
 
 if [ $error_count -gt 0 ]; then
-    exit 1;
+    exit 1
 fi
 
 exit 0
diff --git a/testing/btest/plugins/bifs-and-scripts.sh b/testing/btest/plugins/bifs-and-scripts.sh
index 345c1faa8f..180b95c5c5 100644
--- a/testing/btest/plugins/bifs-and-scripts.sh
+++ b/testing/btest/plugins/bifs-and-scripts.sh
@@ -60,4 +60,3 @@ EOF
 cat >activate.zeek <<EOF
 @load-plugin Demo::Foo
 EOF
-
diff --git a/testing/coverage/code_coverage.sh b/testing/coverage/code_coverage.sh
index 79999abe19..edeef9cc3f 100755
--- a/testing/coverage/code_coverage.sh
+++ b/testing/coverage/code_coverage.sh
@@ -16,69 +16,69 @@
 #	4a. Analyze .gcov files generated and create summary file
 #	4b. Send .gcov files to appropriate path
 #
-CURR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" # Location of script
-BASE="$( cd "$CURR" && cd ../../ && pwd )"
+CURR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" # Location of script
+BASE="$(cd "$CURR" && cd ../../ && pwd)"
 TMP="${CURR}/tmp.$$"
 mkdir -p $TMP
 
 # DEFINE CLEANUP PROCESS
 function finish {
-	rm -rf $TMP
+    rm -rf $TMP
 }
 trap finish EXIT
 
 # DEFINE CRUCIAL FUNCTIONS FOR COVERAGE CHECKING
 function check_file_coverage {
-	GCOVDIR="$1"
+    GCOVDIR="$1"
 
-	for i in $GCOVDIR/*.gcov; do
-		# Effective # of lines: starts with a number (# of runs in line) or ##### (line never run)
-		TOTAL=$(cut -d: -f 1 "$i" | sed 's/ //g' | grep -v "^[[:alpha:]]" | grep -v "-" | wc -l)
+    for i in $GCOVDIR/*.gcov; do
+        # Effective # of lines: starts with a number (# of runs in line) or ##### (line never run)
+        TOTAL=$(cut -d: -f 1 "$i" | sed 's/ //g' | grep -v "^[[:alpha:]]" | grep -v "-" | wc -l)
 
-		# Count number of lines never run
-		UNRUN=$(grep "#####" "$i" | wc -l)
+        # Count number of lines never run
+        UNRUN=$(grep "#####" "$i" | wc -l)
 
-		# Lines in code are either run or unrun
-		RUN=$(($TOTAL - $UNRUN))
+        # Lines in code are either run or unrun
+        RUN=$(($TOTAL - $UNRUN))
 
-                # Avoid division-by-zero problems:
-                PERCENTAGE=0.000
-                [ $RUN -gt 0 ] && PERCENTAGE=$(bc <<< "scale=3; 100*$RUN/$TOTAL")
+        # Avoid division-by-zero problems:
+        PERCENTAGE=0.000
+        [ $RUN -gt 0 ] && PERCENTAGE=$(bc <<<"scale=3; 100*$RUN/$TOTAL")
 
-		# Find correlation between % of lines run vs. "Runs"
-		echo -e "$PERCENTAGE\t$RUN\t$TOTAL\t$(grep "0:Runs" "$i" | sed 's/.*://')\t$i"
-	done
+        # Find correlation between % of lines run vs. "Runs"
+        echo -e "$PERCENTAGE\t$RUN\t$TOTAL\t$(grep "0:Runs" "$i" | sed 's/.*://')\t$i"
+    done
 }
 
 function check_group_coverage {
-	DATA="$1"	# FILE CONTAINING COVERAGE DATA
-	SRC_FOLDER="$2" # WHERE ZEEK WAS COMPILED
-	OUTPUT="$3"
+    DATA="$1"       # FILE CONTAINING COVERAGE DATA
+    SRC_FOLDER="$2" # WHERE ZEEK WAS COMPILED
+    OUTPUT="$3"
 
-	# Prints all the relevant directories
-	DIRS=$(for i in $(cut -f 5 "$DATA"); do basename "$i" | sed 's/#[^#]*$//'; done \
-		| sort | uniq | sed 's/^.*'"${SRC_FOLDER}"'//' | grep "^#s\+" )
-	# "Generalize" folders unless it's from analyzers
-	DIRS=$(for i in $DIRS; do
-		if !(echo "$i" | grep "src#analyzer"); then
-			echo "$i" | cut -d "#" -f 1,2,3
-		fi
-	done | sort | uniq )
+    # Prints all the relevant directories
+    DIRS=$(for i in $(cut -f 5 "$DATA"); do basename "$i" | sed 's/#[^#]*$//'; done |
+        sort | uniq | sed 's/^.*'"${SRC_FOLDER}"'//' | grep "^#s\+")
+    # "Generalize" folders unless it's from analyzers
+    DIRS=$(for i in $DIRS; do
+        if !(echo "$i" | grep "src#analyzer"); then
+            echo "$i" | cut -d "#" -f 1,2,3
+        fi
+    done | sort | uniq)
 
-	for i in $DIRS; do
-		# For elements in #src, we only care about the files direclty in the directory.
-		if [[ "$i" = "#src" ]]; then
-			RUN=$(echo $(grep "$i#[^#]\+$" $DATA | grep "$SRC_FOLDER$i\|build$i" | cut -f 2) | tr " " "+" | bc)
-			TOTAL=$(echo $(grep "$i#[^#]\+$" $DATA | grep "$SRC_FOLDER$i\|build$i" | cut -f 3) | tr " " "+" | bc)
-		else
-			RUN=$(echo $(grep "$i" $DATA | cut -f 2) | tr " " "+" | bc)
-			TOTAL=$(echo $(grep "$i" $DATA | cut -f 3) | tr " " "+" | bc)
-		fi
+    for i in $DIRS; do
+        # For elements in #src, we only care about the files direclty in the directory.
+        if [[ "$i" = "#src" ]]; then
+            RUN=$(echo $(grep "$i#[^#]\+$" $DATA | grep "$SRC_FOLDER$i\|build$i" | cut -f 2) | tr " " "+" | bc)
+            TOTAL=$(echo $(grep "$i#[^#]\+$" $DATA | grep "$SRC_FOLDER$i\|build$i" | cut -f 3) | tr " " "+" | bc)
+        else
+            RUN=$(echo $(grep "$i" $DATA | cut -f 2) | tr " " "+" | bc)
+            TOTAL=$(echo $(grep "$i" $DATA | cut -f 3) | tr " " "+" | bc)
+        fi
 
-		PERCENTAGE=$( echo "scale=3;100*$RUN/$TOTAL" | bc | tr "\n" " " )
-		printf "%-50s\t%12s\t%6s %%\n" "$i" "$RUN/$TOTAL" $PERCENTAGE \
-                       | sed 's|#|/|g' >>$OUTPUT
-	done
+        PERCENTAGE=$(echo "scale=3;100*$RUN/$TOTAL" | bc | tr "\n" " ")
+        printf "%-50s\t%12s\t%6s %%\n" "$i" "$RUN/$TOTAL" $PERCENTAGE |
+            sed 's|#|/|g' >>$OUTPUT
+    done
 }
 
 # 1. Run test suite
@@ -89,7 +89,7 @@ echo -n "Checking for coverage files... "
 for pat in gcda gcno; do
     if [ -z "$(find "$BASE" -name "*.$pat" 2>/dev/null)" ]; then
         echo "no .$pat files, nothing to do"
-	exit 0
+        exit 0
     fi
 done
 echo "ok"
@@ -97,24 +97,24 @@ echo "ok"
 # 3a. Run gcov (-p to preserve path) and move into tmp directory
 # ... if system does not have gcov installed, exit with message.
 echo -n "Creating coverage files... "
-if which gcov > /dev/null 2>&1; then
-	( cd "$TMP" && find "$BASE" -name "*.o" -exec gcov -p {} > /dev/null 2>&1 \; )
-	NUM_GCOVS=$(find "$TMP" -name *.gcov | wc -l)
-	if [ $NUM_GCOVS -eq 0 ]; then
-		echo "no gcov files produced, aborting"
-		exit 1
-	fi
+if which gcov >/dev/null 2>&1; then
+    (cd "$TMP" && find "$BASE" -name "*.o" -exec gcov -p {} \; >/dev/null 2>&1)
+    NUM_GCOVS=$(find "$TMP" -name *.gcov | wc -l)
+    if [ $NUM_GCOVS -eq 0 ]; then
+        echo "no gcov files produced, aborting"
+        exit 1
+    fi
 
-	# Account for '^' that occurs in macOS due to LLVM
-	# This character seems to be equivalent to ".." (up 1 dir)
-	for file in $(ls $TMP/*.gcov | grep '\^'); do
-		mv $file "$(sed 's/#[^#]*#\^//g' <<< "$file")"
-	done
+    # Account for '^' that occurs in macOS due to LLVM
+    # This character seems to be equivalent to ".." (up 1 dir)
+    for file in $(ls $TMP/*.gcov | grep '\^'); do
+        mv $file "$(sed 's/#[^#]*#\^//g' <<<"$file")"
+    done
 
-	echo "ok, $NUM_GCOVS coverage files"
+    echo "ok, $NUM_GCOVS coverage files"
 else
-	echo "gcov is not installed on system, aborting"
-	exit 1
+    echo "gcov is not installed on system, aborting"
+    exit 1
 fi
 
 # 3b. Prune gcov files that fall outside of the Zeek tree:
@@ -134,7 +134,7 @@ echo "ok, $NUM_GCOVS coverage files remain"
 echo -n "Creating summary file... "
 DATA="${TMP}/data.txt"
 SUMMARY="$CURR/coverage.log"
-check_file_coverage "$TMP" > "$DATA"
+check_file_coverage "$TMP" >"$DATA"
 check_group_coverage "$DATA" ${BASE##*/} $SUMMARY
 echo "ok"
 
diff --git a/testing/coverage/lcov_html.sh b/testing/coverage/lcov_html.sh
index 5f13e45365..1366c23f78 100755
--- a/testing/coverage/lcov_html.sh
+++ b/testing/coverage/lcov_html.sh
@@ -14,10 +14,10 @@ function finish {
     rm -rf "$TMP"
 }
 function verify_run {
-    if bash -c "$1" > /dev/null 2>&1; then
-	echo ${2:-"ok"}
+    if bash -c "$1" >/dev/null 2>&1; then
+        echo ${2:-"ok"}
     else
-	die ${3:-"error, abort"}
+        die ${3:-"error, abort"}
     fi
 }
 trap finish EXIT
@@ -50,37 +50,37 @@ Usage: $0 <options>
     exit 1
 }
 
-while (( "$#" )); do
+while (("$#")); do
     case "$1" in
-	--html)
-	    HTML_REPORT=1
-	    if [ ${#2} -eq 0 ]; then
-		COVERAGE_HTML_DIR="coverage-html"
-		shift 1
-	    else
-		COVERAGE_HTML_DIR=$2
-		shift 2
-	    fi
-	    ;;
-	--coveralls)
-	    if [ ${#2} -eq 0 ]; then
-		echo "ERROR: Coveralls repo token must be passed with --coveralls argument."
-		echo
-		usage
-	    fi
+        --html)
+            HTML_REPORT=1
+            if [ ${#2} -eq 0 ]; then
+                COVERAGE_HTML_DIR="coverage-html"
+                shift 1
+            else
+                COVERAGE_HTML_DIR=$2
+                shift 2
+            fi
+            ;;
+        --coveralls)
+            if [ ${#2} -eq 0 ]; then
+                echo "ERROR: Coveralls repo token must be passed with --coveralls argument."
+                echo
+                usage
+            fi
 
-	    HTML_REPORT=0
-	    COVERALLS_REPO_TOKEN=$2
-	    shift 2
-	    ;;
-	--help)
-	    usage
-	    shift 1
-	    ;;
-	*)
-	    COVERAGE_HTML_DIR="${1:-"coverage-html"}"
-	    shift 1
-	    ;;
+            HTML_REPORT=0
+            COVERALLS_REPO_TOKEN=$2
+            shift 2
+            ;;
+        --help)
+            usage
+            shift 1
+            ;;
+        *)
+            COVERAGE_HTML_DIR="${1:-"coverage-html"}"
+            shift 1
+            ;;
     esac
 done
 
@@ -96,7 +96,7 @@ fi
 REMOVE_TARGETS="*.yy *.ll *.y *.l \*/bro.dir/\* *.bif \*/zeek.dir/\* \*/src/3rdparty/\* \*/src/zeek/3rdparty/\* \*/auxil/\* "
 
 # 1. Move to base dir, create tmp dir
-cd ../../;
+cd ../../
 mkdir "$TMP"
 
 # 2. Check for .gcno and .gcda file presence
@@ -104,7 +104,7 @@ echo -n "Checking for coverage files... "
 for pat in gcda gcno; do
     if [ -z "$(find . -name "*.$pat" 2>/dev/null)" ]; then
         echo "no .$pat files, nothing to do"
-	exit 0
+        exit 0
     fi
 done
 echo "ok"
@@ -112,8 +112,8 @@ echo "ok"
 # 3. If lcov does not exist, abort process.
 echo -n "Checking for lcov... "
 verify_run "which lcov" \
-	"lcov installed on system, continue" \
-	"lcov not installed, abort"
+    "lcov installed on system, continue" \
+    "lcov not installed, abort"
 
 # 4. Create a "tracefile" through lcov, which is necessary to create output later on.
 echo -n "Creating tracefile for output generation... "
@@ -142,9 +142,9 @@ else
 
     # If we're being called by Cirrus, add some additional information to the output.
     if [ -n "${CIRRUS_BUILD_ID}" ]; then
-	coveralls_cmd="${coveralls_cmd} --service-name=cirrus --service-job-id=${CIRRUS_BUILD_ID}"
+        coveralls_cmd="${coveralls_cmd} --service-name=cirrus --service-job-id=${CIRRUS_BUILD_ID}"
     else
-	coveralls_cmd="${coveralls_cmd} --service-name=local"
+        coveralls_cmd="${coveralls_cmd} --service-name=local"
     fi
 
     coveralls_cmd="${coveralls_cmd} ${COVERAGE_FILE_CLEAN}"
diff --git a/testing/external/scripts/create-new-repo b/testing/external/scripts/create-new-repo
index 7ea5be13a4..9c625128b3 100755
--- a/testing/external/scripts/create-new-repo
+++ b/testing/external/scripts/create-new-repo
@@ -3,14 +3,14 @@
 # Helper script for creating new external testing repos. See the
 # README for details.
 
-cwd=`pwd`
+cwd=$(pwd)
 
 if [ -z "$1" ]; then
     echo "usage: $0 <name> [<dst-repo-url>]"
     exit 1
 fi
 
-name=`pwd`/$1
+name=$(pwd)/$1
 repo=$2
 
 if [ -e $name ]; then
@@ -29,10 +29,10 @@ done
 
 ln -s ../subdir-btest.cfg ./btest.cfg
 
-cp $cwd/`dirname $0`/skel/test.skeleton tests
-cp $cwd/`dirname $0`/skel/traces.cfg .
-cp $cwd/`dirname $0`/skel/Makefile .
-cp $cwd/`dirname $0`/skel/.gitignore .
+cp $cwd/$(dirname $0)/skel/test.skeleton tests
+cp $cwd/$(dirname $0)/skel/traces.cfg .
+cp $cwd/$(dirname $0)/skel/Makefile .
+cp $cwd/$(dirname $0)/skel/.gitignore .
 
 git add * .gitignore
 
diff --git a/testing/external/scripts/diff-all b/testing/external/scripts/diff-all
index da4333e10e..7718465ab2 100755
--- a/testing/external/scripts/diff-all
+++ b/testing/external/scripts/diff-all
@@ -16,12 +16,12 @@ else
     rm -f $diag
 fi
 
-rc=0;
+rc=0
 
-files_cwd=`ls $@`
-files_baseline=`cd $TEST_BASELINE && ls $@`
+files_cwd=$(ls $@)
+files_baseline=$(cd $TEST_BASELINE && ls $@)
 
-for i in `echo $files_cwd $files_baseline | sort | uniq`; do
+for i in $(echo $files_cwd $files_baseline | sort | uniq); do
     if [[ "$i" != "loaded_scripts.log" && "$i" != "prof.log" && "$i" != "debug.log" && "$i" != "stats.log" && "$i" != broker_*.log ]]; then
 
         if [[ "$i" == "reporter.log" ]]; then
@@ -33,11 +33,11 @@ for i in `echo $files_cwd $files_baseline | sort | uniq`; do
         fi
 
         if ! btest-diff $i; then
-           echo "" >>$diag
-           echo "#### btest-diff $i" >>$diag
-           echo "" >>$diag
-           cat $diag.tmp >>$diag
-           rc=1
+            echo "" >>$diag
+            echo "#### btest-diff $i" >>$diag
+            echo "" >>$diag
+            cat $diag.tmp >>$diag
+            rc=1
         fi
     fi
 done
diff --git a/testing/external/scripts/find-git-repos b/testing/external/scripts/find-git-repos
index 5efd3346d6..f448d9e31c 100755
--- a/testing/external/scripts/find-git-repos
+++ b/testing/external/scripts/find-git-repos
@@ -3,6 +3,6 @@
 # Returns a list of git repositories found in subdirs of the
 # current directory.
 
-for i in `find . -type d`; do
+for i in $(find . -type d); do
     test -e $i/.git && echo $i
 done
diff --git a/testing/external/scripts/update-traces b/testing/external/scripts/update-traces
index 44cb33cc0e..44c7487125 100755
--- a/testing/external/scripts/update-traces
+++ b/testing/external/scripts/update-traces
@@ -5,7 +5,7 @@
 # traces.cfg must consist of lines of the form "<url> [<http-user>[:<http-password>]]"
 
 if [ "$1" == "" ]; then
-    echo "usage: `basename $0` <traces-directory>"
+    echo "usage: $(basename $0) <traces-directory>"
     exit 1
 fi
 
@@ -18,7 +18,7 @@ cfg=traces.cfg
 
 for p in .proxy ../.proxy; do
     if [ -e $p ]; then
-        proxy=`cat $p | head -1 | awk '{print $1}'`
+        proxy=$(cat $p | head -1 | awk '{print $1}')
         echo Using proxy $proxy ...
         proxy="ALL_PROXY=$proxy"
         break
@@ -37,16 +37,16 @@ cat $cfg | while read line; do
         continue
     fi
 
-    url=`echo $line | awk '{print $1}'`
-    auth=`echo $line | awk '{print $2}'`
+    url=$(echo $line | awk '{print $1}')
+    auth=$(echo $line | awk '{print $2}')
 
-    file=$1/`echo $url | sed 's#^.*/##g'`
+    file=$1/$(echo $url | sed 's#^.*/##g')
     fp=$file.md5sum
 
     if [ "$auth" != "" ]; then
         auth="-u $auth"
         # Hide the hostname and directory names in output messages
-        safe_url=`echo $url | sed 's#/[A-Za-z].*/#/[hidden]/#'`
+        safe_url=$(echo $url | sed 's#/[A-Za-z].*/#/[hidden]/#')
     else
         safe_url=$url
     fi
@@ -66,7 +66,7 @@ cat $cfg | while read line; do
             download=1
         fi
     else
-       download=1
+        download=1
     fi
 
     if [ "$download" = "1" ]; then
@@ -77,9 +77,9 @@ cat $cfg | while read line; do
         }
         echo
         mv $fp.tmp $fp
-     #else
-     #  echo "`basename $file` already available."
-     fi
+    #else
+    #  echo "`basename $file` already available."
+    fi
 
     rm -f $fp.tmp
 
diff --git a/testing/scripts/diff-canonifier b/testing/scripts/diff-canonifier
index 3cb213a3f7..5bfcac4d5f 100755
--- a/testing/scripts/diff-canonifier
+++ b/testing/scripts/diff-canonifier
@@ -2,4 +2,4 @@
 #
 # Default canonifier used with the tests in testing/btest/*.
 
-`dirname $0`/diff-remove-timestamps
+$(dirname $0)/diff-remove-timestamps
diff --git a/testing/scripts/diff-canonifier-external b/testing/scripts/diff-canonifier-external
index 99520adbb4..43d2182fbd 100755
--- a/testing/scripts/diff-canonifier-external
+++ b/testing/scripts/diff-canonifier-external
@@ -3,28 +3,27 @@
 # Default canonifier used with the trace-based tests in testing/external/*.
 
 if [ $# != 1 ]; then
-    echo "usage: `basename $0` <filename>"
+    echo "usage: $(basename $0) <filename>"
     exit 1
 fi
 
-filename=`basename $1`
+filename=$(basename $1)
 
 addl="cat"
 
 if [ "$filename" == "capture_loss.log" ]; then
-    addl="`dirname $0`/diff-remove-fractions"
+    addl="$(dirname $0)/diff-remove-fractions"
 fi
 
 if [ "$filename" == "ssh.log" ]; then
-    addl="`dirname $0`/diff-remove-fields remote_location"
+    addl="$(dirname $0)/diff-remove-fields remote_location"
 fi
 
-`dirname $0`/diff-remove-timestamps \
-    | `dirname $0`/diff-remove-uids \
-    | `dirname $0`/diff-remove-file-ids \
-    | `dirname $0`/diff-remove-x509-names \
-    | `dirname $0`/diff-sort-conn-service \
-    | `dirname $0`/diff-sort-set-elements \
-    | `dirname $0`/diff-sort \
-    | eval $addl
-
+$(dirname $0)/diff-remove-timestamps |
+    $(dirname $0)/diff-remove-uids |
+    $(dirname $0)/diff-remove-file-ids |
+    $(dirname $0)/diff-remove-x509-names |
+    $(dirname $0)/diff-sort-conn-service |
+    $(dirname $0)/diff-sort-set-elements |
+    $(dirname $0)/diff-sort |
+    eval $addl
diff --git a/testing/scripts/diff-remove-abspath b/testing/scripts/diff-remove-abspath
index 14d5fca052..e08d64d5e2 100755
--- a/testing/scripts/diff-remove-abspath
+++ b/testing/scripts/diff-remove-abspath
@@ -2,11 +2,11 @@
 #
 # Replace absolute paths with the basename.
 
-if [ `uname` == "Linux" ]; then
-   sed="sed -r"
+if [ $(uname) == "Linux" ]; then
+    sed="sed -r"
 else
-   sed="sed -E"
+    sed="sed -E"
 fi
 
-$sed 's#/+#/#g' | \
-$sed 's#/([^	 :/]{1,}/){1,}([^	 :/]{1,})#<...>/\2#g'
+$sed 's#/+#/#g' |
+    $sed 's#/([^	 :/]{1,}/){1,}([^	 :/]{1,})#<...>/\2#g'
diff --git a/testing/scripts/diff-remove-fields b/testing/scripts/diff-remove-fields
index 3b20425f72..762288a505 100755
--- a/testing/scripts/diff-remove-fields
+++ b/testing/scripts/diff-remove-fields
@@ -4,7 +4,7 @@
 # prefix.
 
 if [ $# != 1 ]; then
-    echo "usage: `basename $0` <field prefix>"
+    echo "usage: $(basename $0) <field prefix>"
     exit 1
 fi
 
diff --git a/testing/scripts/diff-remove-fractions b/testing/scripts/diff-remove-fractions
index 975157913c..fc8b0345f6 100755
--- a/testing/scripts/diff-remove-fractions
+++ b/testing/scripts/diff-remove-fractions
@@ -3,4 +3,3 @@
 # Replace fractions of double value (i.e., 3.14 -> 3.x).
 
 sed 's/\.[0-9]\{1,\}/.X/g'
-
diff --git a/testing/scripts/diff-remove-openclose-timestamps b/testing/scripts/diff-remove-openclose-timestamps
index e3e0a201be..a70989540f 100755
--- a/testing/scripts/diff-remove-openclose-timestamps
+++ b/testing/scripts/diff-remove-openclose-timestamps
@@ -3,10 +3,10 @@
 # Replace timestamps in the #start/end markers in logs.
 
 # Get us "modern" regexps with sed.
-if [ `uname` == "Linux" ]; then
-   sed="sed -r"
+if [ $(uname) == "Linux" ]; then
+    sed="sed -r"
 else
-   sed="sed -E"
+    sed="sed -E"
 fi
 
 $sed 's/^ *#(open|close).(19|20)..-..-..-..-..-..$/#\1 XXXX-XX-XX-XX-XX-XX/g'
diff --git a/testing/scripts/diff-remove-timestamps b/testing/scripts/diff-remove-timestamps
index 0bcc458739..46f3f34e00 100755
--- a/testing/scripts/diff-remove-timestamps
+++ b/testing/scripts/diff-remove-timestamps
@@ -3,10 +3,10 @@
 # Replace anything which looks like timestamps with XXXs (including the #start/end markers in logs).
 
 # Get us "modern" regexps with sed.
-if [ `uname` == "Linux" ]; then
-   sed="sed -r"
+if [ $(uname) == "Linux" ]; then
+    sed="sed -r"
 else
-   sed="sed -E"
+    sed="sed -E"
 fi
 
-$sed -e 's/(^|[^0-9])([0-9]{9,10}\.[0-9]{1,8})/\1XXXXXXXXXX.XXXXXX/g' -e  's/^ *#(open|close).(19|20)..-..-..-..-..-..$/#\1 XXXX-XX-XX-XX-XX-XX/g'
+$sed -e 's/(^|[^0-9])([0-9]{9,10}\.[0-9]{1,8})/\1XXXXXXXXXX.XXXXXX/g' -e 's/^ *#(open|close).(19|20)..-..-..-..-..-..$/#\1 XXXX-XX-XX-XX-XX-XX/g'
diff --git a/testing/scripts/diff-sort b/testing/scripts/diff-sort
index 08b36c79bf..66e2893c80 100755
--- a/testing/scripts/diff-sort
+++ b/testing/scripts/diff-sort
@@ -8,11 +8,11 @@ if [ "$TMP" == "" ]; then
     TMP=/tmp
 fi
 
-tmp=$TMP/`basename $0`.$$.tmp
+tmp=$TMP/$(basename $0).$$.tmp
 
 cat >$tmp
 
-echo "### NOTE: This file has been sorted with `basename $0`."
+echo "### NOTE: This file has been sorted with $(basename $0)."
 cat $tmp | grep ^#
 cat $tmp | grep -v ^# | sort -s
 
diff --git a/testing/scripts/fake-sendmail b/testing/scripts/fake-sendmail
index 4483460261..4cc09f6b2f 100755
--- a/testing/scripts/fake-sendmail
+++ b/testing/scripts/fake-sendmail
@@ -2,14 +2,14 @@
 #
 # Just writes the arguments and stdin to a file, to compare with diff
 
-echo "------- cmdline args -----------" >> sendmail.out
-echo "$*" >> sendmail.out
-echo "----------- stdin --------------" >> sendmail.out
+echo "------- cmdline args -----------" >>sendmail.out
+echo "$*" >>sendmail.out
+echo "----------- stdin --------------" >>sendmail.out
 while IFS= read -r line; do
     # Strip out the user agent, which is version dependent
     if [[ $line == "User-Agent: Zeek/"* ]]; then
-        printf 'User-Agent: Zeek/$zeek_version()\n' >> sendmail.out
+        printf 'User-Agent: Zeek/$zeek_version()\n' >>sendmail.out
     else
-        printf '%s\n' "$line" >> sendmail.out
+        printf '%s\n' "$line" >>sendmail.out
     fi
 done
diff --git a/testing/scripts/update-external-repo-pointer.sh b/testing/scripts/update-external-repo-pointer.sh
index e6711a0d9d..bbd400a4c1 100755
--- a/testing/scripts/update-external-repo-pointer.sh
+++ b/testing/scripts/update-external-repo-pointer.sh
@@ -41,8 +41,8 @@ if [ "$file_hash" != "$head_hash" ]; then
     read -p "[Y/n] " choice
 
     case "$choice" in
-        n|N) echo "Skipped '$repo_base'";;
-        *) echo $head_hash > $hash_file  && git add $hash_file && echo "Updated '$file_base'";;
+        n | N) echo "Skipped '$repo_base'" ;;
+        *) echo $head_hash >$hash_file && git add $hash_file && echo "Updated '$file_base'" ;;
     esac
 else
     echo " none"
diff --git a/testing/scripts/wait-for-file b/testing/scripts/wait-for-file
index 7a0a6f6874..d1b1ae7ced 100755
--- a/testing/scripts/wait-for-file
+++ b/testing/scripts/wait-for-file
@@ -3,8 +3,8 @@
 # Sleeps until a file comes into existence.
 
 if [[ $# -ne 2 ]]; then
-  >&2 echo "usage: $0 <file to wait for> <max secs to wait>"
-  exit 1
+    echo >&2 "usage: $0 <file to wait for> <max secs to wait>"
+    exit 1
 fi
 
 wait_file=$1
@@ -12,13 +12,12 @@ max_wait=$2
 wait_count=0
 
 while [[ ! -e $wait_file ]]; do
-  let "wait_count += 1"
+    let "wait_count += 1"
 
-  if [[ $wait_count -ge $max_wait ]]; then
-    >&2 echo "error: file '$wait_file' does not exist after $max_wait seconds"
-    exit 1
-  fi
+    if [[ $wait_count -ge $max_wait ]]; then
+        echo >&2 "error: file '$wait_file' does not exist after $max_wait seconds"
+        exit 1
+    fi
 
-  sleep 1
+    sleep 1
 done
-
diff --git a/zeek-config.in b/zeek-config.in
index 8aa200db73..20c3e22475 100755
--- a/zeek-config.in
+++ b/zeek-config.in
@@ -22,9 +22,9 @@ add_path() {
     # $1: existing path
     # $2: path to add
     if test -z "$2" || test "$1" = "$2" ||
-       echo "$1" | grep -q "^$2:" 2>/dev/null ||
-       echo "$1" | grep -q ":$2:" 2>/dev/null ||
-       echo "$1" | grep -q ":$2$" 2>/dev/null; then
+        echo "$1" | grep -q "^$2:" 2>/dev/null ||
+        echo "$1" | grep -q ":$2:" 2>/dev/null ||
+        echo "$1" | grep -q ":$2$" 2>/dev/null; then
         echo "$1"
         return
     fi
@@ -69,81 +69,81 @@ Toplevel installation directories for third-party components:
 "
 }
 
-if [ $# -eq 0 ] ; then
-      usage 1>&2
-      exit 1
+if [ $# -eq 0 ]; then
+    usage 1>&2
+    exit 1
 fi
 
 while [ $# -ne 0 ]; do
-  case "$1" in
-  -*=*) optarg=`echo "$1" | sed 's/[-_a-zA-Z0-9]*=//'` ;;
-  *) optarg= ;;
-  esac
+    case "$1" in
+        -*=*) optarg=$(echo "$1" | sed 's/[-_a-zA-Z0-9]*=//') ;;
+        *) optarg= ;;
+    esac
 
-  case $1 in
-    --binpac_root)
-      echo $binpac_root
-      ;;
-    --bro_dist)  # For compatibility with legacy Bro plugins.
-      echo $zeek_dist
-      ;;
-    --broker_root)
-      echo $broker_root
-      ;;
-    --bropath)   # For compatibility with legacy Bro plugins.
-      echo $zeekpath
-      ;;
-    --btest_tools_dir)
-      echo $btest_tools_dir
-      ;;
-    --build_type)
-      echo $build_type
-      ;;
-    --caf_root)
-      echo $caf_root
-      ;;
-    --cmake_dir)
-      echo $cmake_dir
-      ;;
-    --config_dir)
-      echo $config_dir
-      ;;
-    --include_dir)
-      echo $include_dir
-      ;;
-    --lib_dir)
-      echo $lib_dir
-      ;;
-    --plugin_dir)
-      echo $plugin_dir
-      ;;
-    --prefix)
-      echo $prefix
-      ;;
-    --python_dir)
-      echo $python_dir
-      ;;
-    --script_dir)
-      echo $script_dir
-      ;;
-    --site_dir)
-      echo $site_dir
-      ;;
-    --version)
-      echo $version
-      ;;
-    --zeek_dist)
-      echo $zeek_dist
-      ;;
-    --zeekpath)
-      echo $zeekpath
-      ;;
-    *)
-      usage 1>&2
-      exit 1
-      ;;
-  esac
-  shift
+    case $1 in
+        --binpac_root)
+            echo $binpac_root
+            ;;
+        --bro_dist) # For compatibility with legacy Bro plugins.
+            echo $zeek_dist
+            ;;
+        --broker_root)
+            echo $broker_root
+            ;;
+        --bropath) # For compatibility with legacy Bro plugins.
+            echo $zeekpath
+            ;;
+        --btest_tools_dir)
+            echo $btest_tools_dir
+            ;;
+        --build_type)
+            echo $build_type
+            ;;
+        --caf_root)
+            echo $caf_root
+            ;;
+        --cmake_dir)
+            echo $cmake_dir
+            ;;
+        --config_dir)
+            echo $config_dir
+            ;;
+        --include_dir)
+            echo $include_dir
+            ;;
+        --lib_dir)
+            echo $lib_dir
+            ;;
+        --plugin_dir)
+            echo $plugin_dir
+            ;;
+        --prefix)
+            echo $prefix
+            ;;
+        --python_dir)
+            echo $python_dir
+            ;;
+        --script_dir)
+            echo $script_dir
+            ;;
+        --site_dir)
+            echo $site_dir
+            ;;
+        --version)
+            echo $version
+            ;;
+        --zeek_dist)
+            echo $zeek_dist
+            ;;
+        --zeekpath)
+            echo $zeekpath
+            ;;
+        *)
+            usage 1>&2
+            exit 1
+            ;;
+    esac
+    shift
 done
 
 exit 0
diff --git a/zeek-wrapper.in b/zeek-wrapper.in
index 939424d28b..0f13f7fe63 100755
--- a/zeek-wrapper.in
+++ b/zeek-wrapper.in
@@ -6,7 +6,7 @@
 # exit code.
 
 function deprecated {
-cat >&2 <<EOF
+    cat >&2 <<EOF
 Error: Use of '$1' is no longer supported. Please use '$2' instead.
 
 EOF

From fd56eddcfbd6f9d89c6d4277bace883b6074560d Mon Sep 17 00:00:00 2001
From: Benjamin Bannier <benjamin.bannier@corelight.com>
Date: Wed, 24 Nov 2021 23:01:26 +0100
Subject: [PATCH 108/210] Format Python scripts with yapf.

We also add a very basic yapf configuration file. Most of the changes in
this patch were performed automatically, but we broke one overly long
string into multiple components on `src/make_dbg_constants.py`.
---
 .pre-commit-config.yaml       |  5 +++++
 .style.yapf                   |  2 ++
 src/make_dbg_constants.py     | 25 +++++++++++++++++++------
 testing/scripts/coverage-calc |  3 ++-
 testing/scripts/httpd.py      | 18 +++++++++++-------
 5 files changed, 39 insertions(+), 14 deletions(-)
 create mode 100644 .style.yapf

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 38c18b5ccf..50844cf58b 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -12,3 +12,8 @@ repos:
   hooks:
     - id: shfmt
       args: ["-w", "-i", "4", "-ci"]
+
+- repo: https://github.com/pre-commit/mirrors-yapf
+  rev: v0.31.0
+  hooks:
+  - id: yapf
diff --git a/.style.yapf b/.style.yapf
new file mode 100644
index 0000000000..b05085101b
--- /dev/null
+++ b/.style.yapf
@@ -0,0 +1,2 @@
+[style]
+column_limit=100
diff --git a/src/make_dbg_constants.py b/src/make_dbg_constants.py
index 51a9c4c3b7..3b5d7f2da6 100644
--- a/src/make_dbg_constants.py
+++ b/src/make_dbg_constants.py
@@ -53,11 +53,15 @@ namespace zeek::detail {\n
 void init_global_dbg_constants () {
 ''' % inputfile
 
+
 def outputrecord():
     global init_str, enum_str
 
     if dbginfo["names"]:
-        dbginfo["name_init"] = "const char * const names[] = {\n\t\t\t%s\n\t\t};\n" % ",\n\t\t\t".join(dbginfo["names"])
+        dbginfo["name_init"] = "const char * const names[] = {\n"\
+                               "\t\t\t%s\n"\
+                               "\t\t};\n" \
+                               % ",\n\t\t\t".join(dbginfo["names"])
     else:
         dbginfo["name_init"] = "const char * const names[] = { };\n"
 
@@ -68,16 +72,25 @@ def outputrecord():
 
     enum_str += "\t%s,\n" % dbginfo["cmd"]
 
+
 def initdbginfo():
-    return {"cmd": "", "name_init": "", "num_names": 0, "names": [],
-            "resume": "false", "help": "", "repeatable": "false"}
+    return {
+        "cmd": "",
+        "name_init": "",
+        "num_names": 0,
+        "names": [],
+        "resume": "false",
+        "help": "",
+        "repeatable": "false"
+    }
+
 
 dbginfo = initdbginfo()
 
 inputf = open(inputfile, "r")
 for line in inputf:
     line = line.strip()
-    if not line or line.startswith("//"):	# skip empty lines and comments
+    if not line or line.startswith("//"):  # skip empty lines and comments
         continue
 
     fields = line.split(":", 1)
@@ -95,9 +108,9 @@ for line in inputf:
         dbginfo[f1] = f2
     elif f1 == "names":
         # put quotes around the strings
-        dbginfo[f1] = [ '"%s"' % n for n in f2.split() ]
+        dbginfo[f1] = ['"%s"' % n for n in f2.split()]
     elif f1 == "help":
-        dbginfo[f1] = f2.replace('"', '\\"') # escape quotation marks
+        dbginfo[f1] = f2.replace('"', '\\"')  # escape quotation marks
     elif f1 in ("resume", "repeatable"):
         dbginfo[f1] = f2
     else:
diff --git a/testing/scripts/coverage-calc b/testing/scripts/coverage-calc
index 016cfff5c4..0d5f2d8269 100755
--- a/testing/scripts/coverage-calc
+++ b/testing/scripts/coverage-calc
@@ -56,4 +56,5 @@ for k in stats:
         num_covered += 1
 
 if len(stats) > 0:
-    print("%s/%s (%.1f%%) Zeek script statements covered." % (num_covered, len(stats), float(num_covered)/len(stats)*100))
+    print("%s/%s (%.1f%%) Zeek script statements covered." %
+          (num_covered, len(stats), float(num_covered) / len(stats) * 100))
diff --git a/testing/scripts/httpd.py b/testing/scripts/httpd.py
index 7ecfb636e9..00d7143165 100755
--- a/testing/scripts/httpd.py
+++ b/testing/scripts/httpd.py
@@ -2,8 +2,8 @@
 
 import http.server as BaseHTTPServer
 
-class MyRequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
 
+class MyRequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
     def do_GET(self):
         self.send_response(200)
         self.send_header("Content-type", "text/plain")
@@ -34,17 +34,21 @@ class MyRequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
 if __name__ == "__main__":
     from optparse import OptionParser
     p = OptionParser()
-    p.add_option("-a", "--addr", type="string", default="localhost",
+    p.add_option("-a",
+                 "--addr",
+                 type="string",
+                 default="localhost",
                  help=("listen on given address (numeric IP or host name), "
                        "an empty string (the default) means INADDR_ANY"))
-    p.add_option("-p", "--port", type="int", default=32123,
-                 help="listen on given TCP port number")
-    p.add_option("-m", "--max", type="int", default=-1,
+    p.add_option("-p", "--port", type="int", default=32123, help="listen on given TCP port number")
+    p.add_option("-m",
+                 "--max",
+                 type="int",
+                 default=-1,
                  help="max number of requests to respond to, -1 means no max")
     options, args = p.parse_args()
 
-    httpd = BaseHTTPServer.HTTPServer((options.addr, options.port),
-                                      MyRequestHandler)
+    httpd = BaseHTTPServer.HTTPServer((options.addr, options.port), MyRequestHandler)
     if options.max == -1:
         httpd.serve_forever()
     else:

From f865897cac44d2e25e442b6adcbefd314875062b Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Wed, 24 Nov 2021 15:18:40 -0800
Subject: [PATCH 109/210] AST profiles track the associated
 function/body/expression

---
 src/script_opt/ProfileFunc.cc | 17 +++++++++++------
 src/script_opt/ProfileFunc.h  | 12 ++++++++++++
 2 files changed, 23 insertions(+), 6 deletions(-)

diff --git a/src/script_opt/ProfileFunc.cc b/src/script_opt/ProfileFunc.cc
index da6802ff99..b7ccae6f68 100644
--- a/src/script_opt/ProfileFunc.cc
+++ b/src/script_opt/ProfileFunc.cc
@@ -60,12 +60,23 @@ p_hash_type script_specific_hash(const StmtPtr& body, p_hash_type generic_hash)
 
 ProfileFunc::ProfileFunc(const Func* func, const StmtPtr& body, bool _abs_rec_fields)
 	{
+	profiled_func = func;
+	profiled_body = body.get();
 	abs_rec_fields = _abs_rec_fields;
 	Profile(func->GetType().get(), body);
 	}
 
+ProfileFunc::ProfileFunc(const Stmt* s, bool _abs_rec_fields)
+	{
+	profiled_body = s;
+	abs_rec_fields = _abs_rec_fields;
+	s->Traverse(this);
+	}
+
 ProfileFunc::ProfileFunc(const Expr* e, bool _abs_rec_fields)
 	{
+	profiled_expr = e;
+
 	abs_rec_fields = _abs_rec_fields;
 
 	if ( e->Tag() == EXPR_LAMBDA )
@@ -84,12 +95,6 @@ ProfileFunc::ProfileFunc(const Expr* e, bool _abs_rec_fields)
 		e->Traverse(this);
 	}
 
-ProfileFunc::ProfileFunc(const Stmt* s, bool _abs_rec_fields)
-	{
-	abs_rec_fields = _abs_rec_fields;
-	s->Traverse(this);
-	}
-
 void ProfileFunc::Profile(const FuncType* ft, const StmtPtr& body)
 	{
 	num_params = ft->Params()->NumFields();
diff --git a/src/script_opt/ProfileFunc.h b/src/script_opt/ProfileFunc.h
index dbc275eb66..2ccb47f6d6 100644
--- a/src/script_opt/ProfileFunc.h
+++ b/src/script_opt/ProfileFunc.h
@@ -100,6 +100,12 @@ public:
 	ProfileFunc(const Stmt* body, bool abs_rec_fields = false);
 	ProfileFunc(const Expr* func, bool abs_rec_fields = false);
 
+	// Returns the function, body, or expression profiled.  Each can be
+	// null depending on the constructor used.
+	const Func* ProfiledFunc() const { return profiled_func; }
+	const Stmt* ProfiledBody() const { return profiled_body; }
+	const Expr* ProfiledExpr() const { return profiled_expr; }
+
 	// See the comments for the associated member variables for each
 	// of these accessors.
 	const std::unordered_set<const ID*>& Globals() const { return globals; }
@@ -157,6 +163,12 @@ protected:
 	// Take note of an assignment to an identifier.
 	void TrackAssignment(const ID* id);
 
+	// The function, body, or expression profiled.  Can be null
+	// depending on which constructor was used.
+	const Func* profiled_func = nullptr;
+	const Stmt* profiled_body = nullptr;
+	const Expr* profiled_expr = nullptr;
+
 	// Globals seen in the function.
 	//
 	// Does *not* include globals solely seen as the function being

From e73351a6e1881da6615b99ee1c190c35fb4c798d Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Wed, 24 Nov 2021 15:19:01 -0800
Subject: [PATCH 110/210] track the use of conditionals in functions and files

---
 src/Var.cc                   |   5 +-
 src/Var.h                    |   2 +-
 src/parse.y                  |  27 +++++++--
 src/scan.l                   | 113 ++++++++++++++++++++++-------------
 src/script_opt/StmtOptInfo.h |   4 ++
 5 files changed, 103 insertions(+), 48 deletions(-)

diff --git a/src/Var.cc b/src/Var.cc
index 4067f17e4c..dc8a04251b 100644
--- a/src/Var.cc
+++ b/src/Var.cc
@@ -18,6 +18,7 @@
 #include "zeek/Val.h"
 #include "zeek/module_util.h"
 #include "zeek/script_opt/ScriptOpt.h"
+#include "zeek/script_opt/StmtOptInfo.h"
 
 namespace zeek::detail
 	{
@@ -717,7 +718,7 @@ TraversalCode OuterIDBindingFinder::PostExpr(const Expr* expr)
 
 static bool duplicate_ASTs = getenv("ZEEK_DUPLICATE_ASTS");
 
-void end_func(StmtPtr body)
+void end_func(StmtPtr body, bool free_of_conditionals)
 	{
 	if ( duplicate_ASTs && reporter->Errors() == 0 )
 		// Only try duplication in the absence of errors.  If errors
@@ -729,6 +730,8 @@ void end_func(StmtPtr body)
 		// by duplicating can itself be correctly duplicated.
 		body = body->Duplicate()->Duplicate();
 
+	body->GetOptInfo()->is_free_of_conditionals = free_of_conditionals;
+
 	auto ingredients = std::make_unique<function_ingredients>(pop_scope(), std::move(body));
 
 	if ( ingredients->id->HasVal() )
diff --git a/src/Var.h b/src/Var.h
index 2950afa2bf..85f62f4d0f 100644
--- a/src/Var.h
+++ b/src/Var.h
@@ -45,7 +45,7 @@ extern void add_type(ID* id, TypePtr t, std::unique_ptr<std::vector<AttrPtr>> at
 extern void begin_func(IDPtr id, const char* module_name, FunctionFlavor flavor, bool is_redef,
                        FuncTypePtr t, std::unique_ptr<std::vector<AttrPtr>> attrs = nullptr);
 
-extern void end_func(StmtPtr body);
+extern void end_func(StmtPtr body, bool free_of_conditionals);
 
 // Gather all IDs referenced inside a body that aren't part of a given scope.
 extern IDPList gather_outer_ids(ScopePtr scope, StmtPtr body);
diff --git a/src/parse.y b/src/parse.y
index d3d3710840..e7bf8fddac 100644
--- a/src/parse.y
+++ b/src/parse.y
@@ -105,6 +105,11 @@ extern const char* last_filename; // Absolute path of last file parsed.
 extern const char* last_tok_filename;
 extern const char* last_last_tok_filename;
 
+extern int conditional_epoch; // let's us track embedded conditionals
+
+// Whether the file we're currently parsing includes @if conditionals.
+extern bool current_file_has_conditionals;
+
 YYLTYPE GetCurrentLocation();
 extern int yyerror(const char[]);
 extern int brolex();
@@ -138,6 +143,7 @@ bool defining_global_ID = false;
 std::vector<int> saved_in_init;
 
 static Location func_hdr_location;
+static int func_hdr_cond_epoch = 0;
 EnumType* cur_enum_type = nullptr;
 static ID* cur_decl_type_id = nullptr;
 
@@ -1214,16 +1220,19 @@ decl:
 			zeekygen_mgr->Identifier(std::move(id));
 			}
 
-	|	func_hdr { func_hdr_location = @1; } func_body
-
-	|	func_hdr { func_hdr_location = @1; } conditional_list func_body
+	|	func_hdr
+			{
+			func_hdr_location = @1;
+			func_hdr_cond_epoch = conditional_epoch;
+			}
+		conditional_list func_body
 
 	|	conditional
 	;
 
 conditional_list:
-		conditional
-	|	conditional conditional_list
+	|	conditional_list conditional
+	;
 
 conditional:
 		TOK_ATIF '(' expr ')'
@@ -1296,7 +1305,13 @@ func_body:
 		'}'
 			{
 			set_location(func_hdr_location, @5);
-			end_func({AdoptRef{}, $3});
+
+			bool free_of_conditionals = true;
+			if ( current_file_has_conditionals ||
+			     conditional_epoch > func_hdr_cond_epoch )
+				free_of_conditionals = false;
+
+			end_func({AdoptRef{}, $3}, free_of_conditionals);
 			}
 	;
 
diff --git a/src/scan.l b/src/scan.l
index 0301494e2f..6b1c7bf138 100644
--- a/src/scan.l
+++ b/src/scan.l
@@ -48,7 +48,22 @@ extern YYLTYPE yylloc;	// holds start line and column of token
 extern zeek::EnumType* cur_enum_type;
 
 // Track the @if... depth.
-std::intptr_t current_depth = 0;
+static std::intptr_t conditional_depth = 0;
+
+zeek::detail::int_list entry_cond_depth; // @if depth upon starting file
+
+// Tracks how many conditionals there have been.  This value only
+// increases.  Its value is to support logic such as figuring out
+// whether a function body has a conditional within it by comparing
+// the epoch at the beginning of parsing the body with that at the end.
+int conditional_epoch = 0;
+
+// Whether the current file has included conditionals (so far).
+bool current_file_has_conditionals = false;
+
+// The files that include conditionals.  Not currently used, but will be
+// in the future once we add --optimize-files=/pat/.
+std::unordered_set<std::string> files_with_conditionals;
 
 zeek::detail::int_list if_stack;
 
@@ -99,6 +114,18 @@ static std::string find_relative_script_file(const std::string& filename)
 		return zeek::util::find_script_file(filename, zeek::util::zeek_path());
 	}
 
+static void start_conditional()
+	{
+	++conditional_depth;
+	++conditional_epoch;
+
+	if ( ! current_file_has_conditionals )
+		// First time we've observed that this file includes conditionals.
+		files_with_conditionals.insert(::filename);
+
+	current_file_has_conditionals = true;
+	}
+
 class FileInfo {
 public:
 	FileInfo(std::string restore_module = "");
@@ -418,11 +445,11 @@ when	return TOK_WHEN;
 @ifdef	return TOK_ATIFDEF;
 @ifndef	return TOK_ATIFNDEF;
 @else   return TOK_ATELSE;
-@endif	--current_depth;
+@endif	do_atendif();
 
-<IGNORE>@if	++current_depth;
-<IGNORE>@ifdef	++current_depth;
-<IGNORE>@ifndef	++current_depth;
+<IGNORE>@if	start_conditional();
+<IGNORE>@ifdef	start_conditional();
+<IGNORE>@ifndef	start_conditional();
 <IGNORE>@else   return TOK_ATELSE;
 <IGNORE>@endif	return TOK_ATENDIF;
 <IGNORE>[^@\r\n]+	/* eat */
@@ -639,17 +666,19 @@ static int load_files(const char* orig_file)
 
 	zeek::detail::zeekygen_mgr->Script(file_path);
 
-	// "orig_file", could be an alias for yytext, which is ephemeral
+	// "orig_file" could be an alias for yytext, which is ephemeral
 	//  and will be zapped after the yy_switch_to_buffer() below.
 	YY_BUFFER_STATE buffer;
 
-	if ( rc.first == 1 ) {
+	if ( rc.first == 1 )
+		{
 		// Parse code provided by plugin.
 		assert(rc.second);
 		DBG_LOG(zeek::DBG_SCRIPTS, "Loading %s from code supplied by plugin ", file_path.c_str());
 		buffer = yy_scan_bytes(rc.second->data(), rc.second->size()); // this copies the data
 		}
-	else {
+	else
+		{
 		// Parse from file.
 		assert(f);
 		DBG_LOG(zeek::DBG_SCRIPTS, "Loading %s", file_path.c_str());
@@ -663,6 +692,8 @@ static int load_files(const char* orig_file)
 	// every Obj created when parsing it.
 	yylloc.filename = filename = zeek::util::copy_string(file_path.c_str());
 
+	entry_cond_depth.push_back(conditional_depth);
+
 	return 1;
 	}
 
@@ -693,9 +724,21 @@ public:
 	std::vector<const zeek::detail::NameExpr*> local_names;
 };
 
+static void begin_ignoring()
+	{
+	if_stack.push_back(conditional_depth);
+	BEGIN(IGNORE);
+	}
+
+static void resume_processing()
+	{
+	if_stack.pop_back();
+	BEGIN(INITIAL);
+	}
+
 void do_atif(zeek::detail::Expr* expr)
 	{
-	++current_depth;
+	start_conditional();
 
 	LocalNameFinder cb;
 	expr->Traverse(&cb);
@@ -716,70 +759,52 @@ void do_atif(zeek::detail::Expr* expr)
 		}
 
 	if ( ! val->AsBool() )
-		{
-		if_stack.push_back(current_depth);
-		BEGIN(IGNORE);
-		}
+		begin_ignoring();
 	}
 
 void do_atifdef(const char* id)
 	{
-	++current_depth;
+	start_conditional();
 
 	const auto& i = zeek::detail::lookup_ID(id, zeek::detail::current_module.c_str());
 
 	if ( ! i )
-		{
-		if_stack.push_back(current_depth);
-		BEGIN(IGNORE);
-		}
+		begin_ignoring();
 	}
 
 void do_atifndef(const char *id)
 	{
-	++current_depth;
+	start_conditional();
 
 	const auto& i = zeek::detail::lookup_ID(id, zeek::detail::current_module.c_str());
 
 	if ( i )
-		{
-		if_stack.push_back(current_depth);
-		BEGIN(IGNORE);
-		}
+		begin_ignoring();
 	}
 
 void do_atelse()
 	{
-	if ( current_depth == 0 )
+	if ( conditional_depth == 0 )
 		zeek::reporter->Error("@else without @if...");
 
-	if ( ! if_stack.empty() && current_depth > if_stack.back() )
+	if ( ! if_stack.empty() && conditional_depth > if_stack.back() )
 		return;
 
 	if ( YY_START == INITIAL )
-		{
-		if_stack.push_back(current_depth);
-		BEGIN(IGNORE);
-		}
+		begin_ignoring();
 	else
-		{
-		if_stack.pop_back();
-		BEGIN(INITIAL);
-		}
+		resume_processing();
 	}
 
 void do_atendif()
 	{
-	if ( current_depth == 0 )
+	if ( conditional_depth <= entry_cond_depth.back() )
 		zeek::reporter->Error("unbalanced @if... @endif");
 
-	if ( current_depth == if_stack.back() )
-		{
-		BEGIN(INITIAL);
-		if_stack.pop_back();
-		}
+	if ( ! if_stack.empty() && conditional_depth == if_stack.back() )
+		resume_processing();
 
-	--current_depth;
+	--conditional_depth;
 	}
 
 // Be careful to never delete things from this list, as the strings
@@ -840,7 +865,15 @@ void add_to_name_list(char* s, char delim, zeek::name_list& nl)
 
 int yywrap()
 	{
+	if ( entry_cond_depth.size() > 0 )
+		{
+		if ( conditional_depth > entry_cond_depth.back() )
+			zeek::reporter->FatalError("unbalanced @if... @endif");
+		entry_cond_depth.pop_back();
+		}
+
 	last_filename = ::filename;
+	current_file_has_conditionals = false;
 
 	if ( zeek::reporter->Errors() > 0 )
 		return 1;
diff --git a/src/script_opt/StmtOptInfo.h b/src/script_opt/StmtOptInfo.h
index 2edcb47e7e..449ecc0e61 100644
--- a/src/script_opt/StmtOptInfo.h
+++ b/src/script_opt/StmtOptInfo.h
@@ -22,6 +22,10 @@ public:
 	// True if we observe that there is a branch out of the statement
 	// to just beyond its extent, such as due to a "break".
 	bool contains_branch_beyond = false;
+
+	// Whether this statement is free of the possible influence
+	// of conditional code.
+	bool is_free_of_conditionals = true;
 	};
 
 	} // namespace zeek::detail

From a4b9218771516345ffc08606a5fb76572f150587 Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Wed, 24 Nov 2021 15:19:21 -0800
Subject: [PATCH 111/210] avoid compiling-to-C++ for functions potentially
 influenced by conditionals

---
 src/script_opt/CPP/Util.cc | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/script_opt/CPP/Util.cc b/src/script_opt/CPP/Util.cc
index 1c64c9af21..f41f225a41 100644
--- a/src/script_opt/CPP/Util.cc
+++ b/src/script_opt/CPP/Util.cc
@@ -1,5 +1,6 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
+#include "zeek/script_opt/StmtOptInfo.h"
 #include "zeek/script_opt/CPP/Util.h"
 
 #include <errno.h>
@@ -50,6 +51,14 @@ bool is_CPP_compilable(const ProfileFunc* pf, const char** reason)
 		return false;
 		}
 
+	auto body = pf->ProfiledBody();
+	if ( body && ! body->GetOptInfo()->is_free_of_conditionals )
+		{
+		if ( reason )
+			*reason = "body may be affected by @if conditional";
+		return false;
+		}
+
 	return true;
 	}
 

From 8f8c5942208b75905df3b22b6ed75b85b425367f Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Wed, 24 Nov 2021 15:19:44 -0800
Subject: [PATCH 112/210] btests for erroneous script conditionals

---
 testing/btest/Baseline/language.dangling-at/.stderr  | 2 ++
 testing/btest/Baseline/language.orphan-endif/.stderr | 2 ++
 testing/btest/language/dangling-at.zeek              | 8 ++++++++
 testing/btest/language/orphan-endif.zeek             | 9 +++++++++
 4 files changed, 21 insertions(+)
 create mode 100644 testing/btest/Baseline/language.dangling-at/.stderr
 create mode 100644 testing/btest/Baseline/language.orphan-endif/.stderr
 create mode 100644 testing/btest/language/dangling-at.zeek
 create mode 100644 testing/btest/language/orphan-endif.zeek

diff --git a/testing/btest/Baseline/language.dangling-at/.stderr b/testing/btest/Baseline/language.dangling-at/.stderr
new file mode 100644
index 0000000000..dac4eed6f6
--- /dev/null
+++ b/testing/btest/Baseline/language.dangling-at/.stderr
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+fatal error in <...>/dangling-at.zeek, line 9: unbalanced @if... @endif
diff --git a/testing/btest/Baseline/language.orphan-endif/.stderr b/testing/btest/Baseline/language.orphan-endif/.stderr
new file mode 100644
index 0000000000..087a9dd1ed
--- /dev/null
+++ b/testing/btest/Baseline/language.orphan-endif/.stderr
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+error in <...>/orphan-endif.zeek, line 8: unbalanced @if... @endif
diff --git a/testing/btest/language/dangling-at.zeek b/testing/btest/language/dangling-at.zeek
new file mode 100644
index 0000000000..f8e7eceef7
--- /dev/null
+++ b/testing/btest/language/dangling-at.zeek
@@ -0,0 +1,8 @@
+# @TEST-EXEC-FAIL: zeek -b %INPUT
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderr
+# Check that dangling conditionals are detected.
+
+@if ( 1==1 )
+print "it's true!";
+@else
+lalala
diff --git a/testing/btest/language/orphan-endif.zeek b/testing/btest/language/orphan-endif.zeek
new file mode 100644
index 0000000000..0e612e52ff
--- /dev/null
+++ b/testing/btest/language/orphan-endif.zeek
@@ -0,0 +1,9 @@
+# @TEST-EXEC-FAIL: zeek -b %INPUT
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderr
+# Check that dangling conditionals are detected.
+
+@if ( T )
+print "so far, so good";
+@endif
+@endif
+print "whoops!";

From d2a9fcda0c77e1586a289cc0aac9278e3f9509d6 Mon Sep 17 00:00:00 2001
From: zeek-bot <info@zeek.org>
Date: Thu, 25 Nov 2021 04:26:38 +0000
Subject: [PATCH 113/210] Update doc submodule [nomail] [skip ci]

---
 doc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc b/doc
index 78252acaee..cb6d494f1d 160000
--- a/doc
+++ b/doc
@@ -1 +1 @@
-Subproject commit 78252acaeed8e2dee433c34ee8e2facb6d9cf845
+Subproject commit cb6d494f1dd1e1bf634930ee4169154ad5eb68ea

From 72604f866b8d7b7e4edf2ae1b55d11cad72a50ba Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Mon, 29 Nov 2021 10:43:34 -0700
Subject: [PATCH 114/210] Fix a number of Coverity findings

1466460: Uninitialized field in gtp-analyzer.pac
1462465: Null pointer dereference in CompositeHash::SingleValHash
1462463: Copy/paste error in TCPSessionAdapter::build_syn_packet_val
1462067: Uninitialized fields in Zinst
---
 src/CompHash.cc                                       | 7 ++++++-
 src/packet_analysis/protocol/gtpv1/gtpv1-analyzer.pac | 4 +++-
 src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc | 2 +-
 src/script_opt/ZAM/ZInst.h                            | 8 ++++----
 4 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/src/CompHash.cc b/src/CompHash.cc
index 89b5201238..56b626fa7f 100644
--- a/src/CompHash.cc
+++ b/src/CompHash.cc
@@ -501,6 +501,11 @@ bool CompositeHash::SingleValHash(HashKey& hk, const Val* v, Type* bt, bool type
 			return true;
 		}
 
+	// All of the rest of the code here depends on v not being null, since it needs
+	// to get values from it.
+	if ( ! v )
+		return false;
+
 	switch ( t )
 		{
 		case TYPE_INTERNAL_INT:
@@ -695,7 +700,7 @@ bool CompositeHash::SingleValHash(HashKey& hk, const Val* v, Type* bt, bool type
 			}
 			break;
 
-		case TYPE_INTERNAL_ERROR:
+		default:
 			return false;
 		}
 
diff --git a/src/packet_analysis/protocol/gtpv1/gtpv1-analyzer.pac b/src/packet_analysis/protocol/gtpv1/gtpv1-analyzer.pac
index 6fc18befea..7b81126469 100644
--- a/src/packet_analysis/protocol/gtpv1/gtpv1-analyzer.pac
+++ b/src/packet_analysis/protocol/gtpv1/gtpv1-analyzer.pac
@@ -610,7 +610,9 @@ connection GTPv1_Conn(zeek_analyzer: ZeekPacketAnalyzer)
 	%}
 
 	%init{
-		valid_orig = valid_resp = false;
+		valid_orig = false;
+		valid_resp = false;
+		packet = nullptr;
 	%}
 
 	function valid(orig: bool): bool
diff --git a/src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc b/src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc
index 53027538e8..3e04adb844 100644
--- a/src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc
+++ b/src/packet_analysis/protocol/tcp/TCPSessionAdapter.cc
@@ -422,7 +422,7 @@ static zeek::RecordValPtr build_syn_packet_val(bool is_orig, const zeek::IP_Hdr*
 	if ( TSval )
 		v->Assign(8, *TSval);
 
-	if ( TSval )
+	if ( TSecr )
 		v->Assign(9, *TSecr);
 
 	return v;
diff --git a/src/script_opt/ZAM/ZInst.h b/src/script_opt/ZAM/ZInst.h
index 9bc41cd72a..b1dc751ea1 100644
--- a/src/script_opt/ZAM/ZInst.h
+++ b/src/script_opt/ZAM/ZInst.h
@@ -64,9 +64,9 @@ public:
 		}
 
 	// Create a stub instruction that will be populated later.
-	ZInst() { }
+	ZInst() = default;
 
-	virtual ~ZInst() { }
+	virtual ~ZInst() = default;
 
 	// Methods for printing out the instruction for debugging/maintenance.
 	void Dump(bro_uint_t inst_num, const FrameReMap* mappings) const;
@@ -93,8 +93,8 @@ public:
 	// Returns a string describing the constant.
 	std::string ConstDump() const;
 
-	ZOp op;
-	ZAMOpType op_type;
+	ZOp op = OP_NOP;
+	ZAMOpType op_type = OP_X;
 
 	// Usually indices into frame, though sometimes hold integer constants.
 	// When an instruction has both frame slots and integer constants,

From 46f46e780344d61446816fbb61a6e760ed68bf7f Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Mon, 29 Nov 2021 13:17:46 -0800
Subject: [PATCH 115/210] clang-format issue

---
 src/script_opt/CPP/Util.cc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/script_opt/CPP/Util.cc b/src/script_opt/CPP/Util.cc
index f41f225a41..8c6e6d0a91 100644
--- a/src/script_opt/CPP/Util.cc
+++ b/src/script_opt/CPP/Util.cc
@@ -1,12 +1,13 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include "zeek/script_opt/StmtOptInfo.h"
 #include "zeek/script_opt/CPP/Util.h"
 
 #include <errno.h>
 #include <sys/file.h>
 #include <unistd.h>
 
+#include "zeek/script_opt/StmtOptInfo.h"
+
 namespace zeek::detail
 	{
 

From 417f9ffe98fe4b5c4213b2aa6bdbc084364a2ddb Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Mon, 29 Nov 2021 13:17:57 -0800
Subject: [PATCH 116/210] fix btest comment to more accurately describe the
 test

---
 testing/btest/language/orphan-endif.zeek | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/testing/btest/language/orphan-endif.zeek b/testing/btest/language/orphan-endif.zeek
index 0e612e52ff..ecead2e6a2 100644
--- a/testing/btest/language/orphan-endif.zeek
+++ b/testing/btest/language/orphan-endif.zeek
@@ -1,6 +1,6 @@
 # @TEST-EXEC-FAIL: zeek -b %INPUT
 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderr
-# Check that dangling conditionals are detected.
+# Check that orphan endif's are detected.
 
 @if ( T )
 print "so far, so good";

From 94ee837398f399e2b238075cb220c14da4011215 Mon Sep 17 00:00:00 2001
From: Johanna Amann <johanna@corelight.com>
Date: Tue, 30 Nov 2021 18:24:03 +0000
Subject: [PATCH 117/210] Fix for the recent patch that allows segment
 offloaded packets.

We recently added support for segment offloaded packets. It turns out
that this can lead to problems in UDP/ICMP based parsers since I missed
correctly also updating the payloadlength there, and using the capture
length instead when segment offloading is enabled.

Credit to OSS-Fuzz for discovery
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41391
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41394
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41395
(Link to details becomes public 30 days after patch release)
---
 CHANGES                                   | 15 +++++++++++++++
 VERSION                                   |  2 +-
 src/packet_analysis/protocol/icmp/ICMP.cc |  4 ++++
 src/packet_analysis/protocol/udp/UDP.cc   |  4 ++++
 4 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index 933322ab15..17b0879d95 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,18 @@
+4.2.0-dev.394 | 2021-11-30 11:53:35 -0700
+
+  * Fix for the recent patch that allows segment offloaded packets. (Johanna Amann, Corelight)
+
+    We recently added support for segment offloaded packets. It turns out
+    that this can lead to problems in UDP/ICMP based parsers since I missed
+    correctly also updating the payloadlength there, and using the capture
+    length instead when segment offloading is enabled.
+
+    Credit to OSS-Fuzz for discovery
+    https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41391
+    https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41394
+    https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=41395
+    (Link to details becomes public 30 days after patch release)
+
 4.2.0-dev.393 | 2021-11-29 13:46:59 -0700
 
   * Fix a number of Coverity findings (Tim Wojtulewicz, Corelight)
diff --git a/VERSION b/VERSION
index 916edc35be..265e9a036d 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-4.2.0-dev.393
+4.2.0-dev.394
diff --git a/src/packet_analysis/protocol/icmp/ICMP.cc b/src/packet_analysis/protocol/icmp/ICMP.cc
index 4b24d3be95..d71af5edd4 100644
--- a/src/packet_analysis/protocol/icmp/ICMP.cc
+++ b/src/packet_analysis/protocol/icmp/ICMP.cc
@@ -67,6 +67,10 @@ void ICMPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int rema
 
 	const u_char* data = pkt->ip_hdr->Payload();
 	int len = pkt->ip_hdr->PayloadLen();
+	// If segment offloading or similar is enabled, the payload len will return 0.
+	// Thus, let's ignore that case.
+	if ( len == 0 )
+		len = remaining;
 
 	if ( packet_contents && len > 0 )
 		adapter->PacketContents(data + 8, std::min(len, remaining) - 8);
diff --git a/src/packet_analysis/protocol/udp/UDP.cc b/src/packet_analysis/protocol/udp/UDP.cc
index b0cb1683a7..f7362fbc41 100644
--- a/src/packet_analysis/protocol/udp/UDP.cc
+++ b/src/packet_analysis/protocol/udp/UDP.cc
@@ -84,6 +84,10 @@ void UDPAnalyzer::DeliverPacket(Connection* c, double t, bool is_orig, int remai
 
 	const u_char* data = pkt->ip_hdr->Payload();
 	int len = pkt->ip_hdr->PayloadLen();
+	// If segment offloading or similar is enabled, the payload len will return 0.
+	// Thus, let's ignore that case.
+	if ( len == 0 )
+		len = remaining;
 
 	const struct udphdr* up = (const struct udphdr*)data;
 	const std::shared_ptr<IP_Hdr>& ip = pkt->ip_hdr;

From 328411e8072acc5d9bec5726eb92bf5a2ff93040 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Mon, 29 Nov 2021 16:36:58 -0700
Subject: [PATCH 118/210] GH-1873: Deprecate the tag types differently to avoid
 type clashes

---
 src/Tag.cc                |   2 +-
 src/Tag.h                 |  42 ++++++------
 src/analyzer/Tag.h        | 140 +++++++++++++++++++++++++++++++++++++-
 src/file_analysis/Tag.h   | 140 +++++++++++++++++++++++++++++++++++++-
 src/input/Tag.h           | 140 +++++++++++++++++++++++++++++++++++++-
 src/logging/Tag.h         | 140 +++++++++++++++++++++++++++++++++++++-
 src/packet_analysis/Tag.h | 140 +++++++++++++++++++++++++++++++++++++-
 7 files changed, 717 insertions(+), 27 deletions(-)

diff --git a/src/Tag.cc b/src/Tag.cc
index c3593b59c3..53d8901d74 100644
--- a/src/Tag.cc
+++ b/src/Tag.cc
@@ -62,7 +62,7 @@ Tag& Tag::operator=(const Tag& other)
 	return *this;
 	}
 
-Tag& Tag::operator=(const Tag&& other) noexcept
+Tag& Tag::operator=(Tag&& other) noexcept
 	{
 	if ( this != &other )
 		{
diff --git a/src/Tag.h b/src/Tag.h
index 9b59c93c59..1be9275618 100644
--- a/src/Tag.h
+++ b/src/Tag.h
@@ -19,19 +19,19 @@ class EnumType;
 using EnumTypePtr = IntrusivePtr<EnumType>;
 
 /**
- * Class to identify an analyzer type.
+ * Class to identify an plugin component type.
  *
- * Each analyzer type gets a tag consisting of a main type and subtype. The
- * former is an identifier that's unique across all analyzer classes. The latter is
- * passed through to the analyzer instances for their use, yet not further
- * interpreted by the analyzer infrastructure; it allows an analyzer to
- * branch out into a set of sub-analyzers internally. Jointly, main type and
- * subtype form an analyzer "tag". Each unique tag corresponds to a single
- * "analyzer" from the user's perspective. At the script layer, these tags
- * are mapped into enums of type \c Analyzer::Tag or Files::Tag. Internally,
- * the analyzer::Manager and file_analysis::Manager maintain the mapping of tag
- * to analyzer (and it also assigns them their main types), and
- * analyzer::Component and file_analysis::Component create new tag.
+ * Each component type gets a tag consisting of a main type and subtype. The
+ * former is an identifier that's unique across all component classes. The latter is
+ * passed through to the component instances for their use, yet not further
+ * interpreted by the component infrastructure; it allows a component to
+ * branch out into a set of sub-components internally. Jointly, main type and
+ * subtype form a component "tag". Each unique tag corresponds to a single
+ * "component" from the user's perspective. At the script layer, these tags
+ * are mapped into enums of type \c Component::Tag or Files::Tag. Internally,
+ * the component::Manager and file_analysis::Manager maintain the mapping of tag
+ * to component (and it also assigns them their main types), and
+ * component::Component and file_analysis::Component create new tag.
  *
  * The Tag class supports all operations necessary to act as an index in a
  * \c std::map.
@@ -40,12 +40,12 @@ class Tag
 	{
 public:
 	/**
-	 * Type for the analyzer's main type.
+	 * Type for the component's main type.
 	 */
 	using type_t = uint32_t;
 
 	/**
-	 * Type for the analyzer's subtype.
+	 * Type for the component's subtype.
 	 */
 	using subtype_t = uint32_t;
 
@@ -73,7 +73,7 @@ public:
 	 * @param type The main type. Note that the manager class manages the
 	 * the value space internally, so noone else should assign main types.
 	 *
-	 * @param subtype The sub type, which is left to an analyzer for
+	 * @param subtype The sub type, which is left to a component for
 	 * interpretation. By default it's set to zero.
 	 */
 	Tag(const EnumTypePtr& etype, type_t type, subtype_t subtype = 0);
@@ -81,11 +81,11 @@ public:
 	/**
 	 * Constructor.
 	 *
-	 * @param type The main type. Note that the \a analyzer::Manager
+	 * @param type The main type. Note that the \a component::Manager
 	 * manages the value space internally, so noone else should assign
 	 * any main types.
 	 *
-	 * @param subtype The sub type, which is left to an analyzer for
+	 * @param subtype The sub type, which is left to an component for
 	 * interpretation. By default it's set to zero.
 	 */
 	explicit Tag(type_t type, subtype_t subtype = 0);
@@ -93,7 +93,7 @@ public:
 	/**
 	 * Constructor.
 	 *
-	 * @param val An enum value of script type \c Analyzer::Tag.
+	 * @param val An enum value of script type \c Component::Tag.
 	 */
 	explicit Tag(EnumValPtr val);
 
@@ -105,7 +105,7 @@ public:
 	/**
 	 * Destructor.
 	 */
-	virtual ~Tag();
+	~Tag();
 
 	/**
 	 * Assignment operator.
@@ -115,7 +115,7 @@ public:
 	/**
 	 * Move assignment operator.
 	 */
-	Tag& operator=(const Tag&& other) noexcept;
+	Tag& operator=(Tag&& other) noexcept;
 
 	/**
 	 * Compares two tags for equality.
@@ -157,7 +157,7 @@ public:
 
 	/**
 	 * Returns false if the tag represents an error value rather than a
-	 * legal analyzer type.
+	 * legal component type.
 	 */
 	explicit operator bool() const { return *this != Error; }
 
diff --git a/src/analyzer/Tag.h b/src/analyzer/Tag.h
index 56b5d58b19..6316381dc2 100644
--- a/src/analyzer/Tag.h
+++ b/src/analyzer/Tag.h
@@ -4,11 +4,149 @@
 
 #include "zeek/zeek-config.h"
 
+#include <string>
+
 #include "zeek/Tag.h"
+#include "zeek/Val.h"
 
 namespace zeek::analyzer
 	{
 
-using Tag [[deprecated("Remove in v5.1. Use zeek::Tag.")]] = zeek::Tag;
+/**
+ * This class implements a wrapper around zeek::Tag , presenting the same interface as that
+ * member object. It previously implemented a full tag object for this type of plugin
+ * component, but that functionality was merged into zeek::Tag and the separate tag types were
+ * deprecated. This class will eventually be removed per the Zeek deprecation policy.
+ */
+class [[deprecated("Remove in v5.1. Use zeek::Tag.")]] Tag
+	{
+public:
+	/**
+	 * Type for the component's main type.
+	 */
+	using type_t = zeek::Tag::type_t;
+
+	/**
+	 * Type for the component's subtype.
+	 */
+	using subtype_t = zeek::Tag::subtype_t;
+
+	/**
+	 * Returns the tag's main type.
+	 */
+	zeek::Tag::type_t Type() const { return tag.Type(); }
+
+	/**
+	 * Returns the tag's subtype.
+	 */
+	zeek::Tag::subtype_t Subtype() const { return tag.Subtype(); }
+
+	/**
+	 * Default constructor. This initializes the tag with an error value
+	 * that will make \c operator \c bool return false.
+	 */
+	Tag() : tag() { }
+
+	/**
+	 * Constructor.
+	 *
+	 * @param etype the script-layer enum type associated with the tag.
+	 *
+	 * @param type The main type. Note that the manager class manages the
+	 * the value space internally, so noone else should assign main types.
+	 *
+	 * @param subtype The sub type, which is left to a component for
+	 * interpretation. By default it's set to zero.
+	 */
+	Tag(const EnumTypePtr& etype, zeek::Tag::type_t type, zeek::Tag::subtype_t subtype = 0)
+		: tag(etype, type, subtype)
+		{
+		}
+
+	/**
+	 * Constructor.
+	 *
+	 * @param type The main type. Note that the component's Manager
+	 * manages the value space internally, so noone else should assign
+	 * any main types.
+	 *
+	 * @param subtype The sub type, which is left to a component for
+	 * interpretation. By default it's set to zero.
+	 */
+	explicit Tag(zeek::Tag::type_t type, zeek::Tag::subtype_t subtype = 0) : tag(type, subtype) { }
+
+	/**
+	 * Constructor.
+	 *
+	 * @param val An enum value of script type \c Analyzer::Tag.
+	 */
+	explicit Tag(EnumValPtr val) : tag(val) { }
+
+	/*
+	 * Copy constructor.
+	 */
+	Tag(const Tag& other) : tag(other.tag) { }
+
+	/**
+	 * Destructor.
+	 */
+	~Tag() { }
+
+	/**
+	 * Assignment operator.
+	 */
+	Tag& operator=(const Tag& other)
+		{
+		tag = other.tag;
+		return *this;
+		}
+
+	/**
+	 * Move assignment operator.
+	 */
+	Tag& operator=(Tag&& other) noexcept
+		{
+		tag = other.tag;
+		return *this;
+		}
+
+	/**
+	 * Compares two tags for equality.
+	 */
+	bool operator==(const Tag& other) const { return tag == other.tag; }
+
+	/**
+	 * Compares two tags for inequality.
+	 */
+	bool operator!=(const Tag& other) const { return tag != other.tag; }
+
+	/**
+	 * Compares two tags for less-than relationship.
+	 */
+	bool operator<(const Tag& other) const { return tag < other.tag; }
+
+	/**
+	 * Returns the numerical values for main and subtype inside a string
+	 * suitable for printing. This is primarily for debugging.
+	 */
+	std::string AsString() const { return tag.AsString(); }
+
+	/**
+	 * Returns the script-layer enum that corresponds to this tag.
+	 * The returned value does not have its ref-count increased.
+	 *
+	 * @param etype the script-layer enum type associated with the tag.
+	 */
+	const EnumValPtr& AsVal() const { return tag.AsVal(); }
+
+	/**
+	 * Returns false if the tag represents an error value rather than a
+	 * legal component type.
+	 */
+	explicit operator bool() const { return static_cast<bool>(tag); }
+
+private:
+	zeek::Tag tag;
+	};
 
 	} // namespace zeek::analyzer
diff --git a/src/file_analysis/Tag.h b/src/file_analysis/Tag.h
index 3f3150bc5d..5f21276a0a 100644
--- a/src/file_analysis/Tag.h
+++ b/src/file_analysis/Tag.h
@@ -4,11 +4,149 @@
 
 #include "zeek/zeek-config.h"
 
+#include <string>
+
 #include "zeek/Tag.h"
+#include "zeek/Val.h"
 
 namespace zeek::file_analysis
 	{
 
-using Tag [[deprecated("Remove in v5.1. Use zeek::Tag.")]] = zeek::Tag;
+/**
+ * This class implements a wrapper around zeek::Tag , presenting the same interface as that
+ * member object. It previously implemented a full tag object for this type of plugin
+ * component, but that functionality was merged into zeek::Tag and the separate tag types were
+ * deprecated. This class will eventually be removed per the Zeek deprecation policy.
+ */
+class [[deprecated("Remove in v5.1. Use zeek::Tag.")]] Tag
+	{
+public:
+	/**
+	 * Type for the component's main type.
+	 */
+	using type_t = zeek::Tag::type_t;
+
+	/**
+	 * Type for the component's subtype.
+	 */
+	using subtype_t = zeek::Tag::subtype_t;
+
+	/**
+	 * Returns the tag's main type.
+	 */
+	zeek::Tag::type_t Type() const { return tag.Type(); }
+
+	/**
+	 * Returns the tag's subtype.
+	 */
+	zeek::Tag::subtype_t Subtype() const { return tag.Subtype(); }
+
+	/**
+	 * Default constructor. This initializes the tag with an error value
+	 * that will make \c operator \c bool return false.
+	 */
+	Tag() : tag() { }
+
+	/**
+	 * Constructor.
+	 *
+	 * @param etype the script-layer enum type associated with the tag.
+	 *
+	 * @param type The main type. Note that the manager class manages the
+	 * the value space internally, so noone else should assign main types.
+	 *
+	 * @param subtype The sub type, which is left to a component for
+	 * interpretation. By default it's set to zero.
+	 */
+	Tag(const EnumTypePtr& etype, zeek::Tag::type_t type, zeek::Tag::subtype_t subtype = 0)
+		: tag(etype, type, subtype)
+		{
+		}
+
+	/**
+	 * Constructor.
+	 *
+	 * @param type The main type. Note that the component's Manager
+	 * manages the value space internally, so noone else should assign
+	 * any main types.
+	 *
+	 * @param subtype The sub type, which is left to a component for
+	 * interpretation. By default it's set to zero.
+	 */
+	explicit Tag(zeek::Tag::type_t type, zeek::Tag::subtype_t subtype = 0) : tag(type, subtype) { }
+
+	/**
+	 * Constructor.
+	 *
+	 * @param val An enum value of script type \c Files::Tag.
+	 */
+	explicit Tag(EnumValPtr val) : tag(val) { }
+
+	/*
+	 * Copy constructor.
+	 */
+	Tag(const Tag& other) : tag(other.tag) { }
+
+	/**
+	 * Destructor.
+	 */
+	~Tag() { }
+
+	/**
+	 * Assignment operator.
+	 */
+	Tag& operator=(const Tag& other)
+		{
+		tag = other.tag;
+		return *this;
+		}
+
+	/**
+	 * Move assignment operator.
+	 */
+	Tag& operator=(Tag&& other) noexcept
+		{
+		tag = other.tag;
+		return *this;
+		}
+
+	/**
+	 * Compares two tags for equality.
+	 */
+	bool operator==(const Tag& other) const { return tag == other.tag; }
+
+	/**
+	 * Compares two tags for inequality.
+	 */
+	bool operator!=(const Tag& other) const { return tag != other.tag; }
+
+	/**
+	 * Compares two tags for less-than relationship.
+	 */
+	bool operator<(const Tag& other) const { return tag < other.tag; }
+
+	/**
+	 * Returns the numerical values for main and subtype inside a string
+	 * suitable for printing. This is primarily for debugging.
+	 */
+	std::string AsString() const { return tag.AsString(); }
+
+	/**
+	 * Returns the script-layer enum that corresponds to this tag.
+	 * The returned value does not have its ref-count increased.
+	 *
+	 * @param etype the script-layer enum type associated with the tag.
+	 */
+	const EnumValPtr& AsVal() const { return tag.AsVal(); }
+
+	/**
+	 * Returns false if the tag represents an error value rather than a
+	 * legal component type.
+	 */
+	explicit operator bool() const { return static_cast<bool>(tag); }
+
+private:
+	zeek::Tag tag;
+	};
 
 	} // namespace zeek::file_analysis
diff --git a/src/input/Tag.h b/src/input/Tag.h
index 22da728f74..290728560b 100644
--- a/src/input/Tag.h
+++ b/src/input/Tag.h
@@ -4,11 +4,149 @@
 
 #include "zeek/zeek-config.h"
 
+#include <string>
+
 #include "zeek/Tag.h"
+#include "zeek/Val.h"
 
 namespace zeek::input
 	{
 
-using Tag [[deprecated("Remove in v5.1. Use zeek::Tag.")]] = zeek::Tag;
+/**
+ * This class implements a wrapper around zeek::Tag , presenting the same interface as that
+ * member object. It previously implemented a full tag object for this type of plugin
+ * component, but that functionality was merged into zeek::Tag and the separate tag types were
+ * deprecated. This class will eventually be removed per the Zeek deprecation policy.
+ */
+class [[deprecated("Remove in v5.1. Use zeek::Tag.")]] Tag
+	{
+public:
+	/**
+	 * Type for the component's main type.
+	 */
+	using type_t = zeek::Tag::type_t;
+
+	/**
+	 * Type for the component's subtype.
+	 */
+	using subtype_t = zeek::Tag::subtype_t;
+
+	/**
+	 * Returns the tag's main type.
+	 */
+	zeek::Tag::type_t Type() const { return tag.Type(); }
+
+	/**
+	 * Returns the tag's subtype.
+	 */
+	zeek::Tag::subtype_t Subtype() const { return tag.Subtype(); }
+
+	/**
+	 * Default constructor. This initializes the tag with an error value
+	 * that will make \c operator \c bool return false.
+	 */
+	Tag() : tag() { }
+
+	/**
+	 * Constructor.
+	 *
+	 * @param etype the script-layer enum type associated with the tag.
+	 *
+	 * @param type The main type. Note that the manager class manages the
+	 * the value space internally, so noone else should assign main types.
+	 *
+	 * @param subtype The sub type, which is left to a component for
+	 * interpretation. By default it's set to zero.
+	 */
+	Tag(const EnumTypePtr& etype, zeek::Tag::type_t type, zeek::Tag::subtype_t subtype = 0)
+		: tag(etype, type, subtype)
+		{
+		}
+
+	/**
+	 * Constructor.
+	 *
+	 * @param type The main type. Note that the component's Manager
+	 * manages the value space internally, so noone else should assign
+	 * any main types.
+	 *
+	 * @param subtype The sub type, which is left to a component for
+	 * interpretation. By default it's set to zero.
+	 */
+	explicit Tag(zeek::Tag::type_t type, zeek::Tag::subtype_t subtype = 0) : tag(type, subtype) { }
+
+	/**
+	 * Constructor.
+	 *
+	 * @param val An enum value of script type \c Input::Tag.
+	 */
+	explicit Tag(EnumValPtr val) : tag(val) { }
+
+	/*
+	 * Copy constructor.
+	 */
+	Tag(const Tag& other) : tag(other.tag) { }
+
+	/**
+	 * Destructor.
+	 */
+	~Tag() { }
+
+	/**
+	 * Assignment operator.
+	 */
+	Tag& operator=(const Tag& other)
+		{
+		tag = other.tag;
+		return *this;
+		}
+
+	/**
+	 * Move assignment operator.
+	 */
+	Tag& operator=(Tag&& other) noexcept
+		{
+		tag = other.tag;
+		return *this;
+		}
+
+	/**
+	 * Compares two tags for equality.
+	 */
+	bool operator==(const Tag& other) const { return tag == other.tag; }
+
+	/**
+	 * Compares two tags for inequality.
+	 */
+	bool operator!=(const Tag& other) const { return tag != other.tag; }
+
+	/**
+	 * Compares two tags for less-than relationship.
+	 */
+	bool operator<(const Tag& other) const { return tag < other.tag; }
+
+	/**
+	 * Returns the numerical values for main and subtype inside a string
+	 * suitable for printing. This is primarily for debugging.
+	 */
+	std::string AsString() const { return tag.AsString(); }
+
+	/**
+	 * Returns the script-layer enum that corresponds to this tag.
+	 * The returned value does not have its ref-count increased.
+	 *
+	 * @param etype the script-layer enum type associated with the tag.
+	 */
+	const EnumValPtr& AsVal() const { return tag.AsVal(); }
+
+	/**
+	 * Returns false if the tag represents an error value rather than a
+	 * legal component type.
+	 */
+	explicit operator bool() const { return static_cast<bool>(tag); }
+
+private:
+	zeek::Tag tag;
+	};
 
 	} // namespace zeek::input
diff --git a/src/logging/Tag.h b/src/logging/Tag.h
index 05a8bd329e..ae8e17d7bb 100644
--- a/src/logging/Tag.h
+++ b/src/logging/Tag.h
@@ -4,11 +4,149 @@
 
 #include "zeek/zeek-config.h"
 
+#include <string>
+
 #include "zeek/Tag.h"
+#include "zeek/Val.h"
 
 namespace zeek::logging
 	{
 
-using Tag [[deprecated("Remove in v5.1. Use zeek::Tag.")]] = zeek::Tag;
+/**
+ * This class implements a wrapper around zeek::Tag , presenting the same interface as that
+ * member object. It previously implemented a full tag object for this type of plugin
+ * component, but that functionality was merged into zeek::Tag and the separate tag types were
+ * deprecated. This class will eventually be removed per the Zeek deprecation policy.
+ */
+class [[deprecated("Remove in v5.1. Use zeek::Tag.")]] Tag
+	{
+public:
+	/**
+	 * Type for the component's main type.
+	 */
+	using type_t = zeek::Tag::type_t;
+
+	/**
+	 * Type for the component's subtype.
+	 */
+	using subtype_t = zeek::Tag::subtype_t;
+
+	/**
+	 * Returns the tag's main type.
+	 */
+	zeek::Tag::type_t Type() const { return tag.Type(); }
+
+	/**
+	 * Returns the tag's subtype.
+	 */
+	zeek::Tag::subtype_t Subtype() const { return tag.Subtype(); }
+
+	/**
+	 * Default constructor. This initializes the tag with an error value
+	 * that will make \c operator \c bool return false.
+	 */
+	Tag() : tag() { }
+
+	/**
+	 * Constructor.
+	 *
+	 * @param etype the script-layer enum type associated with the tag.
+	 *
+	 * @param type The main type. Note that the manager class manages the
+	 * the value space internally, so noone else should assign main types.
+	 *
+	 * @param subtype The sub type, which is left to a component for
+	 * interpretation. By default it's set to zero.
+	 */
+	Tag(const EnumTypePtr& etype, zeek::Tag::type_t type, zeek::Tag::subtype_t subtype = 0)
+		: tag(etype, type, subtype)
+		{
+		}
+
+	/**
+	 * Constructor.
+	 *
+	 * @param type The main type. Note that the \a logging::Manager
+	 * manages the value space internally, so noone else should assign
+	 * any main types.
+	 *
+	 * @param subtype The sub type, which is left to a component for
+	 * interpretation. By default it's set to zero.
+	 */
+	explicit Tag(zeek::Tag::type_t type, zeek::Tag::subtype_t subtype = 0) : tag(type, subtype) { }
+
+	/**
+	 * Constructor.
+	 *
+	 * @param val An enum value of script type \c Logger::Tag.
+	 */
+	explicit Tag(EnumValPtr val) : tag(val) { }
+
+	/*
+	 * Copy constructor.
+	 */
+	Tag(const Tag& other) : tag(other.tag) { }
+
+	/**
+	 * Destructor.
+	 */
+	~Tag() { }
+
+	/**
+	 * Assignment operator.
+	 */
+	Tag& operator=(const Tag& other)
+		{
+		tag = other.tag;
+		return *this;
+		}
+
+	/**
+	 * Move assignment operator.
+	 */
+	Tag& operator=(Tag&& other) noexcept
+		{
+		tag = other.tag;
+		return *this;
+		}
+
+	/**
+	 * Compares two tags for equality.
+	 */
+	bool operator==(const Tag& other) const { return tag == other.tag; }
+
+	/**
+	 * Compares two tags for inequality.
+	 */
+	bool operator!=(const Tag& other) const { return tag != other.tag; }
+
+	/**
+	 * Compares two tags for less-than relationship.
+	 */
+	bool operator<(const Tag& other) const { return tag < other.tag; }
+
+	/**
+	 * Returns the numerical values for main and subtype inside a string
+	 * suitable for printing. This is primarily for debugging.
+	 */
+	std::string AsString() const { return tag.AsString(); }
+
+	/**
+	 * Returns the script-layer enum that corresponds to this tag.
+	 * The returned value does not have its ref-count increased.
+	 *
+	 * @param etype the script-layer enum type associated with the tag.
+	 */
+	const EnumValPtr& AsVal() const { return tag.AsVal(); }
+
+	/**
+	 * Returns false if the tag represents an error value rather than a
+	 * legal component type.
+	 */
+	explicit operator bool() const { return static_cast<bool>(tag); }
+
+private:
+	zeek::Tag tag;
+	};
 
 	} // namespace zeek::logging
diff --git a/src/packet_analysis/Tag.h b/src/packet_analysis/Tag.h
index bf1ee1ef66..ffbdfee105 100644
--- a/src/packet_analysis/Tag.h
+++ b/src/packet_analysis/Tag.h
@@ -4,11 +4,149 @@
 
 #include "zeek/zeek-config.h"
 
+#include <string>
+
 #include "zeek/Tag.h"
+#include "zeek/Val.h"
 
 namespace zeek::packet_analysis
 	{
 
-using Tag [[deprecated("Remove in v5.1. Use zeek::Tag.")]] = zeek::Tag;
+/**
+ * This class implements a wrapper around zeek::Tag , presenting the same interface as that
+ * member object. It previously implemented a full tag object for this type of plugin
+ * component, but that functionality was merged into zeek::Tag and the separate tag types were
+ * deprecated. This class will eventually be removed per the Zeek deprecation policy.
+ */
+class [[deprecated("Remove in v5.1. Use zeek::Tag.")]] Tag
+	{
+public:
+	/**
+	 * Type for the component's main type.
+	 */
+	using type_t = zeek::Tag::type_t;
+
+	/**
+	 * Type for the component's subtype.
+	 */
+	using subtype_t = zeek::Tag::subtype_t;
+
+	/**
+	 * Returns the tag's main type.
+	 */
+	zeek::Tag::type_t Type() const { return tag.Type(); }
+
+	/**
+	 * Returns the tag's subtype.
+	 */
+	zeek::Tag::subtype_t Subtype() const { return tag.Subtype(); }
+
+	/**
+	 * Default constructor. This initializes the tag with an error value
+	 * that will make \c operator \c bool return false.
+	 */
+	Tag() : tag() { }
+
+	/**
+	 * Constructor.
+	 *
+	 * @param etype the script-layer enum type associated with the tag.
+	 *
+	 * @param type The main type. Note that the manager class manages the
+	 * the value space internally, so noone else should assign main types.
+	 *
+	 * @param subtype The sub type, which is left to a component for
+	 * interpretation. By default it's set to zero.
+	 */
+	Tag(const EnumTypePtr& etype, zeek::Tag::type_t type, zeek::Tag::subtype_t subtype = 0)
+		: tag(etype, type, subtype)
+		{
+		}
+
+	/**
+	 * Constructor.
+	 *
+	 * @param type The main type. Note that the component's Manager
+	 * manages the value space internally, so noone else should assign
+	 * any main types.
+	 *
+	 * @param subtype The sub type, which is left to a component for
+	 * interpretation. By default it's set to zero.
+	 */
+	explicit Tag(zeek::Tag::type_t type, zeek::Tag::subtype_t subtype = 0) : tag(type, subtype) { }
+
+	/**
+	 * Constructor.
+	 *
+	 * @param val An enum value of script type \c PacketAnalyzer::Tag.
+	 */
+	explicit Tag(EnumValPtr val) : tag(val) { }
+
+	/*
+	 * Copy constructor.
+	 */
+	Tag(const Tag& other) : tag(other.tag) { }
+
+	/**
+	 * Destructor.
+	 */
+	~Tag() { }
+
+	/**
+	 * Assignment operator.
+	 */
+	Tag& operator=(const Tag& other)
+		{
+		tag = other.tag;
+		return *this;
+		}
+
+	/**
+	 * Move assignment operator.
+	 */
+	Tag& operator=(Tag&& other) noexcept
+		{
+		tag = other.tag;
+		return *this;
+		}
+
+	/**
+	 * Compares two tags for equality.
+	 */
+	bool operator==(const Tag& other) const { return tag == other.tag; }
+
+	/**
+	 * Compares two tags for inequality.
+	 */
+	bool operator!=(const Tag& other) const { return tag != other.tag; }
+
+	/**
+	 * Compares two tags for less-than relationship.
+	 */
+	bool operator<(const Tag& other) const { return tag < other.tag; }
+
+	/**
+	 * Returns the numerical values for main and subtype inside a string
+	 * suitable for printing. This is primarily for debugging.
+	 */
+	std::string AsString() const { return tag.AsString(); }
+
+	/**
+	 * Returns the script-layer enum that corresponds to this tag.
+	 * The returned value does not have its ref-count increased.
+	 *
+	 * @param etype the script-layer enum type associated with the tag.
+	 */
+	const EnumValPtr& AsVal() const { return tag.AsVal(); }
+
+	/**
+	 * Returns false if the tag represents an error value rather than a
+	 * legal component type.
+	 */
+	explicit operator bool() const { return static_cast<bool>(tag); }
+
+private:
+	zeek::Tag tag;
+	};
 
 	} // namespace zeek::packet_analysis

From d50dade24cf7b59ba1f81dc89561139b3e9793a0 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Fri, 3 Dec 2021 13:46:22 -0700
Subject: [PATCH 119/210] GH-1768: Properly cleanup existing log stream when
 recreated on with the same ID

---
 src/logging/Manager.cc | 11 +++++++++--
 src/logging/Manager.h  |  2 ++
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/src/logging/Manager.cc b/src/logging/Manager.cc
index 5966dd87d5..d35a92f2cf 100644
--- a/src/logging/Manager.cc
+++ b/src/logging/Manager.cc
@@ -311,8 +311,11 @@ bool Manager::CreateStream(EnumVal* id, RecordVal* sval)
 		streams.push_back(nullptr);
 
 	if ( streams[idx] )
-		// We already know this one, delete the previous definition.
-		delete streams[idx];
+		{
+		// We already know this one. Clean up the old version before making
+		// a new one.
+		RemoveStream(idx);
+		}
 
 	// Create new stream.
 	streams[idx] = new Stream;
@@ -334,7 +337,11 @@ bool Manager::CreateStream(EnumVal* id, RecordVal* sval)
 bool Manager::RemoveStream(EnumVal* id)
 	{
 	unsigned int idx = id->AsEnum();
+	return RemoveStream(idx);
+	}
 
+bool Manager::RemoveStream(unsigned int idx)
+	{
 	if ( idx >= streams.size() || ! streams[idx] )
 		return false;
 
diff --git a/src/logging/Manager.h b/src/logging/Manager.h
index 81526b8a9e..cd194fc797 100644
--- a/src/logging/Manager.h
+++ b/src/logging/Manager.h
@@ -299,6 +299,8 @@ private:
 	bool CompareFields(const Filter* filter, const WriterFrontend* writer);
 	bool CheckFilterWriterConflict(const WriterInfo* winfo, const Filter* filter);
 
+	bool RemoveStream(unsigned int idx);
+
 	std::vector<Stream*> streams; // Indexed by stream enum.
 	int rotations_pending; // Number of rotations not yet finished.
 	FuncPtr rotation_format_func;

From 3f9f47980ac0d7bf38f6cdfb9cfa7d2c51e51a2e Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Sat, 4 Dec 2021 20:24:39 -0500
Subject: [PATCH 120/210] updates to ZAM to track recent changes in script
 semantics

---
 src/script_opt/Reduce.cc                      |    6 +
 src/script_opt/ZAM/Expr.cc                    |    3 +-
 src/script_opt/ZAM/Ops.in                     |   24 +-
 src/script_opt/ZAM/ZBody.cc                   |    1 +
 .../Baseline.zam/bifs.disable_analyzer/out    |    7 +
 .../btest/Baseline.zam/plugins.hooks/output   | 2584 -----------------
 testing/btest/plugins/hooks.zeek              |    1 +
 7 files changed, 38 insertions(+), 2588 deletions(-)
 create mode 100644 testing/btest/Baseline.zam/bifs.disable_analyzer/out
 delete mode 100644 testing/btest/Baseline.zam/plugins.hooks/output

diff --git a/src/script_opt/Reduce.cc b/src/script_opt/Reduce.cc
index 63ad87f5af..8370a041a4 100644
--- a/src/script_opt/Reduce.cc
+++ b/src/script_opt/Reduce.cc
@@ -941,6 +941,12 @@ TraversalCode CSE_ValidityChecker::PreExpr(const Expr* e)
 			}
 			break;
 
+		case EXPR_TABLE_CONSTRUCTOR:
+			// These have EXPR_ASSIGN's in them that don't
+			// correspond to actual assignments to variables,
+			// so we don't want to traverse them.
+			return TC_ABORTSTMT;
+
 		default:
 			if ( in_aggr_mod_stmt && (t == EXPR_INDEX || t == EXPR_FIELD) )
 				{
diff --git a/src/script_opt/ZAM/Expr.cc b/src/script_opt/ZAM/Expr.cc
index 41309849a0..3682e9f1ca 100644
--- a/src/script_opt/ZAM/Expr.cc
+++ b/src/script_opt/ZAM/Expr.cc
@@ -230,7 +230,8 @@ const ZAMStmt ZAMCompiler::CompileAssignToIndex(const NameExpr* lhs, const Index
 	auto n = const_aggr ? nullptr : aggr->AsNameExpr();
 	auto con = const_aggr ? aggr->AsConstExpr() : nullptr;
 
-	if ( indexes.length() == 1 && indexes[0]->GetType()->Tag() == TYPE_VECTOR )
+	if ( indexes.length() == 1 && indexes[0]->GetType()->Tag() == TYPE_VECTOR &&
+	     aggr->GetType()->Tag() != TYPE_TABLE )
 		{
 		auto index1 = indexes[0];
 		if ( index1->Tag() == EXPR_CONST )
diff --git a/src/script_opt/ZAM/Ops.in b/src/script_opt/ZAM/Ops.in
index d74cacc9d5..f57ce19947 100644
--- a/src/script_opt/ZAM/Ops.in
+++ b/src/script_opt/ZAM/Ops.in
@@ -1055,7 +1055,17 @@ macro EvalConstructRecord(map_init, map_accessor)
 	auto n = aux->n;
 	map_init
 	for ( auto i = 0; i < n; ++i )
-		new_r->Assign(map_accessor, aux->ToVal(frame, i));
+		{
+		auto v_i = aux->ToVal(frame, i);
+		auto ind = map_accessor;
+		if ( v_i && v_i->GetType()->Tag() == TYPE_VECTOR &&
+		     v_i->GetType<VectorType>()->IsUnspecifiedVector() )
+			{
+			const auto& t_ind = rt->GetFieldType(ind);
+			v_i->AsVectorVal()->Concretize(t_ind->Yield());
+			}
+		new_r->Assign(ind, aux->ToVal(frame, i));
+		}
 	auto& r = frame[z.v1].record_val;
 	Unref(r);
 	r = new_r;
@@ -2084,9 +2094,17 @@ eval	EvalStrStr(frame[z.v2], z.c)
 internal-op Analyzer--Name
 type VV
 eval	auto atype = frame[z.v2].ToVal(z.t);
-	auto& name = analyzer_mgr->GetComponentName(cast_intrusive<EnumVal>(atype));
+	auto val = atype->AsEnumVal();
 	Unref(frame[z.v1].string_val);
-	frame[z.v1].string_val = new StringVal(name);
+	plugin::Component* component = zeek::analyzer_mgr->Lookup(val);
+	if ( ! component )
+		component = zeek::packet_mgr->Lookup(val);
+	if ( ! component )
+		component = zeek::file_mgr->Lookup(val);
+	if ( component )
+		frame[z.v1].string_val = new StringVal(component->CanonicalName());
+	else
+		frame[z.v1].string_val = new StringVal("<error>");
 
 internal-op Files--Enable-Reassembly
 op1-read
diff --git a/src/script_opt/ZAM/ZBody.cc b/src/script_opt/ZAM/ZBody.cc
index aa6efde064..c7fd492bc8 100644
--- a/src/script_opt/ZAM/ZBody.cc
+++ b/src/script_opt/ZAM/ZBody.cc
@@ -21,6 +21,7 @@
 #include "zeek/broker/Manager.h"
 #include "zeek/file_analysis/Manager.h"
 #include "zeek/logging/Manager.h"
+#include "zeek/packet_analysis/Manager.h"
 
 namespace zeek::detail
 	{
diff --git a/testing/btest/Baseline.zam/bifs.disable_analyzer/out b/testing/btest/Baseline.zam/bifs.disable_analyzer/out
new file mode 100644
index 0000000000..2a4cdae144
--- /dev/null
+++ b/testing/btest/Baseline.zam/bifs.disable_analyzer/out
@@ -0,0 +1,7 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+proto confirm, AllAnalyzers::ANALYZER_ANALYZER_HTTP
+http_request, GET, /style/enhanced.css
+T
+total http messages, {
+[[orig_h=192.168.1.104, orig_p=1673/tcp, resp_h=63.245.209.11, resp_p=80/tcp]] = 1
+}
diff --git a/testing/btest/Baseline.zam/plugins.hooks/output b/testing/btest/Baseline.zam/plugins.hooks/output
deleted file mode 100644
index 5a216d8087..0000000000
--- a/testing/btest/Baseline.zam/plugins.hooks/output
+++ /dev/null
@@ -1,2584 +0,0 @@
-### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-0.000000   MetaHookPost  CallFunction(Analyzer::__disable_analyzer, <frame>, (Analyzer::ANALYZER_TCPSTATS)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_AYIYA, 5072/udp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DCE_RPC, 135/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DHCP, 4011/udp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DHCP, 67/udp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DHCP, 68/udp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DNP3_TCP, 20000/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DNP3_TCP, 20000/udp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DNS, 137/udp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DNS, 53/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DNS, 53/udp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DNS, 5353/udp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DNS, 5355/udp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DTLS, 443/udp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 21/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 2811/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_GENEVE, 6081/udp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_GTPV1, 2123/udp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_GTPV1, 2152/udp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 1080/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 3128/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 631/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 80/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 8000/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 8080/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 81/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 8888/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_IMAP, 143/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_IRC, 6666/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_IRC, 6667/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_IRC, 6668/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_IRC, 6669/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_KRB, 88/udp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_KRB_TCP, 88/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_MODBUS, 502/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_MYSQL, 1434/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_MYSQL, 3306/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_NTP, 123/udp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_RADIUS, 1812/udp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_RDP, 3389/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_RDPEUDP, 3389/udp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SIP, 5060/udp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SMB, 139/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SMB, 445/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SMTP, 25/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SMTP, 587/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SNMP, 161/udp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SNMP, 162/udp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SOCKS, 1080/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SSH, 22/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 443/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 5223/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 563/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 585/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 614/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 636/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 989/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 990/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 992/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 993/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 995/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SYSLOG, 514/udp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_TEREDO, 3544/udp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_VXLAN, 4789/udp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Broker::__set_metrics_export_endpoint_name, <frame>, ()) -> <no result>
-0.000000   MetaHookPost  CallFunction(Broker::__set_metrics_export_interval, <frame>, (1.0 sec)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Broker::__set_metrics_export_prefixes, <frame>, ([])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Broker::__set_metrics_export_topic, <frame>, ()) -> <no result>
-0.000000   MetaHookPost  CallFunction(Broker::__subscribe, <frame>, (zeek/supervisor)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Cluster::is_enabled, <frame>, ()) -> <no result>
-0.000000   MetaHookPost  CallFunction(Cluster::is_enabled, <null>, ()) -> <no result>
-0.000000   MetaHookPost  CallFunction(Cluster::local_node_type, <null>, ()) -> <no result>
-0.000000   MetaHookPost  CallFunction(FilteredTraceDetection::should_detect, <null>, ()) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (Broker::LOG, [name=default, writer=Log::WRITER_ASCII, path=broker, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, path=cluster, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (Config::LOG, [name=default, writer=Log::WRITER_ASCII, path=config, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (Conn::LOG, [name=default, writer=Log::WRITER_ASCII, path=conn, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (DCE_RPC::LOG, [name=default, writer=Log::WRITER_ASCII, path=dce_rpc, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, path=dhcp, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (DNP3::LOG, [name=default, writer=Log::WRITER_ASCII, path=dnp3, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (DNS::LOG, [name=default, writer=Log::WRITER_ASCII, path=dns, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (DPD::LOG, [name=default, writer=Log::WRITER_ASCII, path=dpd, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (FTP::LOG, [name=default, writer=Log::WRITER_ASCII, path=ftp, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (Files::LOG, [name=default, writer=Log::WRITER_ASCII, path=files, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, path=http, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (IRC::LOG, [name=default, writer=Log::WRITER_ASCII, path=irc, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (Intel::LOG, [name=default, writer=Log::WRITER_ASCII, path=intel, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (KRB::LOG, [name=default, writer=Log::WRITER_ASCII, path=kerberos, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, path=modbus, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (NTLM::LOG, [name=default, writer=Log::WRITER_ASCII, path=ntlm, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (NTP::LOG, [name=default, writer=Log::WRITER_ASCII, path=ntp, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (NetControl::DROP_LOG, [name=default, writer=Log::WRITER_ASCII, path=netcontrol_drop, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (NetControl::LOG, [name=default, writer=Log::WRITER_ASCII, path=netcontrol, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (NetControl::SHUNT, [name=default, writer=Log::WRITER_ASCII, path=netcontrol_shunt, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, path=notice_alarm, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, path=notice, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (OCSP::LOG, [name=default, writer=Log::WRITER_ASCII, path=ocsp, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (OpenFlow::LOG, [name=default, writer=Log::WRITER_ASCII, path=openflow, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (PE::LOG, [name=default, writer=Log::WRITER_ASCII, path=pe, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, path=packet_filter, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, path=radius, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (RDP::LOG, [name=default, writer=Log::WRITER_ASCII, path=rdp, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (RFB::LOG, [name=default, writer=Log::WRITER_ASCII, path=rfb, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, path=reporter, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (SIP::LOG, [name=default, writer=Log::WRITER_ASCII, path=sip, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (SMB::FILES_LOG, [name=default, writer=Log::WRITER_ASCII, path=smb_files, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (SMB::MAPPING_LOG, [name=default, writer=Log::WRITER_ASCII, path=smb_mapping, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, path=smtp, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, path=snmp, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, path=socks, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (SSH::LOG, [name=default, writer=Log::WRITER_ASCII, path=ssh, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (SSL::LOG, [name=default, writer=Log::WRITER_ASCII, path=ssl, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (SSL::LOG, [name=default, writer=Log::WRITER_ASCII, path=ssl, path_func=<uninitialized>, include=<uninitialized>, exclude={issuer,client_subject,subject,client_issuer}, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (Signatures::LOG, [name=default, writer=Log::WRITER_ASCII, path=signatures, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (Software::LOG, [name=default, writer=Log::WRITER_ASCII, path=software, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, path=syslog, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, path=tunnel, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, path=weird, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (X509::LOG, [name=default, writer=Log::WRITER_ASCII, path=x509, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, path=mysql, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Broker::LOG, [columns=Broker::Info, ev=<uninitialized>, path=broker, policy=Broker::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Cluster::LOG, [columns=Cluster::Info, ev=<uninitialized>, path=cluster, policy=Cluster::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Config::LOG, [columns=Config::Info, ev=Config::log_config, path=config, policy=Config::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Conn::LOG, [columns=Conn::Info, ev=Conn::log_conn, path=conn, policy=Conn::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (DCE_RPC::LOG, [columns=DCE_RPC::Info, ev=<uninitialized>, path=dce_rpc, policy=DCE_RPC::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (DHCP::LOG, [columns=DHCP::Info, ev=DHCP::log_dhcp, path=dhcp, policy=DHCP::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (DNP3::LOG, [columns=DNP3::Info, ev=DNP3::log_dnp3, path=dnp3, policy=DNP3::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (DNS::LOG, [columns=DNS::Info, ev=DNS::log_dns, path=dns, policy=DNS::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (DPD::LOG, [columns=DPD::Info, ev=<uninitialized>, path=dpd, policy=DPD::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (FTP::LOG, [columns=FTP::Info, ev=FTP::log_ftp, path=ftp, policy=FTP::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files, policy=Files::log_policyZAM-code Files::log_policy ])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http, policy=HTTP::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (IRC::LOG, [columns=IRC::Info, ev=IRC::irc_log, path=irc, policy=IRC::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Intel::LOG, [columns=Intel::Info, ev=Intel::log_intel, path=intel, policy=Intel::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (KRB::LOG, [columns=KRB::Info, ev=KRB::log_krb, path=kerberos, policy=KRB::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Modbus::LOG, [columns=Modbus::Info, ev=Modbus::log_modbus, path=modbus, policy=Modbus::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (NTLM::LOG, [columns=NTLM::Info, ev=<uninitialized>, path=ntlm, policy=NTLM::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (NTP::LOG, [columns=NTP::Info, ev=NTP::log_ntp, path=ntp, policy=NTP::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (NetControl::DROP_LOG, [columns=NetControl::DropInfo, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop, policy=NetControl::log_policy_drop])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (NetControl::LOG, [columns=NetControl::Info, ev=NetControl::log_netcontrol, path=netcontrol, policy=NetControl::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (NetControl::SHUNT, [columns=NetControl::ShuntInfo, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt, policy=NetControl::log_policy_shunt])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Notice::ALARM_LOG, [columns=Notice::Info, ev=<uninitialized>, path=notice_alarm, policy=Notice::log_policy_alarm])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice, policy=Notice::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (OCSP::LOG, [columns=OCSP::Info, ev=OCSP::log_ocsp, path=ocsp, policy=OCSP::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (OpenFlow::LOG, [columns=OpenFlow::Info, ev=OpenFlow::log_openflow, path=openflow, policy=OpenFlow::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (PE::LOG, [columns=PE::Info, ev=PE::log_pe, path=pe, policy=PE::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (PacketFilter::LOG, [columns=PacketFilter::Info, ev=<uninitialized>, path=packet_filter, policy=PacketFilter::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (RADIUS::LOG, [columns=RADIUS::Info, ev=RADIUS::log_radius, path=radius, policy=RADIUS::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (RDP::LOG, [columns=RDP::Info, ev=RDP::log_rdp, path=rdp, policy=RDP::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (RFB::LOG, [columns=RFB::Info, ev=RFB::log_rfb, path=rfb, policy=RFB::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Reporter::LOG, [columns=Reporter::Info, ev=<uninitialized>, path=reporter, policy=Reporter::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (SIP::LOG, [columns=SIP::Info, ev=SIP::log_sip, path=sip, policy=SIP::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (SMB::FILES_LOG, [columns=SMB::FileInfo, ev=<uninitialized>, path=smb_files, policy=SMB::log_policy_files])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (SMB::MAPPING_LOG, [columns=SMB::TreeInfo, ev=<uninitialized>, path=smb_mapping, policy=SMB::log_policy_mapping])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (SMTP::LOG, [columns=SMTP::Info, ev=SMTP::log_smtp, path=smtp, policy=SMTP::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (SNMP::LOG, [columns=SNMP::Info, ev=SNMP::log_snmp, path=snmp, policy=SNMP::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (SOCKS::LOG, [columns=SOCKS::Info, ev=SOCKS::log_socks, path=socks, policy=SOCKS::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (SSH::LOG, [columns=SSH::Info, ev=SSH::log_ssh, path=ssh, policy=SSH::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (SSL::LOG, [columns=SSL::Info, ev=SSL::log_ssl, path=ssl, policy=SSL::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Signatures::LOG, [columns=Signatures::Info, ev=Signatures::log_signature, path=signatures, policy=Signatures::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Software::LOG, [columns=Software::Info, ev=Software::log_software, path=software, policy=Software::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Syslog::LOG, [columns=Syslog::Info, ev=<uninitialized>, path=syslog, policy=Syslog::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Tunnel::LOG, [columns=Tunnel::Info, ev=<uninitialized>, path=tunnel, policy=Tunnel::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509, policy=X509::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql, policy=MySQL::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::log_stream_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T], PacketFilter::LOG)) -> <no result>
-0.000000   MetaHookPost  CallFunction(NetControl::init, <null>, ()) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (ActiveHTTP::default_max_time, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (ActiveHTTP::default_method, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Broker::metrics_export_endpoint_name, Broker::update_metrics_export_endpoint_nameZAM-code Broker::update_metrics_export_endpoint_name , 0)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Broker::metrics_export_endpoint_name, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Broker::metrics_export_interval, Broker::update_metrics_export_intervalZAM-code Broker::update_metrics_export_interval , 0)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Broker::metrics_export_interval, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Broker::metrics_export_prefixes, Broker::update_metrics_export_prefixesZAM-code Broker::update_metrics_export_prefixes , 0)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Broker::metrics_export_prefixes, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Broker::metrics_export_topic, Broker::update_metrics_export_topicZAM-code Broker::update_metrics_export_topic , 0)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Broker::metrics_export_topic, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Broker::peer_counts_as_iosource, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Conn::analyzer_inactivity_timeouts, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Conn::default_extract, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Conn::extraction_prefix, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Conn::port_inactivity_timeouts, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (DCE_RPC::ignored_operations, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (DHCP::max_txid_watch_time, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (DNS::max_pending_msgs, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (DNS::max_pending_query_ids, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (DPD::ignore_violations, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (DPD::ignore_violations_after, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (DPD::max_violations, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Dir::polling_interval, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (FTP::cmd_reply_code, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (FTP::default_capture_password, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (FTP::guest_ids, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (FTP::logged_commands, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (FileExtract::default_limit, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Files::enable_reassembler, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (GridFTP::max_time, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (GridFTP::size_threshold, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (GridFTP::skip_data, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (HTTP::default_capture_password, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (HTTP::http_methods, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (HTTP::max_files_orig, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (HTTP::max_files_resp, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (HTTP::proxy_headers, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Input::default_mode, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Input::default_reader, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (KRB::ignored_errors, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Log::default_rotation_dir, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (MQTT::max_payload_size, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (NetControl::default_priority, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Notice::alarmed_types, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Notice::default_suppression_interval, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Notice::emailed_types, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Notice::ignored_types, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Notice::lookup_location_types, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Notice::mail_from, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Notice::mail_page_dest, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Notice::mail_subject_prefix, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Notice::not_suppressed_types, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Notice::reply_to, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Notice::sendmail, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (RDP::disable_analyzer_after_detection, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (RDP::rdp_check_interval, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (SIP::sip_methods, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (SMB::logged_file_actions, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (SMTP::mail_path_capture, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (SOCKS::default_capture_password, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (SSH::compression_algorithms, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (SSH::disable_analyzer_after_detection, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (SSL::ct_logs, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (SSL::disable_analyzer_after_detection, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Signatures::ignored_ids, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Signatures::summary_interval, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Site::local_admins, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Site::local_nets, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Site::local_zones, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Site::neighbor_nets, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Site::neighbor_zones, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Site::private_address_space, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Software::asset_tracking, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Weird::ignore_hosts, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Weird::sampling_duration, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Weird::sampling_duration, Config::weird_option_change_intervalZAM-code Config::weird_option_change_interval , 5)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Weird::sampling_global_list, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Weird::sampling_rate, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Weird::sampling_rate, Config::weird_option_change_countZAM-code Config::weird_option_change_count , 5)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Weird::sampling_threshold, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Weird::sampling_threshold, Config::weird_option_change_countZAM-code Config::weird_option_change_count , 5)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Weird::sampling_whitelist, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Weird::sampling_whitelist, Config::weird_option_change_sampling_whitelistZAM-code Config::weird_option_change_sampling_whitelist , 5)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (Weird::weird_do_not_ignore_repeats, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (X509::caching_required_encounters, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (X509::caching_required_encounters_interval, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (X509::certificate_cache_max_entries, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (X509::certificate_cache_minimum_eviction_interval, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (X509::hash_function, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (X509::known_log_certs_maximum_size, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (X509::log_x509_in_files_log, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (X509::relog_known_certificates_after, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (default_file_bof_buffer_size, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (default_file_timeout_interval, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (ignore_checksums_nets, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (ignore_checksums_nets, PacketAnalyzer::IP::analyzer_option_change_ignore_checksums_netsZAM-code PacketAnalyzer::IP::analyzer_option_change_ignore_checksums_nets , 5)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (udp_content_delivery_ports_use_resp, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (udp_content_ports, Config::config_option_changedZAM-code Config::config_option_changed , -100)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 2048, PacketAnalyzer::ANALYZER_IP)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 2054, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 32821, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 33024, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 34525, PacketAnalyzer::ANALYZER_IP)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 34887, PacketAnalyzer::ANALYZER_MPLS)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 34916, PacketAnalyzer::ANALYZER_PPPOE)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 34984, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 35110, PacketAnalyzer::ANALYZER_VNTAG)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 37120, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IEEE802_11, 2048, PacketAnalyzer::ANALYZER_IP)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IEEE802_11, 2054, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IEEE802_11, 32821, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IEEE802_11, 34525, PacketAnalyzer::ANALYZER_IP)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IEEE802_11_RADIO, 105, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IP, 1, PacketAnalyzer::ANALYZER_ICMP)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IP, 17, PacketAnalyzer::ANALYZER_UDP)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IP, 4, PacketAnalyzer::ANALYZER_IPTUNNEL)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IP, 41, PacketAnalyzer::ANALYZER_IPTUNNEL)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IP, 47, PacketAnalyzer::ANALYZER_GRE)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IP, 58, PacketAnalyzer::ANALYZER_ICMP)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IP, 6, PacketAnalyzer::ANALYZER_TCP)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_LINUXSLL, 2048, PacketAnalyzer::ANALYZER_IP)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_LINUXSLL, 2054, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_LINUXSLL, 32821, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_LINUXSLL, 34525, PacketAnalyzer::ANALYZER_IP)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_NFLOG, 10, PacketAnalyzer::ANALYZER_IP)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_NFLOG, 2, PacketAnalyzer::ANALYZER_IP)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_NULL, 2, PacketAnalyzer::ANALYZER_IP)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_NULL, 24, PacketAnalyzer::ANALYZER_IP)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_NULL, 28, PacketAnalyzer::ANALYZER_IP)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_NULL, 30, PacketAnalyzer::ANALYZER_IP)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_PPPOE, 33, PacketAnalyzer::ANALYZER_IP)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_PPPOE, 87, PacketAnalyzer::ANALYZER_IP)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_PPPSERIAL, 33, PacketAnalyzer::ANALYZER_IP)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_PPPSERIAL, 641, PacketAnalyzer::ANALYZER_MPLS)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_PPPSERIAL, 87, PacketAnalyzer::ANALYZER_IP)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 0, PacketAnalyzer::ANALYZER_NULL)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 1, PacketAnalyzer::ANALYZER_ETHERNET)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 10, PacketAnalyzer::ANALYZER_FDDI)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 105, PacketAnalyzer::ANALYZER_IEEE802_11)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 113, PacketAnalyzer::ANALYZER_LINUXSLL)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 2048, PacketAnalyzer::ANALYZER_IP)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 2054, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 32821, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 33024, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 34525, PacketAnalyzer::ANALYZER_IP)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 34887, PacketAnalyzer::ANALYZER_MPLS)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 34916, PacketAnalyzer::ANALYZER_PPPOE)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 33024, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 34984, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 37120, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketFilter::log_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T], PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, path=packet_filter, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Pcap::install_pcap_filter, <frame>, (PacketFilter::DefaultPcapFilter)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Pcap::precompile_pcap_filter, <frame>, (PacketFilter::DefaultPcapFilter, ip or not ip)) -> <no result>
-0.000000   MetaHookPost  CallFunction(SumStats::register_observe_plugins, <frame>, ()) -> <no result>
-0.000000   MetaHookPost  CallFunction(Supervisor::__is_supervisor, <frame>, ()) -> <no result>
-0.000000   MetaHookPost  CallFunction(__init_primary_bifs, <null>, ()) -> <no result>
-0.000000   MetaHookPost  CallFunction(__init_secondary_bifs, <null>, ()) -> <no result>
-0.000000   MetaHookPost  CallFunction(filter_change_tracking, <null>, ()) -> <no result>
-0.000000   MetaHookPost  CallFunction(getenv, <null>, (CLUSTER_NODE)) -> <no result>
-0.000000   MetaHookPost  CallFunction(getenv, <null>, (ZEEK_DEFAULT_LISTEN_ADDRESS)) -> <no result>
-0.000000   MetaHookPost  CallFunction(global_ids, <frame>, ()) -> <no result>
-0.000000   MetaHookPost  CallFunction(string_to_pattern, <frame>, ((^\.?|\.)()$, F)) -> <no result>
-0.000000   MetaHookPost  CallFunction(sub, <frame>, ((^\.?|\.)(~~)$, <...>/, )) -> <no result>
-0.000000   MetaHookPost  CallFunction(x509_set_certificate_cache, <frame>, ({})) -> <no result>
-0.000000   MetaHookPost  CallFunction(x509_set_certificate_cache_hit_callback, <frame>, (X509::x509_certificate_cache_replayZAM-code X509::x509_certificate_cache_replay )) -> <no result>
-0.000000   MetaHookPost  CallFunction(zeek_args, <frame>, ()) -> <no result>
-0.000000   MetaHookPost  CallFunction(zeek_init, <null>, ()) -> <no result>
-0.000000   MetaHookPost  DrainEvents() -> <void>
-0.000000   MetaHookPost  LoadFile(0, ../main, <...>/main.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ../plugin, <...>/plugin.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./CPP-load.bif.zeek, <...>/CPP-load.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_ARP.events.bif.zeek, <...>/Zeek_ARP.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_AsciiReader.ascii.bif.zeek, <...>/Zeek_AsciiReader.ascii.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_AsciiWriter.ascii.bif.zeek, <...>/Zeek_AsciiWriter.ascii.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_BenchmarkReader.benchmark.bif.zeek, <...>/Zeek_BenchmarkReader.benchmark.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_BinaryReader.binary.bif.zeek, <...>/Zeek_BinaryReader.binary.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_BitTorrent.events.bif.zeek, <...>/Zeek_BitTorrent.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_ConfigReader.config.bif.zeek, <...>/Zeek_ConfigReader.config.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_ConnSize.events.bif.zeek, <...>/Zeek_ConnSize.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_ConnSize.functions.bif.zeek, <...>/Zeek_ConnSize.functions.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_DCE_RPC.consts.bif.zeek, <...>/Zeek_DCE_RPC.consts.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_DCE_RPC.events.bif.zeek, <...>/Zeek_DCE_RPC.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_DCE_RPC.types.bif.zeek, <...>/Zeek_DCE_RPC.types.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_DHCP.events.bif.zeek, <...>/Zeek_DHCP.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_DHCP.types.bif.zeek, <...>/Zeek_DHCP.types.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_DNP3.events.bif.zeek, <...>/Zeek_DNP3.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_DNS.events.bif.zeek, <...>/Zeek_DNS.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_FTP.events.bif.zeek, <...>/Zeek_FTP.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_FTP.functions.bif.zeek, <...>/Zeek_FTP.functions.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_File.events.bif.zeek, <...>/Zeek_File.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_FileEntropy.events.bif.zeek, <...>/Zeek_FileEntropy.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_FileExtract.events.bif.zeek, <...>/Zeek_FileExtract.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_FileExtract.functions.bif.zeek, <...>/Zeek_FileExtract.functions.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_FileHash.events.bif.zeek, <...>/Zeek_FileHash.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_Finger.events.bif.zeek, <...>/Zeek_Finger.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_GSSAPI.events.bif.zeek, <...>/Zeek_GSSAPI.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_GTPv1.events.bif.zeek, <...>/Zeek_GTPv1.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_Geneve.events.bif.zeek, <...>/Zeek_Geneve.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_Gnutella.events.bif.zeek, <...>/Zeek_Gnutella.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_HTTP.events.bif.zeek, <...>/Zeek_HTTP.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_HTTP.functions.bif.zeek, <...>/Zeek_HTTP.functions.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_ICMP.events.bif.zeek, <...>/Zeek_ICMP.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_IMAP.events.bif.zeek, <...>/Zeek_IMAP.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_IRC.events.bif.zeek, <...>/Zeek_IRC.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_Ident.events.bif.zeek, <...>/Zeek_Ident.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_KRB.events.bif.zeek, <...>/Zeek_KRB.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_KRB.types.bif.zeek, <...>/Zeek_KRB.types.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_Login.events.bif.zeek, <...>/Zeek_Login.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_Login.functions.bif.zeek, <...>/Zeek_Login.functions.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_MIME.events.bif.zeek, <...>/Zeek_MIME.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_MQTT.events.bif.zeek, <...>/Zeek_MQTT.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_MQTT.types.bif.zeek, <...>/Zeek_MQTT.types.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_Modbus.events.bif.zeek, <...>/Zeek_Modbus.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_MySQL.events.bif.zeek, <...>/Zeek_MySQL.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_NCP.consts.bif.zeek, <...>/Zeek_NCP.consts.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_NCP.events.bif.zeek, <...>/Zeek_NCP.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_NTLM.events.bif.zeek, <...>/Zeek_NTLM.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_NTLM.types.bif.zeek, <...>/Zeek_NTLM.types.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_NTP.events.bif.zeek, <...>/Zeek_NTP.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_NTP.types.bif.zeek, <...>/Zeek_NTP.types.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_NetBIOS.events.bif.zeek, <...>/Zeek_NetBIOS.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_NetBIOS.functions.bif.zeek, <...>/Zeek_NetBIOS.functions.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_NoneWriter.none.bif.zeek, <...>/Zeek_NoneWriter.none.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_PE.events.bif.zeek, <...>/Zeek_PE.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_POP3.events.bif.zeek, <...>/Zeek_POP3.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_RADIUS.events.bif.zeek, <...>/Zeek_RADIUS.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_RDP.events.bif.zeek, <...>/Zeek_RDP.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_RDP.types.bif.zeek, <...>/Zeek_RDP.types.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_RFB.events.bif.zeek, <...>/Zeek_RFB.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_RPC.events.bif.zeek, <...>/Zeek_RPC.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_RawReader.raw.bif.zeek, <...>/Zeek_RawReader.raw.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SIP.events.bif.zeek, <...>/Zeek_SIP.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SMB.consts.bif.zeek, <...>/Zeek_SMB.consts.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SMB.events.bif.zeek, <...>/Zeek_SMB.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SMB.smb1_com_check_directory.bif.zeek, <...>/Zeek_SMB.smb1_com_check_directory.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SMB.smb1_com_close.bif.zeek, <...>/Zeek_SMB.smb1_com_close.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SMB.smb1_com_create_directory.bif.zeek, <...>/Zeek_SMB.smb1_com_create_directory.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SMB.smb1_com_echo.bif.zeek, <...>/Zeek_SMB.smb1_com_echo.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SMB.smb1_com_logoff_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_logoff_andx.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SMB.smb1_com_negotiate.bif.zeek, <...>/Zeek_SMB.smb1_com_negotiate.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SMB.smb1_com_nt_cancel.bif.zeek, <...>/Zeek_SMB.smb1_com_nt_cancel.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SMB.smb1_com_nt_create_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_nt_create_andx.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SMB.smb1_com_query_information.bif.zeek, <...>/Zeek_SMB.smb1_com_query_information.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SMB.smb1_com_read_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_read_andx.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SMB.smb1_com_session_setup_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_session_setup_andx.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SMB.smb1_com_transaction.bif.zeek, <...>/Zeek_SMB.smb1_com_transaction.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SMB.smb1_com_transaction2.bif.zeek, <...>/Zeek_SMB.smb1_com_transaction2.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek, <...>/Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SMB.smb1_com_transaction_secondary.bif.zeek, <...>/Zeek_SMB.smb1_com_transaction_secondary.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SMB.smb1_com_tree_disconnect.bif.zeek, <...>/Zeek_SMB.smb1_com_tree_disconnect.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SMB.smb1_com_write_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_write_andx.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SMB.smb1_events.bif.zeek, <...>/Zeek_SMB.smb1_events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SMB.smb2_com_close.bif.zeek, <...>/Zeek_SMB.smb2_com_close.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SMB.smb2_com_create.bif.zeek, <...>/Zeek_SMB.smb2_com_create.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SMB.smb2_com_negotiate.bif.zeek, <...>/Zeek_SMB.smb2_com_negotiate.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SMB.smb2_com_read.bif.zeek, <...>/Zeek_SMB.smb2_com_read.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SMB.smb2_com_session_setup.bif.zeek, <...>/Zeek_SMB.smb2_com_session_setup.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SMB.smb2_com_set_info.bif.zeek, <...>/Zeek_SMB.smb2_com_set_info.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SMB.smb2_com_transform_header.bif.zeek, <...>/Zeek_SMB.smb2_com_transform_header.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SMB.smb2_com_tree_connect.bif.zeek, <...>/Zeek_SMB.smb2_com_tree_connect.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SMB.smb2_com_tree_disconnect.bif.zeek, <...>/Zeek_SMB.smb2_com_tree_disconnect.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SMB.smb2_com_write.bif.zeek, <...>/Zeek_SMB.smb2_com_write.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SMB.smb2_events.bif.zeek, <...>/Zeek_SMB.smb2_events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SMB.types.bif.zeek, <...>/Zeek_SMB.types.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SMTP.events.bif.zeek, <...>/Zeek_SMTP.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SMTP.functions.bif.zeek, <...>/Zeek_SMTP.functions.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SNMP.events.bif.zeek, <...>/Zeek_SNMP.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SNMP.types.bif.zeek, <...>/Zeek_SNMP.types.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SOCKS.events.bif.zeek, <...>/Zeek_SOCKS.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SQLiteReader.sqlite.bif.zeek, <...>/Zeek_SQLiteReader.sqlite.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SQLiteWriter.sqlite.bif.zeek, <...>/Zeek_SQLiteWriter.sqlite.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SSH.events.bif.zeek, <...>/Zeek_SSH.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SSH.types.bif.zeek, <...>/Zeek_SSH.types.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SSL.consts.bif.zeek, <...>/Zeek_SSL.consts.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SSL.events.bif.zeek, <...>/Zeek_SSL.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SSL.functions.bif.zeek, <...>/Zeek_SSL.functions.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SSL.types.bif.zeek, <...>/Zeek_SSL.types.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_Syslog.events.bif.zeek, <...>/Zeek_Syslog.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_TCP.events.bif.zeek, <...>/Zeek_TCP.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_Teredo.events.bif.zeek, <...>/Zeek_Teredo.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_UDP.events.bif.zeek, <...>/Zeek_UDP.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_Unified2.events.bif.zeek, <...>/Zeek_Unified2.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_Unified2.types.bif.zeek, <...>/Zeek_Unified2.types.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_VXLAN.events.bif.zeek, <...>/Zeek_VXLAN.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_X509.events.bif.zeek, <...>/Zeek_X509.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_X509.functions.bif.zeek, <...>/Zeek_X509.functions.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_X509.ocsp_events.bif.zeek, <...>/Zeek_X509.ocsp_events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_X509.types.bif.zeek, <...>/Zeek_X509.types.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_XMPP.events.bif.zeek, <...>/Zeek_XMPP.events.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./acld, <...>/acld.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./addrs, <...>/addrs.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./analyzer.bif.zeek, <...>/analyzer.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./api, <...>/api.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./average, <...>/average.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./bloom-filter.bif.zeek, <...>/bloom-filter.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./broker, <...>/broker.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./cardinality-counter.bif.zeek, <...>/cardinality-counter.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./certificate-event-cache, <...>/certificate-event-cache.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./comm.bif.zeek, <...>/comm.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./const-dos-error, <...>/const-dos-error.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./const-nt-status, <...>/const-nt-status.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./const.bif.zeek, <...>/const.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./consts, <...>/consts.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./contents, <...>/contents.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./control, <...>/control.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./ct-list, <...>/ct-list.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./data.bif.zeek, <...>/data.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./dcc-send, <...>/dcc-send.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./debug, <...>/debug.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./drop, <...>/drop.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./entities, <...>/entities.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./event.bif.zeek, <...>/event.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./exec, <...>/exec.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./file_analysis.bif.zeek, <...>/file_analysis.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./files, <...>/files.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./gridftp, <...>/gridftp.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./hll_unique, <...>/hll_unique.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./hooks.bif.zeek, <...>/hooks.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./inactivity, <...>/inactivity.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./info, <...>/info.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./input, <...>/input.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./input.bif.zeek, <...>/input.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./last, <...>/last.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./log, <...>/log.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./log-ocsp, <...>/log-ocsp.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./logging.bif.zeek, <...>/logging.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./magic, <...>/magic) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./main, <...>/main.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./max, <...>/max.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./messaging.bif.zeek, <...>/messaging.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./min, <...>/min.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./mozilla-ca-list, <...>/mozilla-ca-list.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./netstats, <...>/netstats.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./non-cluster, <...>/non-cluster.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./openflow, <...>/openflow.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./option.bif.zeek, <...>/option.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./packet_analysis.bif.zeek, <...>/packet_analysis.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./packetfilter, <...>/packetfilter.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./patterns, <...>/patterns.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./pcap.bif.zeek, <...>/pcap.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./plugin, <...>/plugin.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./plugins, <...>/plugins) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./polling, <...>/polling.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./pools, <...>/pools.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./postprocessors, <...>/postprocessors) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./removal-hooks, <...>/removal-hooks.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./reporter.bif.zeek, <...>/reporter.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./ryu, <...>/ryu.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./sample, <...>/sample.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./scp, <...>/scp.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./sftp, <...>/sftp.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./shunt, <...>/shunt.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./site, <...>/site.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./smb1-main, <...>/smb1-main.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./smb2-main, <...>/smb2-main.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./stats.bif.zeek, <...>/stats.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./std-dev, <...>/std-dev.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./store, <...>/store.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./store.bif.zeek, <...>/store.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./strings.bif.zeek, <...>/strings.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./sum, <...>/sum.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./supervisor.bif.zeek, <...>/supervisor.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./telemetry.bif.zeek, <...>/telemetry.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./thresholds, <...>/thresholds.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./top-k.bif.zeek, <...>/top-k.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./topk, <...>/topk.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./types, <...>/types.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./types.bif.zeek, <...>/types.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./unique, <...>/unique.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./utils, <...>/utils.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./utils-commands, <...>/utils-commands.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./variance, <...>/variance.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./weird, <...>/weird.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./zeek.bif.zeek, <...>/zeek.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./zeekygen.bif.zeek, <...>/zeekygen.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/add-geodata, <...>/add-geodata.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/ascii, <...>/ascii.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/benchmark, <...>/benchmark.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/binary, <...>/binary.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/config, <...>/config.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/email_admin, <...>/email_admin.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/none, <...>/none.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/page, <...>/page.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/pp-alarms, <...>/pp-alarms.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/raw, <...>/raw.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, .<...>/sqlite, <...>/sqlite.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, <...>/__load__.zeek, <...>/__load__.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, <...>/__preload__.zeek, <...>/__preload__.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, <...>/hooks.zeek, <...>/hooks.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base/bif, <...>/bif) -> -1
-0.000000   MetaHookPost  LoadFile(0, base/init-default, <...>/init-default.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base/init-frameworks-and-bifs.zeek, <...>/init-frameworks-and-bifs.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base/packet-protocols, <...>/packet-protocols) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/CPP-load.bif, <...>/CPP-load.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/Zeek_KRB.types.bif, <...>/Zeek_KRB.types.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/Zeek_SNMP.types.bif, <...>/Zeek_SNMP.types.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/active-http, <...>/active-http.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/addrs, <...>/addrs.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/analyzer, <...>/analyzer) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/analyzer.bif, <...>/analyzer.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/api, <...>/api.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/backtrace, <...>/backtrace.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/broker, <...>/broker) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/cluster, <...>/cluster) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/comm.bif, <...>/comm.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/config, <...>/config) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/conn, <...>/conn) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/conn-ids, <...>/conn-ids.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/const.bif, <...>/const.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/control, <...>/control) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/data.bif, <...>/data.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/dce-rpc, <...>/dce-rpc) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/dhcp, <...>/dhcp) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/dir, <...>/dir.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/directions-and-hosts, <...>/directions-and-hosts.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/dnp3, <...>/dnp3) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/dns, <...>/dns) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/dpd, <...>/dpd) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/email, <...>/email.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/ethernet, <...>/ethernet) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/event.bif, <...>/event.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/exec, <...>/exec.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/extract, <...>/extract) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/fddi, <...>/fddi) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/file_analysis.bif, <...>/file_analysis.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/files, <...>/files) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/files, <...>/files.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/find-checksum-offloading, <...>/find-checksum-offloading.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/find-filtered-trace, <...>/find-filtered-trace.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/ftp, <...>/ftp) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/geoip-distance, <...>/geoip-distance.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/gre, <...>/gre) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/hash, <...>/hash) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/hash_hrw, <...>/hash_hrw.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/http, <...>/http) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/icmp, <...>/icmp) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/ieee802_11, <...>/ieee802_11) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/ieee802_11_radio, <...>/ieee802_11_radio) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/imap, <...>/imap) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/input, <...>/input) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/input.bif, <...>/input.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/intel, <...>/intel) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/ip, <...>/ip) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/iptunnel, <...>/iptunnel) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/irc, <...>/irc) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/krb, <...>/krb) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/linux_sll, <...>/linux_sll) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/logging, <...>/logging) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/logging.bif, <...>/logging.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/main, <...>/main.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/messaging.bif, <...>/messaging.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/modbus, <...>/modbus) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/mpls, <...>/mpls) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/mqtt, <...>/mqtt) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/mysql, <...>/mysql) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/netcontrol, <...>/netcontrol) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/nflog, <...>/nflog) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/notice, <...>/notice) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/ntlm, <...>/ntlm) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/ntp, <...>/ntp) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/null, <...>/null) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/numbers, <...>/numbers.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/openflow, <...>/openflow) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/option.bif, <...>/option.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/packet-filter, <...>/packet-filter) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/packet_analysis.bif, <...>/packet_analysis.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/paths, <...>/paths.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/patterns, <...>/patterns.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/pe, <...>/pe) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/plugins, <...>/plugins) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/pop3, <...>/pop3) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/ppp_serial, <...>/ppp_serial) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/pppoe, <...>/pppoe) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/queue, <...>/queue.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/radius, <...>/radius) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/rdp, <...>/rdp) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/removal-hooks, <...>/removal-hooks.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/reporter, <...>/reporter) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/reporter.bif, <...>/reporter.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/rfb, <...>/rfb) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/root, <...>/root) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/signatures, <...>/signatures) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/sip, <...>/sip) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/site, <...>/site.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/skip, <...>/skip) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/smb, <...>/smb) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/smtp, <...>/smtp) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/snmp, <...>/snmp) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/socks, <...>/socks) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/software, <...>/software) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/ssh, <...>/ssh) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/ssl, <...>/ssl) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/stats.bif, <...>/stats.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/store.bif, <...>/store.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/strings, <...>/strings.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/strings.bif, <...>/strings.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/sumstats, <...>/sumstats) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/supervisor, <...>/supervisor) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/supervisor.bif, <...>/supervisor.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/syslog, <...>/syslog) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/tcp, <...>/tcp) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/thresholds, <...>/thresholds.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/time, <...>/time.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/tunnels, <...>/tunnels) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/types.bif, <...>/types.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/udp, <...>/udp) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/urls, <...>/urls.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/utils, <...>/utils.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/version, <...>/version.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/vlan, <...>/vlan) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/vntag, <...>/vntag) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/weird, <...>/weird.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/x509, <...>/x509) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/xmpp, <...>/xmpp) -> -1
-0.000000   MetaHookPost  LoadFile(0, base<...>/zeek.bif, <...>/zeek.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, builtin-plugins/__load__.zeek, <...>/__load__.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, builtin-plugins/__preload__.zeek, <...>/__preload__.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(1, ./archive, <...>/archive.sig) -> -1
-0.000000   MetaHookPost  LoadFile(1, ./audio, <...>/audio.sig) -> -1
-0.000000   MetaHookPost  LoadFile(1, ./dpd.sig, <...>/dpd.sig) -> -1
-0.000000   MetaHookPost  LoadFile(1, ./executable, <...>/executable.sig) -> -1
-0.000000   MetaHookPost  LoadFile(1, ./font, <...>/font.sig) -> -1
-0.000000   MetaHookPost  LoadFile(1, ./general, <...>/general.sig) -> -1
-0.000000   MetaHookPost  LoadFile(1, ./image, <...>/image.sig) -> -1
-0.000000   MetaHookPost  LoadFile(1, ./java, <...>/java.sig) -> -1
-0.000000   MetaHookPost  LoadFile(1, ./libmagic, <...>/libmagic.sig) -> -1
-0.000000   MetaHookPost  LoadFile(1, ./office, <...>/office.sig) -> -1
-0.000000   MetaHookPost  LoadFile(1, ./programming, <...>/programming.sig) -> -1
-0.000000   MetaHookPost  LoadFile(1, ./video, <...>/video.sig) -> -1
-0.000000   MetaHookPost  LogInit(Log::WRITER_ASCII, default, true, true, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}) -> <void>
-0.000000   MetaHookPost  LogWrite(Log::WRITER_ASCII, default, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}, <void ptr>) -> true
-0.000000   MetaHookPost  QueueEvent(NetControl::init()) -> false
-0.000000   MetaHookPost  QueueEvent(NetControl::init_done()) -> false
-0.000000   MetaHookPost  QueueEvent(filter_change_tracking()) -> false
-0.000000   MetaHookPost  QueueEvent(zeek_init()) -> false
-0.000000   MetaHookPre   CallFunction(Analyzer::__disable_analyzer, <frame>, (Analyzer::ANALYZER_TCPSTATS))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_AYIYA, 5072/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DCE_RPC, 135/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DHCP, 4011/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DHCP, 67/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DHCP, 68/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DNP3_TCP, 20000/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DNP3_TCP, 20000/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DNS, 137/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DNS, 53/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DNS, 53/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DNS, 5353/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DNS, 5355/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DTLS, 443/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 21/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 2811/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_GENEVE, 6081/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_GTPV1, 2123/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_GTPV1, 2152/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 1080/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 3128/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 631/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 80/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 8000/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 8080/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 81/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 8888/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_IMAP, 143/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_IRC, 6666/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_IRC, 6667/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_IRC, 6668/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_IRC, 6669/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_KRB, 88/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_KRB_TCP, 88/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_MODBUS, 502/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_MYSQL, 1434/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_MYSQL, 3306/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_NTP, 123/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_RADIUS, 1812/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_RDP, 3389/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_RDPEUDP, 3389/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SIP, 5060/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SMB, 139/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SMB, 445/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SMTP, 25/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SMTP, 587/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SNMP, 161/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SNMP, 162/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SOCKS, 1080/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SSH, 22/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 443/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 5223/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 563/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 585/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 614/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 636/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 989/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 990/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 992/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 993/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 995/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SYSLOG, 514/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_TEREDO, 3544/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_VXLAN, 4789/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp))
-0.000000   MetaHookPre   CallFunction(Broker::__set_metrics_export_endpoint_name, <frame>, ())
-0.000000   MetaHookPre   CallFunction(Broker::__set_metrics_export_interval, <frame>, (1.0 sec))
-0.000000   MetaHookPre   CallFunction(Broker::__set_metrics_export_prefixes, <frame>, ([]))
-0.000000   MetaHookPre   CallFunction(Broker::__set_metrics_export_topic, <frame>, ())
-0.000000   MetaHookPre   CallFunction(Broker::__subscribe, <frame>, (zeek/supervisor))
-0.000000   MetaHookPre   CallFunction(Cluster::is_enabled, <frame>, ())
-0.000000   MetaHookPre   CallFunction(Cluster::is_enabled, <null>, ())
-0.000000   MetaHookPre   CallFunction(Cluster::local_node_type, <null>, ())
-0.000000   MetaHookPre   CallFunction(FilteredTraceDetection::should_detect, <null>, ())
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (Broker::LOG, [name=default, writer=Log::WRITER_ASCII, path=broker, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, path=cluster, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (Config::LOG, [name=default, writer=Log::WRITER_ASCII, path=config, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (Conn::LOG, [name=default, writer=Log::WRITER_ASCII, path=conn, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (DCE_RPC::LOG, [name=default, writer=Log::WRITER_ASCII, path=dce_rpc, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, path=dhcp, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (DNP3::LOG, [name=default, writer=Log::WRITER_ASCII, path=dnp3, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (DNS::LOG, [name=default, writer=Log::WRITER_ASCII, path=dns, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (DPD::LOG, [name=default, writer=Log::WRITER_ASCII, path=dpd, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (FTP::LOG, [name=default, writer=Log::WRITER_ASCII, path=ftp, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (Files::LOG, [name=default, writer=Log::WRITER_ASCII, path=files, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, path=http, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (IRC::LOG, [name=default, writer=Log::WRITER_ASCII, path=irc, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (Intel::LOG, [name=default, writer=Log::WRITER_ASCII, path=intel, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (KRB::LOG, [name=default, writer=Log::WRITER_ASCII, path=kerberos, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, path=modbus, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (NTLM::LOG, [name=default, writer=Log::WRITER_ASCII, path=ntlm, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (NTP::LOG, [name=default, writer=Log::WRITER_ASCII, path=ntp, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (NetControl::DROP_LOG, [name=default, writer=Log::WRITER_ASCII, path=netcontrol_drop, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (NetControl::LOG, [name=default, writer=Log::WRITER_ASCII, path=netcontrol, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (NetControl::SHUNT, [name=default, writer=Log::WRITER_ASCII, path=netcontrol_shunt, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, path=notice_alarm, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, path=notice, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (OCSP::LOG, [name=default, writer=Log::WRITER_ASCII, path=ocsp, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (OpenFlow::LOG, [name=default, writer=Log::WRITER_ASCII, path=openflow, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (PE::LOG, [name=default, writer=Log::WRITER_ASCII, path=pe, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, path=packet_filter, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, path=radius, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (RDP::LOG, [name=default, writer=Log::WRITER_ASCII, path=rdp, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (RFB::LOG, [name=default, writer=Log::WRITER_ASCII, path=rfb, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, path=reporter, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (SIP::LOG, [name=default, writer=Log::WRITER_ASCII, path=sip, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (SMB::FILES_LOG, [name=default, writer=Log::WRITER_ASCII, path=smb_files, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (SMB::MAPPING_LOG, [name=default, writer=Log::WRITER_ASCII, path=smb_mapping, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, path=smtp, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, path=snmp, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, path=socks, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (SSH::LOG, [name=default, writer=Log::WRITER_ASCII, path=ssh, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (SSL::LOG, [name=default, writer=Log::WRITER_ASCII, path=ssl, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (SSL::LOG, [name=default, writer=Log::WRITER_ASCII, path=ssl, path_func=<uninitialized>, include=<uninitialized>, exclude={issuer,client_subject,subject,client_issuer}, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (Signatures::LOG, [name=default, writer=Log::WRITER_ASCII, path=signatures, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (Software::LOG, [name=default, writer=Log::WRITER_ASCII, path=software, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, path=syslog, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, path=tunnel, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (Weird::LOG, [name=default, writer=Log::WRITER_ASCII, path=weird, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (X509::LOG, [name=default, writer=Log::WRITER_ASCII, path=x509, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (mysql::LOG, [name=default, writer=Log::WRITER_ASCII, path=mysql, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Broker::LOG, [columns=Broker::Info, ev=<uninitialized>, path=broker, policy=Broker::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Cluster::LOG, [columns=Cluster::Info, ev=<uninitialized>, path=cluster, policy=Cluster::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Config::LOG, [columns=Config::Info, ev=Config::log_config, path=config, policy=Config::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Conn::LOG, [columns=Conn::Info, ev=Conn::log_conn, path=conn, policy=Conn::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (DCE_RPC::LOG, [columns=DCE_RPC::Info, ev=<uninitialized>, path=dce_rpc, policy=DCE_RPC::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (DHCP::LOG, [columns=DHCP::Info, ev=DHCP::log_dhcp, path=dhcp, policy=DHCP::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (DNP3::LOG, [columns=DNP3::Info, ev=DNP3::log_dnp3, path=dnp3, policy=DNP3::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (DNS::LOG, [columns=DNS::Info, ev=DNS::log_dns, path=dns, policy=DNS::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (DPD::LOG, [columns=DPD::Info, ev=<uninitialized>, path=dpd, policy=DPD::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (FTP::LOG, [columns=FTP::Info, ev=FTP::log_ftp, path=ftp, policy=FTP::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files, policy=Files::log_policyZAM-code Files::log_policy ]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http, policy=HTTP::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (IRC::LOG, [columns=IRC::Info, ev=IRC::irc_log, path=irc, policy=IRC::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Intel::LOG, [columns=Intel::Info, ev=Intel::log_intel, path=intel, policy=Intel::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (KRB::LOG, [columns=KRB::Info, ev=KRB::log_krb, path=kerberos, policy=KRB::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Modbus::LOG, [columns=Modbus::Info, ev=Modbus::log_modbus, path=modbus, policy=Modbus::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (NTLM::LOG, [columns=NTLM::Info, ev=<uninitialized>, path=ntlm, policy=NTLM::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (NTP::LOG, [columns=NTP::Info, ev=NTP::log_ntp, path=ntp, policy=NTP::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (NetControl::DROP_LOG, [columns=NetControl::DropInfo, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop, policy=NetControl::log_policy_drop]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (NetControl::LOG, [columns=NetControl::Info, ev=NetControl::log_netcontrol, path=netcontrol, policy=NetControl::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (NetControl::SHUNT, [columns=NetControl::ShuntInfo, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt, policy=NetControl::log_policy_shunt]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Notice::ALARM_LOG, [columns=Notice::Info, ev=<uninitialized>, path=notice_alarm, policy=Notice::log_policy_alarm]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice, policy=Notice::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (OCSP::LOG, [columns=OCSP::Info, ev=OCSP::log_ocsp, path=ocsp, policy=OCSP::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (OpenFlow::LOG, [columns=OpenFlow::Info, ev=OpenFlow::log_openflow, path=openflow, policy=OpenFlow::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (PE::LOG, [columns=PE::Info, ev=PE::log_pe, path=pe, policy=PE::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (PacketFilter::LOG, [columns=PacketFilter::Info, ev=<uninitialized>, path=packet_filter, policy=PacketFilter::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (RADIUS::LOG, [columns=RADIUS::Info, ev=RADIUS::log_radius, path=radius, policy=RADIUS::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (RDP::LOG, [columns=RDP::Info, ev=RDP::log_rdp, path=rdp, policy=RDP::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (RFB::LOG, [columns=RFB::Info, ev=RFB::log_rfb, path=rfb, policy=RFB::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Reporter::LOG, [columns=Reporter::Info, ev=<uninitialized>, path=reporter, policy=Reporter::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (SIP::LOG, [columns=SIP::Info, ev=SIP::log_sip, path=sip, policy=SIP::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (SMB::FILES_LOG, [columns=SMB::FileInfo, ev=<uninitialized>, path=smb_files, policy=SMB::log_policy_files]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (SMB::MAPPING_LOG, [columns=SMB::TreeInfo, ev=<uninitialized>, path=smb_mapping, policy=SMB::log_policy_mapping]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (SMTP::LOG, [columns=SMTP::Info, ev=SMTP::log_smtp, path=smtp, policy=SMTP::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (SNMP::LOG, [columns=SNMP::Info, ev=SNMP::log_snmp, path=snmp, policy=SNMP::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (SOCKS::LOG, [columns=SOCKS::Info, ev=SOCKS::log_socks, path=socks, policy=SOCKS::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (SSH::LOG, [columns=SSH::Info, ev=SSH::log_ssh, path=ssh, policy=SSH::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (SSL::LOG, [columns=SSL::Info, ev=SSL::log_ssl, path=ssl, policy=SSL::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Signatures::LOG, [columns=Signatures::Info, ev=Signatures::log_signature, path=signatures, policy=Signatures::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Software::LOG, [columns=Software::Info, ev=Software::log_software, path=software, policy=Software::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Syslog::LOG, [columns=Syslog::Info, ev=<uninitialized>, path=syslog, policy=Syslog::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Tunnel::LOG, [columns=Tunnel::Info, ev=<uninitialized>, path=tunnel, policy=Tunnel::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509, policy=X509::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql, policy=MySQL::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::log_stream_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T], PacketFilter::LOG))
-0.000000   MetaHookPre   CallFunction(NetControl::init, <null>, ())
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (ActiveHTTP::default_max_time, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (ActiveHTTP::default_method, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Broker::metrics_export_endpoint_name, Broker::update_metrics_export_endpoint_nameZAM-code Broker::update_metrics_export_endpoint_name , 0))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Broker::metrics_export_endpoint_name, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Broker::metrics_export_interval, Broker::update_metrics_export_intervalZAM-code Broker::update_metrics_export_interval , 0))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Broker::metrics_export_interval, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Broker::metrics_export_prefixes, Broker::update_metrics_export_prefixesZAM-code Broker::update_metrics_export_prefixes , 0))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Broker::metrics_export_prefixes, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Broker::metrics_export_topic, Broker::update_metrics_export_topicZAM-code Broker::update_metrics_export_topic , 0))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Broker::metrics_export_topic, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Broker::peer_counts_as_iosource, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Conn::analyzer_inactivity_timeouts, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Conn::default_extract, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Conn::extraction_prefix, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Conn::port_inactivity_timeouts, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (DCE_RPC::ignored_operations, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (DHCP::max_txid_watch_time, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (DNS::max_pending_msgs, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (DNS::max_pending_query_ids, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (DPD::ignore_violations, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (DPD::ignore_violations_after, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (DPD::max_violations, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Dir::polling_interval, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (FTP::cmd_reply_code, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (FTP::default_capture_password, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (FTP::guest_ids, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (FTP::logged_commands, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (FileExtract::default_limit, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Files::enable_reassembler, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (GridFTP::max_time, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (GridFTP::size_threshold, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (GridFTP::skip_data, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (HTTP::default_capture_password, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (HTTP::http_methods, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (HTTP::max_files_orig, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (HTTP::max_files_resp, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (HTTP::proxy_headers, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Input::default_mode, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Input::default_reader, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (KRB::ignored_errors, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Log::default_rotation_dir, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (MQTT::max_payload_size, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (NetControl::default_priority, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Notice::alarmed_types, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Notice::default_suppression_interval, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Notice::emailed_types, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Notice::ignored_types, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Notice::lookup_location_types, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Notice::mail_from, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Notice::mail_page_dest, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Notice::mail_subject_prefix, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Notice::not_suppressed_types, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Notice::reply_to, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Notice::sendmail, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (RDP::disable_analyzer_after_detection, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (RDP::rdp_check_interval, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (SIP::sip_methods, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (SMB::logged_file_actions, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (SMTP::mail_path_capture, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (SOCKS::default_capture_password, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (SSH::compression_algorithms, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (SSH::disable_analyzer_after_detection, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (SSL::ct_logs, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (SSL::disable_analyzer_after_detection, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Signatures::ignored_ids, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Signatures::summary_interval, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Site::local_admins, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Site::local_nets, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Site::local_zones, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Site::neighbor_nets, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Site::neighbor_zones, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Site::private_address_space, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Software::asset_tracking, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Weird::ignore_hosts, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Weird::sampling_duration, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Weird::sampling_duration, Config::weird_option_change_intervalZAM-code Config::weird_option_change_interval , 5))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Weird::sampling_global_list, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Weird::sampling_rate, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Weird::sampling_rate, Config::weird_option_change_countZAM-code Config::weird_option_change_count , 5))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Weird::sampling_threshold, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Weird::sampling_threshold, Config::weird_option_change_countZAM-code Config::weird_option_change_count , 5))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Weird::sampling_whitelist, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Weird::sampling_whitelist, Config::weird_option_change_sampling_whitelistZAM-code Config::weird_option_change_sampling_whitelist , 5))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (Weird::weird_do_not_ignore_repeats, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (X509::caching_required_encounters, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (X509::caching_required_encounters_interval, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (X509::certificate_cache_max_entries, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (X509::certificate_cache_minimum_eviction_interval, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (X509::hash_function, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (X509::known_log_certs_maximum_size, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (X509::log_x509_in_files_log, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (X509::relog_known_certificates_after, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (default_file_bof_buffer_size, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (default_file_timeout_interval, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (ignore_checksums_nets, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (ignore_checksums_nets, PacketAnalyzer::IP::analyzer_option_change_ignore_checksums_netsZAM-code PacketAnalyzer::IP::analyzer_option_change_ignore_checksums_nets , 5))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (udp_content_delivery_ports_use_resp, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (udp_content_ports, Config::config_option_changedZAM-code Config::config_option_changed , -100))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 2048, PacketAnalyzer::ANALYZER_IP))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 2054, PacketAnalyzer::ANALYZER_ARP))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 32821, PacketAnalyzer::ANALYZER_ARP))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 33024, PacketAnalyzer::ANALYZER_VLAN))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 34525, PacketAnalyzer::ANALYZER_IP))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 34887, PacketAnalyzer::ANALYZER_MPLS))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 34916, PacketAnalyzer::ANALYZER_PPPOE))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 34984, PacketAnalyzer::ANALYZER_VLAN))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 35110, PacketAnalyzer::ANALYZER_VNTAG))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 37120, PacketAnalyzer::ANALYZER_VLAN))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IEEE802_11, 2048, PacketAnalyzer::ANALYZER_IP))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IEEE802_11, 2054, PacketAnalyzer::ANALYZER_ARP))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IEEE802_11, 32821, PacketAnalyzer::ANALYZER_ARP))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IEEE802_11, 34525, PacketAnalyzer::ANALYZER_IP))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IEEE802_11_RADIO, 105, PacketAnalyzer::ANALYZER_IEEE802_11))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IP, 1, PacketAnalyzer::ANALYZER_ICMP))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IP, 17, PacketAnalyzer::ANALYZER_UDP))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IP, 4, PacketAnalyzer::ANALYZER_IPTUNNEL))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IP, 41, PacketAnalyzer::ANALYZER_IPTUNNEL))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IP, 47, PacketAnalyzer::ANALYZER_GRE))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IP, 58, PacketAnalyzer::ANALYZER_ICMP))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IP, 6, PacketAnalyzer::ANALYZER_TCP))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_LINUXSLL, 2048, PacketAnalyzer::ANALYZER_IP))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_LINUXSLL, 2054, PacketAnalyzer::ANALYZER_ARP))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_LINUXSLL, 32821, PacketAnalyzer::ANALYZER_ARP))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_LINUXSLL, 34525, PacketAnalyzer::ANALYZER_IP))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_NFLOG, 10, PacketAnalyzer::ANALYZER_IP))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_NFLOG, 2, PacketAnalyzer::ANALYZER_IP))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_NULL, 2, PacketAnalyzer::ANALYZER_IP))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_NULL, 24, PacketAnalyzer::ANALYZER_IP))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_NULL, 28, PacketAnalyzer::ANALYZER_IP))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_NULL, 30, PacketAnalyzer::ANALYZER_IP))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_PPPOE, 33, PacketAnalyzer::ANALYZER_IP))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_PPPOE, 87, PacketAnalyzer::ANALYZER_IP))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_PPPSERIAL, 33, PacketAnalyzer::ANALYZER_IP))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_PPPSERIAL, 641, PacketAnalyzer::ANALYZER_MPLS))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_PPPSERIAL, 87, PacketAnalyzer::ANALYZER_IP))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 0, PacketAnalyzer::ANALYZER_NULL))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 1, PacketAnalyzer::ANALYZER_ETHERNET))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 10, PacketAnalyzer::ANALYZER_FDDI))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 105, PacketAnalyzer::ANALYZER_IEEE802_11))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 113, PacketAnalyzer::ANALYZER_LINUXSLL))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 2048, PacketAnalyzer::ANALYZER_IP))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 2054, PacketAnalyzer::ANALYZER_ARP))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 32821, PacketAnalyzer::ANALYZER_ARP))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 33024, PacketAnalyzer::ANALYZER_VLAN))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 34525, PacketAnalyzer::ANALYZER_IP))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 34887, PacketAnalyzer::ANALYZER_MPLS))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 34916, PacketAnalyzer::ANALYZER_PPPOE))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 33024, PacketAnalyzer::ANALYZER_VLAN))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 34984, PacketAnalyzer::ANALYZER_VLAN))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 37120, PacketAnalyzer::ANALYZER_VLAN))
-0.000000   MetaHookPre   CallFunction(PacketFilter::log_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T], PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, path=packet_filter, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-0.000000   MetaHookPre   CallFunction(Pcap::install_pcap_filter, <frame>, (PacketFilter::DefaultPcapFilter))
-0.000000   MetaHookPre   CallFunction(Pcap::precompile_pcap_filter, <frame>, (PacketFilter::DefaultPcapFilter, ip or not ip))
-0.000000   MetaHookPre   CallFunction(SumStats::register_observe_plugins, <frame>, ())
-0.000000   MetaHookPre   CallFunction(Supervisor::__is_supervisor, <frame>, ())
-0.000000   MetaHookPre   CallFunction(__init_primary_bifs, <null>, ())
-0.000000   MetaHookPre   CallFunction(__init_secondary_bifs, <null>, ())
-0.000000   MetaHookPre   CallFunction(filter_change_tracking, <null>, ())
-0.000000   MetaHookPre   CallFunction(getenv, <null>, (CLUSTER_NODE))
-0.000000   MetaHookPre   CallFunction(getenv, <null>, (ZEEK_DEFAULT_LISTEN_ADDRESS))
-0.000000   MetaHookPre   CallFunction(global_ids, <frame>, ())
-0.000000   MetaHookPre   CallFunction(string_to_pattern, <frame>, ((^\.?|\.)()$, F))
-0.000000   MetaHookPre   CallFunction(sub, <frame>, ((^\.?|\.)(~~)$, <...>/, ))
-0.000000   MetaHookPre   CallFunction(x509_set_certificate_cache, <frame>, ({}))
-0.000000   MetaHookPre   CallFunction(x509_set_certificate_cache_hit_callback, <frame>, (X509::x509_certificate_cache_replayZAM-code X509::x509_certificate_cache_replay ))
-0.000000   MetaHookPre   CallFunction(zeek_args, <frame>, ())
-0.000000   MetaHookPre   CallFunction(zeek_init, <null>, ())
-0.000000   MetaHookPre   DrainEvents()
-0.000000   MetaHookPre   LoadFile(0, ../main, <...>/main.zeek)
-0.000000   MetaHookPre   LoadFile(0, ../plugin, <...>/plugin.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./CPP-load.bif.zeek, <...>/CPP-load.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_ARP.events.bif.zeek, <...>/Zeek_ARP.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_AsciiReader.ascii.bif.zeek, <...>/Zeek_AsciiReader.ascii.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_AsciiWriter.ascii.bif.zeek, <...>/Zeek_AsciiWriter.ascii.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_BenchmarkReader.benchmark.bif.zeek, <...>/Zeek_BenchmarkReader.benchmark.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_BinaryReader.binary.bif.zeek, <...>/Zeek_BinaryReader.binary.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_BitTorrent.events.bif.zeek, <...>/Zeek_BitTorrent.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_ConfigReader.config.bif.zeek, <...>/Zeek_ConfigReader.config.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_ConnSize.events.bif.zeek, <...>/Zeek_ConnSize.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_ConnSize.functions.bif.zeek, <...>/Zeek_ConnSize.functions.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_DCE_RPC.consts.bif.zeek, <...>/Zeek_DCE_RPC.consts.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_DCE_RPC.events.bif.zeek, <...>/Zeek_DCE_RPC.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_DCE_RPC.types.bif.zeek, <...>/Zeek_DCE_RPC.types.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_DHCP.events.bif.zeek, <...>/Zeek_DHCP.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_DHCP.types.bif.zeek, <...>/Zeek_DHCP.types.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_DNP3.events.bif.zeek, <...>/Zeek_DNP3.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_DNS.events.bif.zeek, <...>/Zeek_DNS.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_FTP.events.bif.zeek, <...>/Zeek_FTP.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_FTP.functions.bif.zeek, <...>/Zeek_FTP.functions.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_File.events.bif.zeek, <...>/Zeek_File.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_FileEntropy.events.bif.zeek, <...>/Zeek_FileEntropy.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_FileExtract.events.bif.zeek, <...>/Zeek_FileExtract.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_FileExtract.functions.bif.zeek, <...>/Zeek_FileExtract.functions.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_FileHash.events.bif.zeek, <...>/Zeek_FileHash.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_Finger.events.bif.zeek, <...>/Zeek_Finger.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_GSSAPI.events.bif.zeek, <...>/Zeek_GSSAPI.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_GTPv1.events.bif.zeek, <...>/Zeek_GTPv1.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_Geneve.events.bif.zeek, <...>/Zeek_Geneve.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_Gnutella.events.bif.zeek, <...>/Zeek_Gnutella.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_HTTP.events.bif.zeek, <...>/Zeek_HTTP.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_HTTP.functions.bif.zeek, <...>/Zeek_HTTP.functions.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_ICMP.events.bif.zeek, <...>/Zeek_ICMP.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_IMAP.events.bif.zeek, <...>/Zeek_IMAP.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_IRC.events.bif.zeek, <...>/Zeek_IRC.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_Ident.events.bif.zeek, <...>/Zeek_Ident.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_KRB.events.bif.zeek, <...>/Zeek_KRB.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_KRB.types.bif.zeek, <...>/Zeek_KRB.types.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_Login.events.bif.zeek, <...>/Zeek_Login.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_Login.functions.bif.zeek, <...>/Zeek_Login.functions.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_MIME.events.bif.zeek, <...>/Zeek_MIME.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_MQTT.events.bif.zeek, <...>/Zeek_MQTT.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_MQTT.types.bif.zeek, <...>/Zeek_MQTT.types.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_Modbus.events.bif.zeek, <...>/Zeek_Modbus.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_MySQL.events.bif.zeek, <...>/Zeek_MySQL.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_NCP.consts.bif.zeek, <...>/Zeek_NCP.consts.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_NCP.events.bif.zeek, <...>/Zeek_NCP.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_NTLM.events.bif.zeek, <...>/Zeek_NTLM.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_NTLM.types.bif.zeek, <...>/Zeek_NTLM.types.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_NTP.events.bif.zeek, <...>/Zeek_NTP.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_NTP.types.bif.zeek, <...>/Zeek_NTP.types.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_NetBIOS.events.bif.zeek, <...>/Zeek_NetBIOS.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_NetBIOS.functions.bif.zeek, <...>/Zeek_NetBIOS.functions.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_NoneWriter.none.bif.zeek, <...>/Zeek_NoneWriter.none.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_PE.events.bif.zeek, <...>/Zeek_PE.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_POP3.events.bif.zeek, <...>/Zeek_POP3.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_RADIUS.events.bif.zeek, <...>/Zeek_RADIUS.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_RDP.events.bif.zeek, <...>/Zeek_RDP.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_RDP.types.bif.zeek, <...>/Zeek_RDP.types.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_RFB.events.bif.zeek, <...>/Zeek_RFB.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_RPC.events.bif.zeek, <...>/Zeek_RPC.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_RawReader.raw.bif.zeek, <...>/Zeek_RawReader.raw.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SIP.events.bif.zeek, <...>/Zeek_SIP.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SMB.consts.bif.zeek, <...>/Zeek_SMB.consts.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SMB.events.bif.zeek, <...>/Zeek_SMB.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SMB.smb1_com_check_directory.bif.zeek, <...>/Zeek_SMB.smb1_com_check_directory.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SMB.smb1_com_close.bif.zeek, <...>/Zeek_SMB.smb1_com_close.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SMB.smb1_com_create_directory.bif.zeek, <...>/Zeek_SMB.smb1_com_create_directory.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SMB.smb1_com_echo.bif.zeek, <...>/Zeek_SMB.smb1_com_echo.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SMB.smb1_com_logoff_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_logoff_andx.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SMB.smb1_com_negotiate.bif.zeek, <...>/Zeek_SMB.smb1_com_negotiate.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SMB.smb1_com_nt_cancel.bif.zeek, <...>/Zeek_SMB.smb1_com_nt_cancel.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SMB.smb1_com_nt_create_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_nt_create_andx.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SMB.smb1_com_query_information.bif.zeek, <...>/Zeek_SMB.smb1_com_query_information.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SMB.smb1_com_read_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_read_andx.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SMB.smb1_com_session_setup_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_session_setup_andx.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SMB.smb1_com_transaction.bif.zeek, <...>/Zeek_SMB.smb1_com_transaction.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SMB.smb1_com_transaction2.bif.zeek, <...>/Zeek_SMB.smb1_com_transaction2.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek, <...>/Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SMB.smb1_com_transaction_secondary.bif.zeek, <...>/Zeek_SMB.smb1_com_transaction_secondary.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SMB.smb1_com_tree_disconnect.bif.zeek, <...>/Zeek_SMB.smb1_com_tree_disconnect.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SMB.smb1_com_write_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_write_andx.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SMB.smb1_events.bif.zeek, <...>/Zeek_SMB.smb1_events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SMB.smb2_com_close.bif.zeek, <...>/Zeek_SMB.smb2_com_close.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SMB.smb2_com_create.bif.zeek, <...>/Zeek_SMB.smb2_com_create.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SMB.smb2_com_negotiate.bif.zeek, <...>/Zeek_SMB.smb2_com_negotiate.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SMB.smb2_com_read.bif.zeek, <...>/Zeek_SMB.smb2_com_read.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SMB.smb2_com_session_setup.bif.zeek, <...>/Zeek_SMB.smb2_com_session_setup.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SMB.smb2_com_set_info.bif.zeek, <...>/Zeek_SMB.smb2_com_set_info.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SMB.smb2_com_transform_header.bif.zeek, <...>/Zeek_SMB.smb2_com_transform_header.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SMB.smb2_com_tree_connect.bif.zeek, <...>/Zeek_SMB.smb2_com_tree_connect.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SMB.smb2_com_tree_disconnect.bif.zeek, <...>/Zeek_SMB.smb2_com_tree_disconnect.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SMB.smb2_com_write.bif.zeek, <...>/Zeek_SMB.smb2_com_write.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SMB.smb2_events.bif.zeek, <...>/Zeek_SMB.smb2_events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SMB.types.bif.zeek, <...>/Zeek_SMB.types.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SMTP.events.bif.zeek, <...>/Zeek_SMTP.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SMTP.functions.bif.zeek, <...>/Zeek_SMTP.functions.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SNMP.events.bif.zeek, <...>/Zeek_SNMP.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SNMP.types.bif.zeek, <...>/Zeek_SNMP.types.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SOCKS.events.bif.zeek, <...>/Zeek_SOCKS.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SQLiteReader.sqlite.bif.zeek, <...>/Zeek_SQLiteReader.sqlite.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SQLiteWriter.sqlite.bif.zeek, <...>/Zeek_SQLiteWriter.sqlite.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SSH.events.bif.zeek, <...>/Zeek_SSH.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SSH.types.bif.zeek, <...>/Zeek_SSH.types.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SSL.consts.bif.zeek, <...>/Zeek_SSL.consts.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SSL.events.bif.zeek, <...>/Zeek_SSL.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SSL.functions.bif.zeek, <...>/Zeek_SSL.functions.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SSL.types.bif.zeek, <...>/Zeek_SSL.types.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_Syslog.events.bif.zeek, <...>/Zeek_Syslog.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_TCP.events.bif.zeek, <...>/Zeek_TCP.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_Teredo.events.bif.zeek, <...>/Zeek_Teredo.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_UDP.events.bif.zeek, <...>/Zeek_UDP.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_Unified2.events.bif.zeek, <...>/Zeek_Unified2.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_Unified2.types.bif.zeek, <...>/Zeek_Unified2.types.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_VXLAN.events.bif.zeek, <...>/Zeek_VXLAN.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_X509.events.bif.zeek, <...>/Zeek_X509.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_X509.functions.bif.zeek, <...>/Zeek_X509.functions.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_X509.ocsp_events.bif.zeek, <...>/Zeek_X509.ocsp_events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_X509.types.bif.zeek, <...>/Zeek_X509.types.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_XMPP.events.bif.zeek, <...>/Zeek_XMPP.events.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./acld, <...>/acld.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./addrs, <...>/addrs.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./analyzer.bif.zeek, <...>/analyzer.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./api, <...>/api.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./average, <...>/average.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./bloom-filter.bif.zeek, <...>/bloom-filter.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./broker, <...>/broker.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./cardinality-counter.bif.zeek, <...>/cardinality-counter.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./certificate-event-cache, <...>/certificate-event-cache.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./comm.bif.zeek, <...>/comm.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./const-dos-error, <...>/const-dos-error.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./const-nt-status, <...>/const-nt-status.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./const.bif.zeek, <...>/const.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./consts, <...>/consts.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./contents, <...>/contents.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./control, <...>/control.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./ct-list, <...>/ct-list.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./data.bif.zeek, <...>/data.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./dcc-send, <...>/dcc-send.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./debug, <...>/debug.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./drop, <...>/drop.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./entities, <...>/entities.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./event.bif.zeek, <...>/event.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./exec, <...>/exec.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./file_analysis.bif.zeek, <...>/file_analysis.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./files, <...>/files.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./gridftp, <...>/gridftp.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./hll_unique, <...>/hll_unique.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./hooks.bif.zeek, <...>/hooks.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./inactivity, <...>/inactivity.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./info, <...>/info.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./input, <...>/input.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./input.bif.zeek, <...>/input.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./last, <...>/last.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./log, <...>/log.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./log-ocsp, <...>/log-ocsp.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./logging.bif.zeek, <...>/logging.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./magic, <...>/magic)
-0.000000   MetaHookPre   LoadFile(0, ./main, <...>/main.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./max, <...>/max.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./messaging.bif.zeek, <...>/messaging.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./min, <...>/min.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./mozilla-ca-list, <...>/mozilla-ca-list.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./netstats, <...>/netstats.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./non-cluster, <...>/non-cluster.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./openflow, <...>/openflow.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./option.bif.zeek, <...>/option.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./packet_analysis.bif.zeek, <...>/packet_analysis.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./packetfilter, <...>/packetfilter.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./patterns, <...>/patterns.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./pcap.bif.zeek, <...>/pcap.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./plugin, <...>/plugin.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./plugins, <...>/plugins)
-0.000000   MetaHookPre   LoadFile(0, ./polling, <...>/polling.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./pools, <...>/pools.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./postprocessors, <...>/postprocessors)
-0.000000   MetaHookPre   LoadFile(0, ./removal-hooks, <...>/removal-hooks.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./reporter.bif.zeek, <...>/reporter.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./ryu, <...>/ryu.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./sample, <...>/sample.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./scp, <...>/scp.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./sftp, <...>/sftp.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./shunt, <...>/shunt.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./site, <...>/site.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./smb1-main, <...>/smb1-main.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./smb2-main, <...>/smb2-main.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./stats.bif.zeek, <...>/stats.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./std-dev, <...>/std-dev.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./store, <...>/store.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./store.bif.zeek, <...>/store.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./strings.bif.zeek, <...>/strings.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./sum, <...>/sum.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./supervisor.bif.zeek, <...>/supervisor.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./telemetry.bif.zeek, <...>/telemetry.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./thresholds, <...>/thresholds.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./top-k.bif.zeek, <...>/top-k.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./topk, <...>/topk.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./types, <...>/types.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./types.bif.zeek, <...>/types.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./unique, <...>/unique.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./utils, <...>/utils.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./utils-commands, <...>/utils-commands.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./variance, <...>/variance.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./weird, <...>/weird.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./zeek.bif.zeek, <...>/zeek.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./zeekygen.bif.zeek, <...>/zeekygen.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/add-geodata, <...>/add-geodata.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/ascii, <...>/ascii.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/benchmark, <...>/benchmark.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/binary, <...>/binary.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/config, <...>/config.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/email_admin, <...>/email_admin.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/none, <...>/none.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/page, <...>/page.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/pp-alarms, <...>/pp-alarms.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/raw, <...>/raw.zeek)
-0.000000   MetaHookPre   LoadFile(0, .<...>/sqlite, <...>/sqlite.zeek)
-0.000000   MetaHookPre   LoadFile(0, <...>/__load__.zeek, <...>/__load__.zeek)
-0.000000   MetaHookPre   LoadFile(0, <...>/__preload__.zeek, <...>/__preload__.zeek)
-0.000000   MetaHookPre   LoadFile(0, <...>/hooks.zeek, <...>/hooks.zeek)
-0.000000   MetaHookPre   LoadFile(0, base/bif, <...>/bif)
-0.000000   MetaHookPre   LoadFile(0, base/init-default, <...>/init-default.zeek)
-0.000000   MetaHookPre   LoadFile(0, base/init-frameworks-and-bifs.zeek, <...>/init-frameworks-and-bifs.zeek)
-0.000000   MetaHookPre   LoadFile(0, base/packet-protocols, <...>/packet-protocols)
-0.000000   MetaHookPre   LoadFile(0, base<...>/CPP-load.bif, <...>/CPP-load.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/Zeek_KRB.types.bif, <...>/Zeek_KRB.types.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/Zeek_SNMP.types.bif, <...>/Zeek_SNMP.types.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/active-http, <...>/active-http.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/addrs, <...>/addrs.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/analyzer, <...>/analyzer)
-0.000000   MetaHookPre   LoadFile(0, base<...>/analyzer.bif, <...>/analyzer.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/api, <...>/api.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/backtrace, <...>/backtrace.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/broker, <...>/broker)
-0.000000   MetaHookPre   LoadFile(0, base<...>/cluster, <...>/cluster)
-0.000000   MetaHookPre   LoadFile(0, base<...>/comm.bif, <...>/comm.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/config, <...>/config)
-0.000000   MetaHookPre   LoadFile(0, base<...>/conn, <...>/conn)
-0.000000   MetaHookPre   LoadFile(0, base<...>/conn-ids, <...>/conn-ids.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/const.bif, <...>/const.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/control, <...>/control)
-0.000000   MetaHookPre   LoadFile(0, base<...>/data.bif, <...>/data.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/dce-rpc, <...>/dce-rpc)
-0.000000   MetaHookPre   LoadFile(0, base<...>/dhcp, <...>/dhcp)
-0.000000   MetaHookPre   LoadFile(0, base<...>/dir, <...>/dir.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/directions-and-hosts, <...>/directions-and-hosts.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/dnp3, <...>/dnp3)
-0.000000   MetaHookPre   LoadFile(0, base<...>/dns, <...>/dns)
-0.000000   MetaHookPre   LoadFile(0, base<...>/dpd, <...>/dpd)
-0.000000   MetaHookPre   LoadFile(0, base<...>/email, <...>/email.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/ethernet, <...>/ethernet)
-0.000000   MetaHookPre   LoadFile(0, base<...>/event.bif, <...>/event.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/exec, <...>/exec.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/extract, <...>/extract)
-0.000000   MetaHookPre   LoadFile(0, base<...>/fddi, <...>/fddi)
-0.000000   MetaHookPre   LoadFile(0, base<...>/file_analysis.bif, <...>/file_analysis.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/files, <...>/files)
-0.000000   MetaHookPre   LoadFile(0, base<...>/files, <...>/files.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/find-checksum-offloading, <...>/find-checksum-offloading.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/find-filtered-trace, <...>/find-filtered-trace.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/ftp, <...>/ftp)
-0.000000   MetaHookPre   LoadFile(0, base<...>/geoip-distance, <...>/geoip-distance.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/gre, <...>/gre)
-0.000000   MetaHookPre   LoadFile(0, base<...>/hash, <...>/hash)
-0.000000   MetaHookPre   LoadFile(0, base<...>/hash_hrw, <...>/hash_hrw.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/http, <...>/http)
-0.000000   MetaHookPre   LoadFile(0, base<...>/icmp, <...>/icmp)
-0.000000   MetaHookPre   LoadFile(0, base<...>/ieee802_11, <...>/ieee802_11)
-0.000000   MetaHookPre   LoadFile(0, base<...>/ieee802_11_radio, <...>/ieee802_11_radio)
-0.000000   MetaHookPre   LoadFile(0, base<...>/imap, <...>/imap)
-0.000000   MetaHookPre   LoadFile(0, base<...>/input, <...>/input)
-0.000000   MetaHookPre   LoadFile(0, base<...>/input.bif, <...>/input.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/intel, <...>/intel)
-0.000000   MetaHookPre   LoadFile(0, base<...>/ip, <...>/ip)
-0.000000   MetaHookPre   LoadFile(0, base<...>/iptunnel, <...>/iptunnel)
-0.000000   MetaHookPre   LoadFile(0, base<...>/irc, <...>/irc)
-0.000000   MetaHookPre   LoadFile(0, base<...>/krb, <...>/krb)
-0.000000   MetaHookPre   LoadFile(0, base<...>/linux_sll, <...>/linux_sll)
-0.000000   MetaHookPre   LoadFile(0, base<...>/logging, <...>/logging)
-0.000000   MetaHookPre   LoadFile(0, base<...>/logging.bif, <...>/logging.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/main, <...>/main.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/messaging.bif, <...>/messaging.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/modbus, <...>/modbus)
-0.000000   MetaHookPre   LoadFile(0, base<...>/mpls, <...>/mpls)
-0.000000   MetaHookPre   LoadFile(0, base<...>/mqtt, <...>/mqtt)
-0.000000   MetaHookPre   LoadFile(0, base<...>/mysql, <...>/mysql)
-0.000000   MetaHookPre   LoadFile(0, base<...>/netcontrol, <...>/netcontrol)
-0.000000   MetaHookPre   LoadFile(0, base<...>/nflog, <...>/nflog)
-0.000000   MetaHookPre   LoadFile(0, base<...>/notice, <...>/notice)
-0.000000   MetaHookPre   LoadFile(0, base<...>/ntlm, <...>/ntlm)
-0.000000   MetaHookPre   LoadFile(0, base<...>/ntp, <...>/ntp)
-0.000000   MetaHookPre   LoadFile(0, base<...>/null, <...>/null)
-0.000000   MetaHookPre   LoadFile(0, base<...>/numbers, <...>/numbers.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/openflow, <...>/openflow)
-0.000000   MetaHookPre   LoadFile(0, base<...>/option.bif, <...>/option.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/packet-filter, <...>/packet-filter)
-0.000000   MetaHookPre   LoadFile(0, base<...>/packet_analysis.bif, <...>/packet_analysis.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/paths, <...>/paths.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/patterns, <...>/patterns.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/pe, <...>/pe)
-0.000000   MetaHookPre   LoadFile(0, base<...>/plugins, <...>/plugins)
-0.000000   MetaHookPre   LoadFile(0, base<...>/pop3, <...>/pop3)
-0.000000   MetaHookPre   LoadFile(0, base<...>/ppp_serial, <...>/ppp_serial)
-0.000000   MetaHookPre   LoadFile(0, base<...>/pppoe, <...>/pppoe)
-0.000000   MetaHookPre   LoadFile(0, base<...>/queue, <...>/queue.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/radius, <...>/radius)
-0.000000   MetaHookPre   LoadFile(0, base<...>/rdp, <...>/rdp)
-0.000000   MetaHookPre   LoadFile(0, base<...>/removal-hooks, <...>/removal-hooks.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/reporter, <...>/reporter)
-0.000000   MetaHookPre   LoadFile(0, base<...>/reporter.bif, <...>/reporter.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/rfb, <...>/rfb)
-0.000000   MetaHookPre   LoadFile(0, base<...>/root, <...>/root)
-0.000000   MetaHookPre   LoadFile(0, base<...>/signatures, <...>/signatures)
-0.000000   MetaHookPre   LoadFile(0, base<...>/sip, <...>/sip)
-0.000000   MetaHookPre   LoadFile(0, base<...>/site, <...>/site.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/skip, <...>/skip)
-0.000000   MetaHookPre   LoadFile(0, base<...>/smb, <...>/smb)
-0.000000   MetaHookPre   LoadFile(0, base<...>/smtp, <...>/smtp)
-0.000000   MetaHookPre   LoadFile(0, base<...>/snmp, <...>/snmp)
-0.000000   MetaHookPre   LoadFile(0, base<...>/socks, <...>/socks)
-0.000000   MetaHookPre   LoadFile(0, base<...>/software, <...>/software)
-0.000000   MetaHookPre   LoadFile(0, base<...>/ssh, <...>/ssh)
-0.000000   MetaHookPre   LoadFile(0, base<...>/ssl, <...>/ssl)
-0.000000   MetaHookPre   LoadFile(0, base<...>/stats.bif, <...>/stats.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/store.bif, <...>/store.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/strings, <...>/strings.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/strings.bif, <...>/strings.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/sumstats, <...>/sumstats)
-0.000000   MetaHookPre   LoadFile(0, base<...>/supervisor, <...>/supervisor)
-0.000000   MetaHookPre   LoadFile(0, base<...>/supervisor.bif, <...>/supervisor.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/syslog, <...>/syslog)
-0.000000   MetaHookPre   LoadFile(0, base<...>/tcp, <...>/tcp)
-0.000000   MetaHookPre   LoadFile(0, base<...>/thresholds, <...>/thresholds.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/time, <...>/time.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/tunnels, <...>/tunnels)
-0.000000   MetaHookPre   LoadFile(0, base<...>/types.bif, <...>/types.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/udp, <...>/udp)
-0.000000   MetaHookPre   LoadFile(0, base<...>/urls, <...>/urls.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/utils, <...>/utils.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/version, <...>/version.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/vlan, <...>/vlan)
-0.000000   MetaHookPre   LoadFile(0, base<...>/vntag, <...>/vntag)
-0.000000   MetaHookPre   LoadFile(0, base<...>/weird, <...>/weird.zeek)
-0.000000   MetaHookPre   LoadFile(0, base<...>/x509, <...>/x509)
-0.000000   MetaHookPre   LoadFile(0, base<...>/xmpp, <...>/xmpp)
-0.000000   MetaHookPre   LoadFile(0, base<...>/zeek.bif, <...>/zeek.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, builtin-plugins/__load__.zeek, <...>/__load__.zeek)
-0.000000   MetaHookPre   LoadFile(0, builtin-plugins/__preload__.zeek, <...>/__preload__.zeek)
-0.000000   MetaHookPre   LoadFile(1, ./archive, <...>/archive.sig)
-0.000000   MetaHookPre   LoadFile(1, ./audio, <...>/audio.sig)
-0.000000   MetaHookPre   LoadFile(1, ./dpd.sig, <...>/dpd.sig)
-0.000000   MetaHookPre   LoadFile(1, ./executable, <...>/executable.sig)
-0.000000   MetaHookPre   LoadFile(1, ./font, <...>/font.sig)
-0.000000   MetaHookPre   LoadFile(1, ./general, <...>/general.sig)
-0.000000   MetaHookPre   LoadFile(1, ./image, <...>/image.sig)
-0.000000   MetaHookPre   LoadFile(1, ./java, <...>/java.sig)
-0.000000   MetaHookPre   LoadFile(1, ./libmagic, <...>/libmagic.sig)
-0.000000   MetaHookPre   LoadFile(1, ./office, <...>/office.sig)
-0.000000   MetaHookPre   LoadFile(1, ./programming, <...>/programming.sig)
-0.000000   MetaHookPre   LoadFile(1, ./video, <...>/video.sig)
-0.000000   MetaHookPre   LogInit(Log::WRITER_ASCII, default, true, true, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)})
-0.000000   MetaHookPre   LogWrite(Log::WRITER_ASCII, default, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}, <void ptr>)
-0.000000   MetaHookPre   QueueEvent(NetControl::init())
-0.000000   MetaHookPre   QueueEvent(NetControl::init_done())
-0.000000   MetaHookPre   QueueEvent(filter_change_tracking())
-0.000000   MetaHookPre   QueueEvent(zeek_init())
-0.000000 | HookCallFunction Analyzer::__disable_analyzer(Analyzer::ANALYZER_TCPSTATS)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_AYIYA, 5072/udp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DCE_RPC, 135/tcp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DHCP, 4011/udp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DHCP, 67/udp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DHCP, 68/udp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DNP3_TCP, 20000/tcp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DNP3_TCP, 20000/udp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DNS, 137/udp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DNS, 53/tcp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DNS, 53/udp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DNS, 5353/udp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DNS, 5355/udp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DTLS, 443/udp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_FTP, 21/tcp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_FTP, 2811/tcp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_GENEVE, 6081/udp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_GTPV1, 2123/udp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_GTPV1, 2152/udp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_HTTP, 1080/tcp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_HTTP, 3128/tcp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_HTTP, 631/tcp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_HTTP, 80/tcp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_HTTP, 8000/tcp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_HTTP, 8080/tcp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_HTTP, 81/tcp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_HTTP, 8888/tcp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_IMAP, 143/tcp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_IRC, 6666/tcp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_IRC, 6667/tcp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_IRC, 6668/tcp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_IRC, 6669/tcp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_KRB, 88/udp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_KRB_TCP, 88/tcp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_MODBUS, 502/tcp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_MYSQL, 1434/tcp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_MYSQL, 3306/tcp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_NTP, 123/udp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_RADIUS, 1812/udp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_RDP, 3389/tcp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_RDPEUDP, 3389/udp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SIP, 5060/udp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SMB, 139/tcp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SMB, 445/tcp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SMTP, 25/tcp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SMTP, 587/tcp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SNMP, 161/udp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SNMP, 162/udp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SOCKS, 1080/tcp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SSH, 22/tcp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SSL, 443/tcp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SSL, 5223/tcp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SSL, 563/tcp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SSL, 585/tcp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SSL, 614/tcp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SSL, 636/tcp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SSL, 989/tcp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SSL, 990/tcp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SSL, 992/tcp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SSL, 993/tcp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SSL, 995/tcp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SYSLOG, 514/udp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_TEREDO, 3544/udp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_VXLAN, 4789/udp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5222/tcp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5269/tcp)
-0.000000 | HookCallFunction Broker::__set_metrics_export_endpoint_name()
-0.000000 | HookCallFunction Broker::__set_metrics_export_interval(1.0 sec)
-0.000000 | HookCallFunction Broker::__set_metrics_export_prefixes([])
-0.000000 | HookCallFunction Broker::__set_metrics_export_topic()
-0.000000 | HookCallFunction Broker::__subscribe(zeek/supervisor)
-0.000000 | HookCallFunction Cluster::is_enabled()
-0.000000 | HookCallFunction Cluster::local_node_type()
-0.000000 | HookCallFunction FilteredTraceDetection::should_detect()
-0.000000 | HookCallFunction Log::__add_filter(Broker::LOG, [name=default, writer=Log::WRITER_ASCII, path=broker, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__add_filter(Cluster::LOG, [name=default, writer=Log::WRITER_ASCII, path=cluster, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__add_filter(Config::LOG, [name=default, writer=Log::WRITER_ASCII, path=config, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__add_filter(Conn::LOG, [name=default, writer=Log::WRITER_ASCII, path=conn, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__add_filter(DCE_RPC::LOG, [name=default, writer=Log::WRITER_ASCII, path=dce_rpc, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__add_filter(DHCP::LOG, [name=default, writer=Log::WRITER_ASCII, path=dhcp, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__add_filter(DNP3::LOG, [name=default, writer=Log::WRITER_ASCII, path=dnp3, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__add_filter(DNS::LOG, [name=default, writer=Log::WRITER_ASCII, path=dns, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__add_filter(DPD::LOG, [name=default, writer=Log::WRITER_ASCII, path=dpd, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__add_filter(FTP::LOG, [name=default, writer=Log::WRITER_ASCII, path=ftp, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__add_filter(Files::LOG, [name=default, writer=Log::WRITER_ASCII, path=files, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__add_filter(HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, path=http, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__add_filter(IRC::LOG, [name=default, writer=Log::WRITER_ASCII, path=irc, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__add_filter(Intel::LOG, [name=default, writer=Log::WRITER_ASCII, path=intel, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__add_filter(KRB::LOG, [name=default, writer=Log::WRITER_ASCII, path=kerberos, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__add_filter(Modbus::LOG, [name=default, writer=Log::WRITER_ASCII, path=modbus, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__add_filter(NTLM::LOG, [name=default, writer=Log::WRITER_ASCII, path=ntlm, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__add_filter(NTP::LOG, [name=default, writer=Log::WRITER_ASCII, path=ntp, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__add_filter(NetControl::DROP_LOG, [name=default, writer=Log::WRITER_ASCII, path=netcontrol_drop, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__add_filter(NetControl::LOG, [name=default, writer=Log::WRITER_ASCII, path=netcontrol, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__add_filter(NetControl::SHUNT, [name=default, writer=Log::WRITER_ASCII, path=netcontrol_shunt, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__add_filter(Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, path=notice_alarm, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__add_filter(Notice::LOG, [name=default, writer=Log::WRITER_ASCII, path=notice, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__add_filter(OCSP::LOG, [name=default, writer=Log::WRITER_ASCII, path=ocsp, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__add_filter(OpenFlow::LOG, [name=default, writer=Log::WRITER_ASCII, path=openflow, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__add_filter(PE::LOG, [name=default, writer=Log::WRITER_ASCII, path=pe, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__add_filter(PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, path=packet_filter, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__add_filter(RADIUS::LOG, [name=default, writer=Log::WRITER_ASCII, path=radius, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__add_filter(RDP::LOG, [name=default, writer=Log::WRITER_ASCII, path=rdp, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__add_filter(RFB::LOG, [name=default, writer=Log::WRITER_ASCII, path=rfb, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__add_filter(Reporter::LOG, [name=default, writer=Log::WRITER_ASCII, path=reporter, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__add_filter(SIP::LOG, [name=default, writer=Log::WRITER_ASCII, path=sip, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__add_filter(SMB::FILES_LOG, [name=default, writer=Log::WRITER_ASCII, path=smb_files, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__add_filter(SMB::MAPPING_LOG, [name=default, writer=Log::WRITER_ASCII, path=smb_mapping, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__add_filter(SMTP::LOG, [name=default, writer=Log::WRITER_ASCII, path=smtp, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__add_filter(SNMP::LOG, [name=default, writer=Log::WRITER_ASCII, path=snmp, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__add_filter(SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, path=socks, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__add_filter(SSH::LOG, [name=default, writer=Log::WRITER_ASCII, path=ssh, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__add_filter(SSL::LOG, [name=default, writer=Log::WRITER_ASCII, path=ssl, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__add_filter(SSL::LOG, [name=default, writer=Log::WRITER_ASCII, path=ssl, path_func=<uninitialized>, include=<uninitialized>, exclude={issuer,client_subject,subject,client_issuer}, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__add_filter(Signatures::LOG, [name=default, writer=Log::WRITER_ASCII, path=signatures, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__add_filter(Software::LOG, [name=default, writer=Log::WRITER_ASCII, path=software, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__add_filter(Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, path=syslog, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__add_filter(Tunnel::LOG, [name=default, writer=Log::WRITER_ASCII, path=tunnel, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__add_filter(Weird::LOG, [name=default, writer=Log::WRITER_ASCII, path=weird, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__add_filter(X509::LOG, [name=default, writer=Log::WRITER_ASCII, path=x509, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__add_filter(mysql::LOG, [name=default, writer=Log::WRITER_ASCII, path=mysql, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Log::__create_stream(Broker::LOG, [columns=Broker::Info, ev=<uninitialized>, path=broker, policy=Broker::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(Cluster::LOG, [columns=Cluster::Info, ev=<uninitialized>, path=cluster, policy=Cluster::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(Config::LOG, [columns=Config::Info, ev=Config::log_config, path=config, policy=Config::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(Conn::LOG, [columns=Conn::Info, ev=Conn::log_conn, path=conn, policy=Conn::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(DCE_RPC::LOG, [columns=DCE_RPC::Info, ev=<uninitialized>, path=dce_rpc, policy=DCE_RPC::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(DHCP::LOG, [columns=DHCP::Info, ev=DHCP::log_dhcp, path=dhcp, policy=DHCP::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(DNP3::LOG, [columns=DNP3::Info, ev=DNP3::log_dnp3, path=dnp3, policy=DNP3::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(DNS::LOG, [columns=DNS::Info, ev=DNS::log_dns, path=dns, policy=DNS::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(DPD::LOG, [columns=DPD::Info, ev=<uninitialized>, path=dpd, policy=DPD::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(FTP::LOG, [columns=FTP::Info, ev=FTP::log_ftp, path=ftp, policy=FTP::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files, policy=Files::log_policyZAM-code Files::log_policy ])
-0.000000 | HookCallFunction Log::__create_stream(HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http, policy=HTTP::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(IRC::LOG, [columns=IRC::Info, ev=IRC::irc_log, path=irc, policy=IRC::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(Intel::LOG, [columns=Intel::Info, ev=Intel::log_intel, path=intel, policy=Intel::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(KRB::LOG, [columns=KRB::Info, ev=KRB::log_krb, path=kerberos, policy=KRB::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(Modbus::LOG, [columns=Modbus::Info, ev=Modbus::log_modbus, path=modbus, policy=Modbus::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(NTLM::LOG, [columns=NTLM::Info, ev=<uninitialized>, path=ntlm, policy=NTLM::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(NTP::LOG, [columns=NTP::Info, ev=NTP::log_ntp, path=ntp, policy=NTP::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(NetControl::DROP_LOG, [columns=NetControl::DropInfo, ev=NetControl::log_netcontrol_drop, path=netcontrol_drop, policy=NetControl::log_policy_drop])
-0.000000 | HookCallFunction Log::__create_stream(NetControl::LOG, [columns=NetControl::Info, ev=NetControl::log_netcontrol, path=netcontrol, policy=NetControl::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(NetControl::SHUNT, [columns=NetControl::ShuntInfo, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt, policy=NetControl::log_policy_shunt])
-0.000000 | HookCallFunction Log::__create_stream(Notice::ALARM_LOG, [columns=Notice::Info, ev=<uninitialized>, path=notice_alarm, policy=Notice::log_policy_alarm])
-0.000000 | HookCallFunction Log::__create_stream(Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice, policy=Notice::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(OCSP::LOG, [columns=OCSP::Info, ev=OCSP::log_ocsp, path=ocsp, policy=OCSP::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(OpenFlow::LOG, [columns=OpenFlow::Info, ev=OpenFlow::log_openflow, path=openflow, policy=OpenFlow::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(PE::LOG, [columns=PE::Info, ev=PE::log_pe, path=pe, policy=PE::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(PacketFilter::LOG, [columns=PacketFilter::Info, ev=<uninitialized>, path=packet_filter, policy=PacketFilter::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(RADIUS::LOG, [columns=RADIUS::Info, ev=RADIUS::log_radius, path=radius, policy=RADIUS::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(RDP::LOG, [columns=RDP::Info, ev=RDP::log_rdp, path=rdp, policy=RDP::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(RFB::LOG, [columns=RFB::Info, ev=RFB::log_rfb, path=rfb, policy=RFB::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(Reporter::LOG, [columns=Reporter::Info, ev=<uninitialized>, path=reporter, policy=Reporter::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(SIP::LOG, [columns=SIP::Info, ev=SIP::log_sip, path=sip, policy=SIP::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(SMB::FILES_LOG, [columns=SMB::FileInfo, ev=<uninitialized>, path=smb_files, policy=SMB::log_policy_files])
-0.000000 | HookCallFunction Log::__create_stream(SMB::MAPPING_LOG, [columns=SMB::TreeInfo, ev=<uninitialized>, path=smb_mapping, policy=SMB::log_policy_mapping])
-0.000000 | HookCallFunction Log::__create_stream(SMTP::LOG, [columns=SMTP::Info, ev=SMTP::log_smtp, path=smtp, policy=SMTP::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(SNMP::LOG, [columns=SNMP::Info, ev=SNMP::log_snmp, path=snmp, policy=SNMP::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(SOCKS::LOG, [columns=SOCKS::Info, ev=SOCKS::log_socks, path=socks, policy=SOCKS::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(SSH::LOG, [columns=SSH::Info, ev=SSH::log_ssh, path=ssh, policy=SSH::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(SSL::LOG, [columns=SSL::Info, ev=SSL::log_ssl, path=ssl, policy=SSL::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(Signatures::LOG, [columns=Signatures::Info, ev=Signatures::log_signature, path=signatures, policy=Signatures::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(Software::LOG, [columns=Software::Info, ev=Software::log_software, path=software, policy=Software::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(Syslog::LOG, [columns=Syslog::Info, ev=<uninitialized>, path=syslog, policy=Syslog::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(Tunnel::LOG, [columns=Tunnel::Info, ev=<uninitialized>, path=tunnel, policy=Tunnel::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509, policy=X509::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql, policy=MySQL::log_policy])
-0.000000 | HookCallFunction Log::log_stream_policy([ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T], PacketFilter::LOG)
-0.000000 | HookCallFunction NetControl::init()
-0.000000 | HookCallFunction Option::set_change_handler(ActiveHTTP::default_max_time, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(ActiveHTTP::default_method, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(Broker::metrics_export_endpoint_name, Broker::update_metrics_export_endpoint_nameZAM-code Broker::update_metrics_export_endpoint_name , 0)
-0.000000 | HookCallFunction Option::set_change_handler(Broker::metrics_export_endpoint_name, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(Broker::metrics_export_interval, Broker::update_metrics_export_intervalZAM-code Broker::update_metrics_export_interval , 0)
-0.000000 | HookCallFunction Option::set_change_handler(Broker::metrics_export_interval, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(Broker::metrics_export_prefixes, Broker::update_metrics_export_prefixesZAM-code Broker::update_metrics_export_prefixes , 0)
-0.000000 | HookCallFunction Option::set_change_handler(Broker::metrics_export_prefixes, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(Broker::metrics_export_topic, Broker::update_metrics_export_topicZAM-code Broker::update_metrics_export_topic , 0)
-0.000000 | HookCallFunction Option::set_change_handler(Broker::metrics_export_topic, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(Broker::peer_counts_as_iosource, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(Conn::analyzer_inactivity_timeouts, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(Conn::default_extract, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(Conn::extraction_prefix, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(Conn::port_inactivity_timeouts, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(DCE_RPC::ignored_operations, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(DHCP::max_txid_watch_time, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(DNS::max_pending_msgs, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(DNS::max_pending_query_ids, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(DPD::ignore_violations, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(DPD::ignore_violations_after, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(DPD::max_violations, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(Dir::polling_interval, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(FTP::cmd_reply_code, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(FTP::default_capture_password, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(FTP::guest_ids, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(FTP::logged_commands, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(FileExtract::default_limit, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(Files::enable_reassembler, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(GridFTP::max_time, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(GridFTP::size_threshold, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(GridFTP::skip_data, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(HTTP::default_capture_password, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(HTTP::http_methods, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(HTTP::max_files_orig, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(HTTP::max_files_resp, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(HTTP::proxy_headers, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(Input::default_mode, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(Input::default_reader, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(KRB::ignored_errors, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(Log::default_rotation_dir, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(MQTT::max_payload_size, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(NetControl::default_priority, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(Notice::alarmed_types, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(Notice::default_suppression_interval, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(Notice::emailed_types, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(Notice::ignored_types, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(Notice::lookup_location_types, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(Notice::mail_from, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(Notice::mail_page_dest, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(Notice::mail_subject_prefix, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(Notice::not_suppressed_types, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(Notice::reply_to, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(Notice::sendmail, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(RDP::disable_analyzer_after_detection, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(RDP::rdp_check_interval, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(SIP::sip_methods, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(SMB::logged_file_actions, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(SMTP::mail_path_capture, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(SOCKS::default_capture_password, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(SSH::compression_algorithms, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(SSH::disable_analyzer_after_detection, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(SSL::ct_logs, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(SSL::disable_analyzer_after_detection, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(Signatures::ignored_ids, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(Signatures::summary_interval, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(Site::local_admins, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(Site::local_nets, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(Site::local_zones, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(Site::neighbor_nets, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(Site::neighbor_zones, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(Site::private_address_space, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(Software::asset_tracking, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(Weird::ignore_hosts, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(Weird::sampling_duration, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(Weird::sampling_duration, Config::weird_option_change_intervalZAM-code Config::weird_option_change_interval , 5)
-0.000000 | HookCallFunction Option::set_change_handler(Weird::sampling_global_list, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(Weird::sampling_rate, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(Weird::sampling_rate, Config::weird_option_change_countZAM-code Config::weird_option_change_count , 5)
-0.000000 | HookCallFunction Option::set_change_handler(Weird::sampling_threshold, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(Weird::sampling_threshold, Config::weird_option_change_countZAM-code Config::weird_option_change_count , 5)
-0.000000 | HookCallFunction Option::set_change_handler(Weird::sampling_whitelist, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(Weird::sampling_whitelist, Config::weird_option_change_sampling_whitelistZAM-code Config::weird_option_change_sampling_whitelist , 5)
-0.000000 | HookCallFunction Option::set_change_handler(Weird::weird_do_not_ignore_repeats, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(X509::caching_required_encounters, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(X509::caching_required_encounters_interval, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(X509::certificate_cache_max_entries, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(X509::certificate_cache_minimum_eviction_interval, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(X509::hash_function, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(X509::known_log_certs_maximum_size, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(X509::log_x509_in_files_log, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(X509::relog_known_certificates_after, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(default_file_bof_buffer_size, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(default_file_timeout_interval, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(ignore_checksums_nets, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(ignore_checksums_nets, PacketAnalyzer::IP::analyzer_option_change_ignore_checksums_netsZAM-code PacketAnalyzer::IP::analyzer_option_change_ignore_checksums_nets , 5)
-0.000000 | HookCallFunction Option::set_change_handler(udp_content_delivery_ports_use_resp, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction Option::set_change_handler(udp_content_ports, Config::config_option_changedZAM-code Config::config_option_changed , -100)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 2048, PacketAnalyzer::ANALYZER_IP)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 2054, PacketAnalyzer::ANALYZER_ARP)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 32821, PacketAnalyzer::ANALYZER_ARP)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 33024, PacketAnalyzer::ANALYZER_VLAN)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 34525, PacketAnalyzer::ANALYZER_IP)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 34887, PacketAnalyzer::ANALYZER_MPLS)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 34916, PacketAnalyzer::ANALYZER_PPPOE)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 34984, PacketAnalyzer::ANALYZER_VLAN)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 35110, PacketAnalyzer::ANALYZER_VNTAG)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 37120, PacketAnalyzer::ANALYZER_VLAN)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IEEE802_11, 2048, PacketAnalyzer::ANALYZER_IP)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IEEE802_11, 2054, PacketAnalyzer::ANALYZER_ARP)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IEEE802_11, 32821, PacketAnalyzer::ANALYZER_ARP)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IEEE802_11, 34525, PacketAnalyzer::ANALYZER_IP)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IEEE802_11_RADIO, 105, PacketAnalyzer::ANALYZER_IEEE802_11)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IP, 1, PacketAnalyzer::ANALYZER_ICMP)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IP, 17, PacketAnalyzer::ANALYZER_UDP)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IP, 4, PacketAnalyzer::ANALYZER_IPTUNNEL)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IP, 41, PacketAnalyzer::ANALYZER_IPTUNNEL)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IP, 47, PacketAnalyzer::ANALYZER_GRE)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IP, 58, PacketAnalyzer::ANALYZER_ICMP)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IP, 6, PacketAnalyzer::ANALYZER_TCP)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL, 2048, PacketAnalyzer::ANALYZER_IP)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL, 2054, PacketAnalyzer::ANALYZER_ARP)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL, 32821, PacketAnalyzer::ANALYZER_ARP)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_LINUXSLL, 34525, PacketAnalyzer::ANALYZER_IP)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_NFLOG, 10, PacketAnalyzer::ANALYZER_IP)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_NFLOG, 2, PacketAnalyzer::ANALYZER_IP)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_NULL, 2, PacketAnalyzer::ANALYZER_IP)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_NULL, 24, PacketAnalyzer::ANALYZER_IP)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_NULL, 28, PacketAnalyzer::ANALYZER_IP)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_NULL, 30, PacketAnalyzer::ANALYZER_IP)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_PPPOE, 33, PacketAnalyzer::ANALYZER_IP)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_PPPOE, 87, PacketAnalyzer::ANALYZER_IP)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_PPPSERIAL, 33, PacketAnalyzer::ANALYZER_IP)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_PPPSERIAL, 641, PacketAnalyzer::ANALYZER_MPLS)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_PPPSERIAL, 87, PacketAnalyzer::ANALYZER_IP)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 0, PacketAnalyzer::ANALYZER_NULL)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 1, PacketAnalyzer::ANALYZER_ETHERNET)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 10, PacketAnalyzer::ANALYZER_FDDI)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 105, PacketAnalyzer::ANALYZER_IEEE802_11)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 113, PacketAnalyzer::ANALYZER_LINUXSLL)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 2048, PacketAnalyzer::ANALYZER_IP)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 2054, PacketAnalyzer::ANALYZER_ARP)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 32821, PacketAnalyzer::ANALYZER_ARP)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 33024, PacketAnalyzer::ANALYZER_VLAN)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 34525, PacketAnalyzer::ANALYZER_IP)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 34887, PacketAnalyzer::ANALYZER_MPLS)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 34916, PacketAnalyzer::ANALYZER_PPPOE)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VNTAG, 33024, PacketAnalyzer::ANALYZER_VLAN)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VNTAG, 34984, PacketAnalyzer::ANALYZER_VLAN)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VNTAG, 37120, PacketAnalyzer::ANALYZER_VLAN)
-0.000000 | HookCallFunction PacketFilter::log_policy([ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T], PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, path=packet_filter, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-0.000000 | HookCallFunction Pcap::install_pcap_filter(PacketFilter::DefaultPcapFilter)
-0.000000 | HookCallFunction Pcap::precompile_pcap_filter(PacketFilter::DefaultPcapFilter, ip or not ip)
-0.000000 | HookCallFunction SumStats::register_observe_plugins()
-0.000000 | HookCallFunction Supervisor::__is_supervisor()
-0.000000 | HookCallFunction __init_primary_bifs()
-0.000000 | HookCallFunction __init_secondary_bifs()
-0.000000 | HookCallFunction filter_change_tracking()
-0.000000 | HookCallFunction getenv(CLUSTER_NODE)
-0.000000 | HookCallFunction getenv(ZEEK_DEFAULT_LISTEN_ADDRESS)
-0.000000 | HookCallFunction global_ids()
-0.000000 | HookCallFunction string_to_pattern((^\.?|\.)()$, F)
-0.000000 | HookCallFunction sub((^\.?|\.)(~~)$, <...>/, )
-0.000000 | HookCallFunction x509_set_certificate_cache({})
-0.000000 | HookCallFunction x509_set_certificate_cache_hit_callback(X509::x509_certificate_cache_replayZAM-code X509::x509_certificate_cache_replay )
-0.000000 | HookCallFunction zeek_args()
-0.000000 | HookCallFunction zeek_init()
-0.000000 | HookDrainEvents
-0.000000 | HookLoadFile  ../main <...>/main.zeek
-0.000000 | HookLoadFile  ../plugin <...>/plugin.zeek
-0.000000 | HookLoadFile  ./CPP-load.bif.zeek <...>/CPP-load.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_ARP.events.bif.zeek <...>/Zeek_ARP.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_AsciiReader.ascii.bif.zeek <...>/Zeek_AsciiReader.ascii.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_AsciiWriter.ascii.bif.zeek <...>/Zeek_AsciiWriter.ascii.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_BenchmarkReader.benchmark.bif.zeek <...>/Zeek_BenchmarkReader.benchmark.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_BinaryReader.binary.bif.zeek <...>/Zeek_BinaryReader.binary.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_BitTorrent.events.bif.zeek <...>/Zeek_BitTorrent.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_ConfigReader.config.bif.zeek <...>/Zeek_ConfigReader.config.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_ConnSize.events.bif.zeek <...>/Zeek_ConnSize.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_ConnSize.functions.bif.zeek <...>/Zeek_ConnSize.functions.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_DCE_RPC.consts.bif.zeek <...>/Zeek_DCE_RPC.consts.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_DCE_RPC.events.bif.zeek <...>/Zeek_DCE_RPC.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_DCE_RPC.types.bif.zeek <...>/Zeek_DCE_RPC.types.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_DHCP.events.bif.zeek <...>/Zeek_DHCP.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_DHCP.types.bif.zeek <...>/Zeek_DHCP.types.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_DNP3.events.bif.zeek <...>/Zeek_DNP3.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_DNS.events.bif.zeek <...>/Zeek_DNS.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_FTP.events.bif.zeek <...>/Zeek_FTP.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_FTP.functions.bif.zeek <...>/Zeek_FTP.functions.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_File.events.bif.zeek <...>/Zeek_File.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_FileEntropy.events.bif.zeek <...>/Zeek_FileEntropy.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_FileExtract.events.bif.zeek <...>/Zeek_FileExtract.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_FileExtract.functions.bif.zeek <...>/Zeek_FileExtract.functions.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_FileHash.events.bif.zeek <...>/Zeek_FileHash.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_Finger.events.bif.zeek <...>/Zeek_Finger.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_GSSAPI.events.bif.zeek <...>/Zeek_GSSAPI.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_GTPv1.events.bif.zeek <...>/Zeek_GTPv1.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_Geneve.events.bif.zeek <...>/Zeek_Geneve.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_Gnutella.events.bif.zeek <...>/Zeek_Gnutella.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_HTTP.events.bif.zeek <...>/Zeek_HTTP.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_HTTP.functions.bif.zeek <...>/Zeek_HTTP.functions.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_ICMP.events.bif.zeek <...>/Zeek_ICMP.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_IMAP.events.bif.zeek <...>/Zeek_IMAP.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_IRC.events.bif.zeek <...>/Zeek_IRC.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_Ident.events.bif.zeek <...>/Zeek_Ident.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_KRB.events.bif.zeek <...>/Zeek_KRB.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_KRB.types.bif.zeek <...>/Zeek_KRB.types.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_Login.events.bif.zeek <...>/Zeek_Login.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_Login.functions.bif.zeek <...>/Zeek_Login.functions.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_MIME.events.bif.zeek <...>/Zeek_MIME.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_MQTT.events.bif.zeek <...>/Zeek_MQTT.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_MQTT.types.bif.zeek <...>/Zeek_MQTT.types.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_Modbus.events.bif.zeek <...>/Zeek_Modbus.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_MySQL.events.bif.zeek <...>/Zeek_MySQL.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_NCP.consts.bif.zeek <...>/Zeek_NCP.consts.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_NCP.events.bif.zeek <...>/Zeek_NCP.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_NTLM.events.bif.zeek <...>/Zeek_NTLM.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_NTLM.types.bif.zeek <...>/Zeek_NTLM.types.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_NTP.events.bif.zeek <...>/Zeek_NTP.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_NTP.types.bif.zeek <...>/Zeek_NTP.types.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_NetBIOS.events.bif.zeek <...>/Zeek_NetBIOS.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_NetBIOS.functions.bif.zeek <...>/Zeek_NetBIOS.functions.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_NoneWriter.none.bif.zeek <...>/Zeek_NoneWriter.none.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_PE.events.bif.zeek <...>/Zeek_PE.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_POP3.events.bif.zeek <...>/Zeek_POP3.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_RADIUS.events.bif.zeek <...>/Zeek_RADIUS.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_RDP.events.bif.zeek <...>/Zeek_RDP.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_RDP.types.bif.zeek <...>/Zeek_RDP.types.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_RFB.events.bif.zeek <...>/Zeek_RFB.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_RPC.events.bif.zeek <...>/Zeek_RPC.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_RawReader.raw.bif.zeek <...>/Zeek_RawReader.raw.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SIP.events.bif.zeek <...>/Zeek_SIP.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SMB.consts.bif.zeek <...>/Zeek_SMB.consts.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SMB.events.bif.zeek <...>/Zeek_SMB.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SMB.smb1_com_check_directory.bif.zeek <...>/Zeek_SMB.smb1_com_check_directory.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SMB.smb1_com_close.bif.zeek <...>/Zeek_SMB.smb1_com_close.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SMB.smb1_com_create_directory.bif.zeek <...>/Zeek_SMB.smb1_com_create_directory.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SMB.smb1_com_echo.bif.zeek <...>/Zeek_SMB.smb1_com_echo.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SMB.smb1_com_logoff_andx.bif.zeek <...>/Zeek_SMB.smb1_com_logoff_andx.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SMB.smb1_com_negotiate.bif.zeek <...>/Zeek_SMB.smb1_com_negotiate.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SMB.smb1_com_nt_cancel.bif.zeek <...>/Zeek_SMB.smb1_com_nt_cancel.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SMB.smb1_com_nt_create_andx.bif.zeek <...>/Zeek_SMB.smb1_com_nt_create_andx.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SMB.smb1_com_query_information.bif.zeek <...>/Zeek_SMB.smb1_com_query_information.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SMB.smb1_com_read_andx.bif.zeek <...>/Zeek_SMB.smb1_com_read_andx.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SMB.smb1_com_session_setup_andx.bif.zeek <...>/Zeek_SMB.smb1_com_session_setup_andx.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SMB.smb1_com_transaction.bif.zeek <...>/Zeek_SMB.smb1_com_transaction.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SMB.smb1_com_transaction2.bif.zeek <...>/Zeek_SMB.smb1_com_transaction2.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek <...>/Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SMB.smb1_com_transaction_secondary.bif.zeek <...>/Zeek_SMB.smb1_com_transaction_secondary.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek <...>/Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SMB.smb1_com_tree_disconnect.bif.zeek <...>/Zeek_SMB.smb1_com_tree_disconnect.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SMB.smb1_com_write_andx.bif.zeek <...>/Zeek_SMB.smb1_com_write_andx.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SMB.smb1_events.bif.zeek <...>/Zeek_SMB.smb1_events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SMB.smb2_com_close.bif.zeek <...>/Zeek_SMB.smb2_com_close.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SMB.smb2_com_create.bif.zeek <...>/Zeek_SMB.smb2_com_create.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SMB.smb2_com_negotiate.bif.zeek <...>/Zeek_SMB.smb2_com_negotiate.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SMB.smb2_com_read.bif.zeek <...>/Zeek_SMB.smb2_com_read.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SMB.smb2_com_session_setup.bif.zeek <...>/Zeek_SMB.smb2_com_session_setup.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SMB.smb2_com_set_info.bif.zeek <...>/Zeek_SMB.smb2_com_set_info.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SMB.smb2_com_transform_header.bif.zeek <...>/Zeek_SMB.smb2_com_transform_header.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SMB.smb2_com_tree_connect.bif.zeek <...>/Zeek_SMB.smb2_com_tree_connect.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SMB.smb2_com_tree_disconnect.bif.zeek <...>/Zeek_SMB.smb2_com_tree_disconnect.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SMB.smb2_com_write.bif.zeek <...>/Zeek_SMB.smb2_com_write.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SMB.smb2_events.bif.zeek <...>/Zeek_SMB.smb2_events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SMB.types.bif.zeek <...>/Zeek_SMB.types.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SMTP.events.bif.zeek <...>/Zeek_SMTP.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SMTP.functions.bif.zeek <...>/Zeek_SMTP.functions.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SNMP.events.bif.zeek <...>/Zeek_SNMP.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SNMP.types.bif.zeek <...>/Zeek_SNMP.types.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SOCKS.events.bif.zeek <...>/Zeek_SOCKS.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SQLiteReader.sqlite.bif.zeek <...>/Zeek_SQLiteReader.sqlite.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SQLiteWriter.sqlite.bif.zeek <...>/Zeek_SQLiteWriter.sqlite.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SSH.events.bif.zeek <...>/Zeek_SSH.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SSH.types.bif.zeek <...>/Zeek_SSH.types.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SSL.consts.bif.zeek <...>/Zeek_SSL.consts.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SSL.events.bif.zeek <...>/Zeek_SSL.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SSL.functions.bif.zeek <...>/Zeek_SSL.functions.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SSL.types.bif.zeek <...>/Zeek_SSL.types.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_Syslog.events.bif.zeek <...>/Zeek_Syslog.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_TCP.events.bif.zeek <...>/Zeek_TCP.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_TCP.functions.bif.zeek <...>/Zeek_TCP.functions.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_TCP.types.bif.zeek <...>/Zeek_TCP.types.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_Teredo.events.bif.zeek <...>/Zeek_Teredo.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_UDP.events.bif.zeek <...>/Zeek_UDP.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_Unified2.events.bif.zeek <...>/Zeek_Unified2.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_Unified2.types.bif.zeek <...>/Zeek_Unified2.types.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_VXLAN.events.bif.zeek <...>/Zeek_VXLAN.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_X509.events.bif.zeek <...>/Zeek_X509.events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_X509.functions.bif.zeek <...>/Zeek_X509.functions.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_X509.ocsp_events.bif.zeek <...>/Zeek_X509.ocsp_events.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_X509.types.bif.zeek <...>/Zeek_X509.types.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_XMPP.events.bif.zeek <...>/Zeek_XMPP.events.bif.zeek
-0.000000 | HookLoadFile  ./acld <...>/acld.zeek
-0.000000 | HookLoadFile  ./addrs <...>/addrs.zeek
-0.000000 | HookLoadFile  ./analyzer.bif.zeek <...>/analyzer.bif.zeek
-0.000000 | HookLoadFile  ./api <...>/api.zeek
-0.000000 | HookLoadFile  ./archive <...>/archive.sig
-0.000000 | HookLoadFile  ./audio <...>/audio.sig
-0.000000 | HookLoadFile  ./average <...>/average.zeek
-0.000000 | HookLoadFile  ./bloom-filter.bif.zeek <...>/bloom-filter.bif.zeek
-0.000000 | HookLoadFile  ./broker <...>/broker.zeek
-0.000000 | HookLoadFile  ./cardinality-counter.bif.zeek <...>/cardinality-counter.bif.zeek
-0.000000 | HookLoadFile  ./certificate-event-cache <...>/certificate-event-cache.zeek
-0.000000 | HookLoadFile  ./comm.bif.zeek <...>/comm.bif.zeek
-0.000000 | HookLoadFile  ./const-dos-error <...>/const-dos-error.zeek
-0.000000 | HookLoadFile  ./const-nt-status <...>/const-nt-status.zeek
-0.000000 | HookLoadFile  ./const.bif.zeek <...>/const.bif.zeek
-0.000000 | HookLoadFile  ./consts <...>/consts.zeek
-0.000000 | HookLoadFile  ./contents <...>/contents.zeek
-0.000000 | HookLoadFile  ./control <...>/control.zeek
-0.000000 | HookLoadFile  ./ct-list <...>/ct-list.zeek
-0.000000 | HookLoadFile  ./data.bif.zeek <...>/data.bif.zeek
-0.000000 | HookLoadFile  ./dcc-send <...>/dcc-send.zeek
-0.000000 | HookLoadFile  ./debug <...>/debug.zeek
-0.000000 | HookLoadFile  ./dpd.sig <...>/dpd.sig
-0.000000 | HookLoadFile  ./drop <...>/drop.zeek
-0.000000 | HookLoadFile  ./entities <...>/entities.zeek
-0.000000 | HookLoadFile  ./event.bif.zeek <...>/event.bif.zeek
-0.000000 | HookLoadFile  ./exec <...>/exec.zeek
-0.000000 | HookLoadFile  ./executable <...>/executable.sig
-0.000000 | HookLoadFile  ./file_analysis.bif.zeek <...>/file_analysis.bif.zeek
-0.000000 | HookLoadFile  ./files <...>/files.zeek
-0.000000 | HookLoadFile  ./font <...>/font.sig
-0.000000 | HookLoadFile  ./general <...>/general.sig
-0.000000 | HookLoadFile  ./gridftp <...>/gridftp.zeek
-0.000000 | HookLoadFile  ./hll_unique <...>/hll_unique.zeek
-0.000000 | HookLoadFile  ./hooks.bif.zeek <...>/hooks.bif.zeek
-0.000000 | HookLoadFile  ./image <...>/image.sig
-0.000000 | HookLoadFile  ./inactivity <...>/inactivity.zeek
-0.000000 | HookLoadFile  ./info <...>/info.zeek
-0.000000 | HookLoadFile  ./input <...>/input.zeek
-0.000000 | HookLoadFile  ./input.bif.zeek <...>/input.bif.zeek
-0.000000 | HookLoadFile  ./java <...>/java.sig
-0.000000 | HookLoadFile  ./last <...>/last.zeek
-0.000000 | HookLoadFile  ./libmagic <...>/libmagic.sig
-0.000000 | HookLoadFile  ./log <...>/log.zeek
-0.000000 | HookLoadFile  ./log-ocsp <...>/log-ocsp.zeek
-0.000000 | HookLoadFile  ./logging.bif.zeek <...>/logging.bif.zeek
-0.000000 | HookLoadFile  ./magic <...>/magic
-0.000000 | HookLoadFile  ./main <...>/main.zeek
-0.000000 | HookLoadFile  ./max <...>/max.zeek
-0.000000 | HookLoadFile  ./messaging.bif.zeek <...>/messaging.bif.zeek
-0.000000 | HookLoadFile  ./min <...>/min.zeek
-0.000000 | HookLoadFile  ./mozilla-ca-list <...>/mozilla-ca-list.zeek
-0.000000 | HookLoadFile  ./netstats <...>/netstats.zeek
-0.000000 | HookLoadFile  ./non-cluster <...>/non-cluster.zeek
-0.000000 | HookLoadFile  ./office <...>/office.sig
-0.000000 | HookLoadFile  ./openflow <...>/openflow.zeek
-0.000000 | HookLoadFile  ./option.bif.zeek <...>/option.bif.zeek
-0.000000 | HookLoadFile  ./packet_analysis.bif.zeek <...>/packet_analysis.bif.zeek
-0.000000 | HookLoadFile  ./packetfilter <...>/packetfilter.zeek
-0.000000 | HookLoadFile  ./patterns <...>/patterns.zeek
-0.000000 | HookLoadFile  ./pcap.bif.zeek <...>/pcap.bif.zeek
-0.000000 | HookLoadFile  ./plugin <...>/plugin.zeek
-0.000000 | HookLoadFile  ./plugins <...>/plugins
-0.000000 | HookLoadFile  ./polling <...>/polling.zeek
-0.000000 | HookLoadFile  ./pools <...>/pools.zeek
-0.000000 | HookLoadFile  ./postprocessors <...>/postprocessors
-0.000000 | HookLoadFile  ./programming <...>/programming.sig
-0.000000 | HookLoadFile  ./removal-hooks <...>/removal-hooks.zeek
-0.000000 | HookLoadFile  ./reporter.bif.zeek <...>/reporter.bif.zeek
-0.000000 | HookLoadFile  ./ryu <...>/ryu.zeek
-0.000000 | HookLoadFile  ./sample <...>/sample.zeek
-0.000000 | HookLoadFile  ./scp <...>/scp.zeek
-0.000000 | HookLoadFile  ./sftp <...>/sftp.zeek
-0.000000 | HookLoadFile  ./shunt <...>/shunt.zeek
-0.000000 | HookLoadFile  ./site <...>/site.zeek
-0.000000 | HookLoadFile  ./smb1-main <...>/smb1-main.zeek
-0.000000 | HookLoadFile  ./smb2-main <...>/smb2-main.zeek
-0.000000 | HookLoadFile  ./stats.bif.zeek <...>/stats.bif.zeek
-0.000000 | HookLoadFile  ./std-dev <...>/std-dev.zeek
-0.000000 | HookLoadFile  ./store <...>/store.zeek
-0.000000 | HookLoadFile  ./store.bif.zeek <...>/store.bif.zeek
-0.000000 | HookLoadFile  ./strings.bif.zeek <...>/strings.bif.zeek
-0.000000 | HookLoadFile  ./sum <...>/sum.zeek
-0.000000 | HookLoadFile  ./supervisor.bif.zeek <...>/supervisor.bif.zeek
-0.000000 | HookLoadFile  ./telemetry.bif.zeek <...>/telemetry.bif.zeek
-0.000000 | HookLoadFile  ./thresholds <...>/thresholds.zeek
-0.000000 | HookLoadFile  ./top-k.bif.zeek <...>/top-k.bif.zeek
-0.000000 | HookLoadFile  ./topk <...>/topk.zeek
-0.000000 | HookLoadFile  ./types <...>/types.zeek
-0.000000 | HookLoadFile  ./types.bif.zeek <...>/types.bif.zeek
-0.000000 | HookLoadFile  ./unique <...>/unique.zeek
-0.000000 | HookLoadFile  ./utils <...>/utils.zeek
-0.000000 | HookLoadFile  ./utils-commands <...>/utils-commands.zeek
-0.000000 | HookLoadFile  ./variance <...>/variance.zeek
-0.000000 | HookLoadFile  ./video <...>/video.sig
-0.000000 | HookLoadFile  ./weird <...>/weird.zeek
-0.000000 | HookLoadFile  ./zeek.bif.zeek <...>/zeek.bif.zeek
-0.000000 | HookLoadFile  ./zeekygen.bif.zeek <...>/zeekygen.bif.zeek
-0.000000 | HookLoadFile  .<...>/add-geodata <...>/add-geodata.zeek
-0.000000 | HookLoadFile  .<...>/ascii <...>/ascii.zeek
-0.000000 | HookLoadFile  .<...>/benchmark <...>/benchmark.zeek
-0.000000 | HookLoadFile  .<...>/binary <...>/binary.zeek
-0.000000 | HookLoadFile  .<...>/config <...>/config.zeek
-0.000000 | HookLoadFile  .<...>/email_admin <...>/email_admin.zeek
-0.000000 | HookLoadFile  .<...>/none <...>/none.zeek
-0.000000 | HookLoadFile  .<...>/page <...>/page.zeek
-0.000000 | HookLoadFile  .<...>/pp-alarms <...>/pp-alarms.zeek
-0.000000 | HookLoadFile  .<...>/raw <...>/raw.zeek
-0.000000 | HookLoadFile  .<...>/sqlite <...>/sqlite.zeek
-0.000000 | HookLoadFile  <...>/__load__.zeek <...>/__load__.zeek
-0.000000 | HookLoadFile  <...>/__preload__.zeek <...>/__preload__.zeek
-0.000000 | HookLoadFile  <...>/hooks.zeek <...>/hooks.zeek
-0.000000 | HookLoadFile  base/bif <...>/bif
-0.000000 | HookLoadFile  base/init-default <...>/init-default.zeek
-0.000000 | HookLoadFile  base/init-frameworks-and-bifs.zeek <...>/init-frameworks-and-bifs.zeek
-0.000000 | HookLoadFile  base/packet-protocols <...>/packet-protocols
-0.000000 | HookLoadFile  base<...>/CPP-load.bif <...>/CPP-load.bif.zeek
-0.000000 | HookLoadFile  base<...>/Zeek_KRB.types.bif <...>/Zeek_KRB.types.bif.zeek
-0.000000 | HookLoadFile  base<...>/Zeek_SNMP.types.bif <...>/Zeek_SNMP.types.bif.zeek
-0.000000 | HookLoadFile  base<...>/active-http <...>/active-http.zeek
-0.000000 | HookLoadFile  base<...>/addrs <...>/addrs.zeek
-0.000000 | HookLoadFile  base<...>/analyzer <...>/analyzer
-0.000000 | HookLoadFile  base<...>/analyzer.bif <...>/analyzer.bif.zeek
-0.000000 | HookLoadFile  base<...>/api <...>/api.zeek
-0.000000 | HookLoadFile  base<...>/backtrace <...>/backtrace.zeek
-0.000000 | HookLoadFile  base<...>/broker <...>/broker
-0.000000 | HookLoadFile  base<...>/cluster <...>/cluster
-0.000000 | HookLoadFile  base<...>/comm.bif <...>/comm.bif.zeek
-0.000000 | HookLoadFile  base<...>/config <...>/config
-0.000000 | HookLoadFile  base<...>/conn <...>/conn
-0.000000 | HookLoadFile  base<...>/conn-ids <...>/conn-ids.zeek
-0.000000 | HookLoadFile  base<...>/const.bif <...>/const.bif.zeek
-0.000000 | HookLoadFile  base<...>/control <...>/control
-0.000000 | HookLoadFile  base<...>/data.bif <...>/data.bif.zeek
-0.000000 | HookLoadFile  base<...>/dce-rpc <...>/dce-rpc
-0.000000 | HookLoadFile  base<...>/dhcp <...>/dhcp
-0.000000 | HookLoadFile  base<...>/dir <...>/dir.zeek
-0.000000 | HookLoadFile  base<...>/directions-and-hosts <...>/directions-and-hosts.zeek
-0.000000 | HookLoadFile  base<...>/dnp3 <...>/dnp3
-0.000000 | HookLoadFile  base<...>/dns <...>/dns
-0.000000 | HookLoadFile  base<...>/dpd <...>/dpd
-0.000000 | HookLoadFile  base<...>/email <...>/email.zeek
-0.000000 | HookLoadFile  base<...>/ethernet <...>/ethernet
-0.000000 | HookLoadFile  base<...>/event.bif <...>/event.bif.zeek
-0.000000 | HookLoadFile  base<...>/exec <...>/exec.zeek
-0.000000 | HookLoadFile  base<...>/extract <...>/extract
-0.000000 | HookLoadFile  base<...>/fddi <...>/fddi
-0.000000 | HookLoadFile  base<...>/file_analysis.bif <...>/file_analysis.bif.zeek
-0.000000 | HookLoadFile  base<...>/files <...>/files
-0.000000 | HookLoadFile  base<...>/files <...>/files.zeek
-0.000000 | HookLoadFile  base<...>/find-checksum-offloading <...>/find-checksum-offloading.zeek
-0.000000 | HookLoadFile  base<...>/find-filtered-trace <...>/find-filtered-trace.zeek
-0.000000 | HookLoadFile  base<...>/ftp <...>/ftp
-0.000000 | HookLoadFile  base<...>/geoip-distance <...>/geoip-distance.zeek
-0.000000 | HookLoadFile  base<...>/gre <...>/gre
-0.000000 | HookLoadFile  base<...>/hash <...>/hash
-0.000000 | HookLoadFile  base<...>/hash_hrw <...>/hash_hrw.zeek
-0.000000 | HookLoadFile  base<...>/http <...>/http
-0.000000 | HookLoadFile  base<...>/icmp <...>/icmp
-0.000000 | HookLoadFile  base<...>/ieee802_11 <...>/ieee802_11
-0.000000 | HookLoadFile  base<...>/ieee802_11_radio <...>/ieee802_11_radio
-0.000000 | HookLoadFile  base<...>/imap <...>/imap
-0.000000 | HookLoadFile  base<...>/input <...>/input
-0.000000 | HookLoadFile  base<...>/input.bif <...>/input.bif.zeek
-0.000000 | HookLoadFile  base<...>/intel <...>/intel
-0.000000 | HookLoadFile  base<...>/ip <...>/ip
-0.000000 | HookLoadFile  base<...>/iptunnel <...>/iptunnel
-0.000000 | HookLoadFile  base<...>/irc <...>/irc
-0.000000 | HookLoadFile  base<...>/krb <...>/krb
-0.000000 | HookLoadFile  base<...>/linux_sll <...>/linux_sll
-0.000000 | HookLoadFile  base<...>/logging <...>/logging
-0.000000 | HookLoadFile  base<...>/logging.bif <...>/logging.bif.zeek
-0.000000 | HookLoadFile  base<...>/main <...>/main.zeek
-0.000000 | HookLoadFile  base<...>/messaging.bif <...>/messaging.bif.zeek
-0.000000 | HookLoadFile  base<...>/modbus <...>/modbus
-0.000000 | HookLoadFile  base<...>/mpls <...>/mpls
-0.000000 | HookLoadFile  base<...>/mqtt <...>/mqtt
-0.000000 | HookLoadFile  base<...>/mysql <...>/mysql
-0.000000 | HookLoadFile  base<...>/netcontrol <...>/netcontrol
-0.000000 | HookLoadFile  base<...>/nflog <...>/nflog
-0.000000 | HookLoadFile  base<...>/notice <...>/notice
-0.000000 | HookLoadFile  base<...>/ntlm <...>/ntlm
-0.000000 | HookLoadFile  base<...>/ntp <...>/ntp
-0.000000 | HookLoadFile  base<...>/null <...>/null
-0.000000 | HookLoadFile  base<...>/numbers <...>/numbers.zeek
-0.000000 | HookLoadFile  base<...>/openflow <...>/openflow
-0.000000 | HookLoadFile  base<...>/option.bif <...>/option.bif.zeek
-0.000000 | HookLoadFile  base<...>/packet-filter <...>/packet-filter
-0.000000 | HookLoadFile  base<...>/packet_analysis.bif <...>/packet_analysis.bif.zeek
-0.000000 | HookLoadFile  base<...>/paths <...>/paths.zeek
-0.000000 | HookLoadFile  base<...>/patterns <...>/patterns.zeek
-0.000000 | HookLoadFile  base<...>/pe <...>/pe
-0.000000 | HookLoadFile  base<...>/plugins <...>/plugins
-0.000000 | HookLoadFile  base<...>/pop3 <...>/pop3
-0.000000 | HookLoadFile  base<...>/ppp_serial <...>/ppp_serial
-0.000000 | HookLoadFile  base<...>/pppoe <...>/pppoe
-0.000000 | HookLoadFile  base<...>/queue <...>/queue.zeek
-0.000000 | HookLoadFile  base<...>/radius <...>/radius
-0.000000 | HookLoadFile  base<...>/rdp <...>/rdp
-0.000000 | HookLoadFile  base<...>/removal-hooks <...>/removal-hooks.zeek
-0.000000 | HookLoadFile  base<...>/reporter <...>/reporter
-0.000000 | HookLoadFile  base<...>/reporter.bif <...>/reporter.bif.zeek
-0.000000 | HookLoadFile  base<...>/rfb <...>/rfb
-0.000000 | HookLoadFile  base<...>/root <...>/root
-0.000000 | HookLoadFile  base<...>/signatures <...>/signatures
-0.000000 | HookLoadFile  base<...>/sip <...>/sip
-0.000000 | HookLoadFile  base<...>/site <...>/site.zeek
-0.000000 | HookLoadFile  base<...>/skip <...>/skip
-0.000000 | HookLoadFile  base<...>/smb <...>/smb
-0.000000 | HookLoadFile  base<...>/smtp <...>/smtp
-0.000000 | HookLoadFile  base<...>/snmp <...>/snmp
-0.000000 | HookLoadFile  base<...>/socks <...>/socks
-0.000000 | HookLoadFile  base<...>/software <...>/software
-0.000000 | HookLoadFile  base<...>/ssh <...>/ssh
-0.000000 | HookLoadFile  base<...>/ssl <...>/ssl
-0.000000 | HookLoadFile  base<...>/stats.bif <...>/stats.bif.zeek
-0.000000 | HookLoadFile  base<...>/store.bif <...>/store.bif.zeek
-0.000000 | HookLoadFile  base<...>/strings <...>/strings.zeek
-0.000000 | HookLoadFile  base<...>/strings.bif <...>/strings.bif.zeek
-0.000000 | HookLoadFile  base<...>/sumstats <...>/sumstats
-0.000000 | HookLoadFile  base<...>/supervisor <...>/supervisor
-0.000000 | HookLoadFile  base<...>/supervisor.bif <...>/supervisor.bif.zeek
-0.000000 | HookLoadFile  base<...>/syslog <...>/syslog
-0.000000 | HookLoadFile  base<...>/tcp <...>/tcp
-0.000000 | HookLoadFile  base<...>/thresholds <...>/thresholds.zeek
-0.000000 | HookLoadFile  base<...>/time <...>/time.zeek
-0.000000 | HookLoadFile  base<...>/tunnels <...>/tunnels
-0.000000 | HookLoadFile  base<...>/types.bif <...>/types.bif.zeek
-0.000000 | HookLoadFile  base<...>/udp <...>/udp
-0.000000 | HookLoadFile  base<...>/urls <...>/urls.zeek
-0.000000 | HookLoadFile  base<...>/utils <...>/utils.zeek
-0.000000 | HookLoadFile  base<...>/version <...>/version.zeek
-0.000000 | HookLoadFile  base<...>/vlan <...>/vlan
-0.000000 | HookLoadFile  base<...>/vntag <...>/vntag
-0.000000 | HookLoadFile  base<...>/weird <...>/weird.zeek
-0.000000 | HookLoadFile  base<...>/x509 <...>/x509
-0.000000 | HookLoadFile  base<...>/xmpp <...>/xmpp
-0.000000 | HookLoadFile  base<...>/zeek.bif <...>/zeek.bif.zeek
-0.000000 | HookLoadFile  builtin-plugins/__load__.zeek <...>/__load__.zeek
-0.000000 | HookLoadFile  builtin-plugins/__preload__.zeek <...>/__preload__.zeek
-0.000000 | HookLogInit   packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)}
-0.000000 | HookLogWrite  packet_filter [ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T]
-0.000000 | HookQueueEvent NetControl::init()
-0.000000 | HookQueueEvent NetControl::init_done()
-0.000000 | HookQueueEvent filter_change_tracking()
-0.000000 | HookQueueEvent zeek_init()
-XXXXXXXXXX.XXXXXX   MetaHookPost  BroObjDtor(<void ptr>) -> <void>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(Broker::log_flush, <null>, ()) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(ChecksumOffloading::check, <null>, ()) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(NetControl::init_done, <null>, ()) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(filter_change_tracking, <null>, ()) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(get_net_stats, <frame>, ()) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(new_connection, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=0 secs, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  DrainEvents() -> <void>
-XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(Broker::log_flush()) -> false
-XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(ChecksumOffloading::check()) -> false
-XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(filter_change_tracking()) -> false
-XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(new_connection([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=0 secs, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> false
-XXXXXXXXXX.XXXXXX   MetaHookPost  SetupAnalyzerTree(XXXXXXXXXX.XXXXXX(XXXXXXXXXX.XXXXXX) TCP 141.142.228.5:59856 -> 192.150.187.43:80) -> <void>
-XXXXXXXXXX.XXXXXX   MetaHookPost  UpdateNetworkTime(XXXXXXXXXX.XXXXXX) -> <void>
-XXXXXXXXXX.XXXXXX   MetaHookPre   BroObjDtor(<void ptr>)
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(Broker::log_flush, <null>, ())
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(ChecksumOffloading::check, <null>, ())
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(NetControl::init_done, <null>, ())
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(filter_change_tracking, <null>, ())
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(get_net_stats, <frame>, ())
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(new_connection, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=0 secs, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
-XXXXXXXXXX.XXXXXX   MetaHookPre   DrainEvents()
-XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(Broker::log_flush())
-XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(ChecksumOffloading::check())
-XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(filter_change_tracking())
-XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(new_connection([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=0 secs, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
-XXXXXXXXXX.XXXXXX   MetaHookPre   SetupAnalyzerTree(XXXXXXXXXX.XXXXXX(XXXXXXXXXX.XXXXXX) TCP 141.142.228.5:59856 -> 192.150.187.43:80)
-XXXXXXXXXX.XXXXXX   MetaHookPre   UpdateNetworkTime(XXXXXXXXXX.XXXXXX)
-XXXXXXXXXX.XXXXXX  | HookBroObjDtor
-XXXXXXXXXX.XXXXXX  | HookUpdateNetworkTime XXXXXXXXXX.XXXXXX
-XXXXXXXXXX.XXXXXX | HookCallFunction Broker::log_flush()
-XXXXXXXXXX.XXXXXX | HookCallFunction ChecksumOffloading::check()
-XXXXXXXXXX.XXXXXX | HookCallFunction NetControl::init_done()
-XXXXXXXXXX.XXXXXX | HookCallFunction filter_change_tracking()
-XXXXXXXXXX.XXXXXX | HookCallFunction get_net_stats()
-XXXXXXXXXX.XXXXXX | HookCallFunction new_connection([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=0 secs, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
-XXXXXXXXXX.XXXXXX | HookDrainEvents
-XXXXXXXXXX.XXXXXX | HookQueueEvent Broker::log_flush()
-XXXXXXXXXX.XXXXXX | HookQueueEvent ChecksumOffloading::check()
-XXXXXXXXXX.XXXXXX | HookQueueEvent filter_change_tracking()
-XXXXXXXXXX.XXXXXX | HookQueueEvent new_connection([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=0, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=0 secs, service={}, history=, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
-XXXXXXXXXX.XXXXXX | HookSetupAnalyzerTree XXXXXXXXXX.XXXXXX(XXXXXXXXXX.XXXXXX) TCP 141.142.228.5:59856 -> 192.150.187.43:80
-XXXXXXXXXX.XXXXXX | RequestObjDtor Broker::log_flush()
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(connection_established, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=69.0 msecs 740.056992 usecs, service={}, history=Sh, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  DrainEvents() -> <void>
-XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(connection_established([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=69.0 msecs 740.056992 usecs, service={}, history=Sh, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> false
-XXXXXXXXXX.XXXXXX   MetaHookPost  UpdateNetworkTime(XXXXXXXXXX.XXXXXX) -> <void>
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(connection_established, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=69.0 msecs 740.056992 usecs, service={}, history=Sh, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
-XXXXXXXXXX.XXXXXX   MetaHookPre   DrainEvents()
-XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(connection_established([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=69.0 msecs 740.056992 usecs, service={}, history=Sh, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
-XXXXXXXXXX.XXXXXX   MetaHookPre   UpdateNetworkTime(XXXXXXXXXX.XXXXXX)
-XXXXXXXXXX.XXXXXX  | HookUpdateNetworkTime XXXXXXXXXX.XXXXXX
-XXXXXXXXXX.XXXXXX | HookCallFunction connection_established([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=69.0 msecs 740.056992 usecs, service={}, history=Sh, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
-XXXXXXXXXX.XXXXXX | HookDrainEvents
-XXXXXXXXXX.XXXXXX | HookQueueEvent connection_established([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=0, state=4, num_pkts=1, num_bytes_ip=64, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=0, num_bytes_ip=0, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=69.0 msecs 740.056992 usecs, service={}, history=Sh, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
-XXXXXXXXXX.XXXXXX   MetaHookPost  DrainEvents() -> <void>
-XXXXXXXXXX.XXXXXX   MetaHookPost  UpdateNetworkTime(XXXXXXXXXX.XXXXXX) -> <void>
-XXXXXXXXXX.XXXXXX   MetaHookPre   DrainEvents()
-XXXXXXXXXX.XXXXXX   MetaHookPre   UpdateNetworkTime(XXXXXXXXXX.XXXXXX)
-XXXXXXXXXX.XXXXXX  | HookUpdateNetworkTime XXXXXXXXXX.XXXXXX
-XXXXXXXXXX.XXXXXX | HookDrainEvents
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856/tcp, 192.150.187.43, 80/tcp)) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(fmt, <frame>, (-%s, HTTP)) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(http_begin_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(http_end_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, User-Agent, USER-AGENT, Wget/1.14 (darwin12.2.0))) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, Accept, ACCEPT, */*)) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, Host, HOST, bro.org)) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, Connection, CONNECTION, Keep-Alive)) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(http_message_done, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=XXXXXXXXXX.XXXXXX, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(http_request, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], GET, <...>/CHANGES.bro-aux.txt, <...>/CHANGES.bro-aux.txt, 1.1)) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp])) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(protocol_confirmation, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTPXXXXXXXXXX.XXXXXXT11141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(split_string1, <frame>, (bro.org, /^?(:)$?/)) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  DrainEvents() -> <void>
-XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
-XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
-XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
-XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, Accept, ACCEPT, */*)) -> false
-XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, Connection, CONNECTION, Keep-Alive)) -> false
-XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, Host, HOST, bro.org)) -> false
-XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, User-Agent, USER-AGENT, Wget/1.14 (darwin12.2.0))) -> false
-XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=XXXXXXXXXX.XXXXXX, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) -> false
-XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(http_request([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], GET, <...>/CHANGES.bro-aux.txt, <...>/CHANGES.bro-aux.txt, 1.1)) -> false
-XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)) -> false
-XXXXXXXXXX.XXXXXX   MetaHookPost  UpdateNetworkTime(XXXXXXXXXX.XXXXXX) -> <void>
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856/tcp, 192.150.187.43, 80/tcp))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(fmt, <frame>, (-%s, HTTP))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(http_begin_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(http_end_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, User-Agent, USER-AGENT, Wget/1.14 (darwin12.2.0)))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, Accept, ACCEPT, */*))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, Host, HOST, bro.org))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, Connection, CONNECTION, Keep-Alive))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(http_message_done, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=XXXXXXXXXX.XXXXXX, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124]))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(http_request, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], GET, <...>/CHANGES.bro-aux.txt, <...>/CHANGES.bro-aux.txt, 1.1))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(protocol_confirmation, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTPXXXXXXXXXX.XXXXXXT11141.142.228.5:59856 > 192.150.187.43:80))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(split_string1, <frame>, (bro.org, /^?(:)$?/))
-XXXXXXXXXX.XXXXXX   MetaHookPre   DrainEvents()
-XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, Accept, ACCEPT, */*))
-XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, Connection, CONNECTION, Keep-Alive))
-XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, Host, HOST, bro.org))
-XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, User-Agent, USER-AGENT, Wget/1.14 (darwin12.2.0)))
-XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=XXXXXXXXXX.XXXXXX, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124]))
-XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(http_request([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], GET, <...>/CHANGES.bro-aux.txt, <...>/CHANGES.bro-aux.txt, 1.1))
-XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3))
-XXXXXXXXXX.XXXXXX   MetaHookPre   UpdateNetworkTime(XXXXXXXXXX.XXXXXX)
-XXXXXXXXXX.XXXXXX  | HookUpdateNetworkTime XXXXXXXXXX.XXXXXX
-XXXXXXXXXX.XXXXXX | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-XXXXXXXXXX.XXXXXX | HookCallFunction cat(Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)
-XXXXXXXXXX.XXXXXX | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856/tcp, 192.150.187.43, 80/tcp)
-XXXXXXXXXX.XXXXXX | HookCallFunction fmt(-%s, HTTP)
-XXXXXXXXXX.XXXXXX | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-XXXXXXXXXX.XXXXXX | HookCallFunction http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=0, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-XXXXXXXXXX.XXXXXX | HookCallFunction http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-XXXXXXXXXX.XXXXXX | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=<uninitialized>, origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, User-Agent, USER-AGENT, Wget/1.14 (darwin12.2.0))
-XXXXXXXXXX.XXXXXX | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, Accept, ACCEPT, */*)
-XXXXXXXXXX.XXXXXX | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, Host, HOST, bro.org)
-XXXXXXXXXX.XXXXXX | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, Connection, CONNECTION, Keep-Alive)
-XXXXXXXXXX.XXXXXX | HookCallFunction http_message_done([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=XXXXXXXXXX.XXXXXX, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])
-XXXXXXXXXX.XXXXXX | HookCallFunction http_request([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], GET, <...>/CHANGES.bro-aux.txt, <...>/CHANGES.bro-aux.txt, 1.1)
-XXXXXXXXXX.XXXXXX | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp])
-XXXXXXXXXX.XXXXXX | HookCallFunction protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)
-XXXXXXXXXX.XXXXXX | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTPXXXXXXXXXX.XXXXXXT11141.142.228.5:59856 > 192.150.187.43:80)
-XXXXXXXXXX.XXXXXX | HookCallFunction split_string1(bro.org, /^?(:)$?/)
-XXXXXXXXXX.XXXXXX | HookDrainEvents
-XXXXXXXXXX.XXXXXX | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-XXXXXXXXXX.XXXXXX | HookQueueEvent http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-XXXXXXXXXX.XXXXXX | HookQueueEvent http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-XXXXXXXXXX.XXXXXX | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, Accept, ACCEPT, */*)
-XXXXXXXXXX.XXXXXX | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, Connection, CONNECTION, Keep-Alive)
-XXXXXXXXXX.XXXXXX | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, Host, HOST, bro.org)
-XXXXXXXXXX.XXXXXX | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, User-Agent, USER-AGENT, Wget/1.14 (darwin12.2.0))
-XXXXXXXXXX.XXXXXX | HookQueueEvent http_message_done([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=XXXXXXXXXX.XXXXXX, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])
-XXXXXXXXXX.XXXXXX | HookQueueEvent http_request([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], GET, <...>/CHANGES.bro-aux.txt, <...>/CHANGES.bro-aux.txt, 1.1)
-XXXXXXXXXX.XXXXXX | HookQueueEvent protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)
-XXXXXXXXXX.XXXXXX   MetaHookPost  DrainEvents() -> <void>
-XXXXXXXXXX.XXXXXX   MetaHookPost  UpdateNetworkTime(XXXXXXXXXX.XXXXXX) -> <void>
-XXXXXXXXXX.XXXXXX   MetaHookPre   DrainEvents()
-XXXXXXXXXX.XXXXXX   MetaHookPre   UpdateNetworkTime(XXXXXXXXXX.XXXXXX)
-XXXXXXXXXX.XXXXXX  | HookUpdateNetworkTime XXXXXXXXXX.XXXXXX
-XXXXXXXXXX.XXXXXX | HookDrainEvents
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(file_new, <null>, ([id=FMnxxt3xjVcWNS2141, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>])) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(file_over_new_connection, <null>, ([id=FMnxxt3xjVcWNS2141, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FMnxxt3xjVcWNS2141, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>], [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856/tcp, 192.150.187.43, 80/tcp)) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(http_begin_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Accept-Ranges, ACCEPT-RANGES, bytes)) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Connection, CONNECTION, Keep-Alive)) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Content-Length, CONTENT-LENGTH, 4705)) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Content-Type, CONTENT-TYPE, text/plain; charset=UTF-8)) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Date, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETag, ETAG, "1261-4c870358a6fc0")) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Keep-Alive, KEEP-ALIVE, timeout=5, max=100)) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Last-Modified, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Server, SERVER, Apache/2.4.3 (Fedora))) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(http_reply, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK)) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp])) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTPXXXXXXXXXX.XXXXXXF11141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  DrainEvents() -> <void>
-XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(file_new([id=FMnxxt3xjVcWNS2141, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>])) -> false
-XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(file_over_new_connection([id=FMnxxt3xjVcWNS2141, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FMnxxt3xjVcWNS2141, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>], [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
-XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
-XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
-XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Accept-Ranges, ACCEPT-RANGES, bytes)) -> false
-XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Connection, CONNECTION, Keep-Alive)) -> false
-XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Content-Length, CONTENT-LENGTH, 4705)) -> false
-XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Content-Type, CONTENT-TYPE, text/plain; charset=UTF-8)) -> false
-XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Date, DATE, Thu, 07 Mar 2013 21:43:07 GMT)) -> false
-XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETag, ETAG, "1261-4c870358a6fc0")) -> false
-XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Keep-Alive, KEEP-ALIVE, timeout=5, max=100)) -> false
-XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Last-Modified, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)) -> false
-XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Server, SERVER, Apache/2.4.3 (Fedora))) -> false
-XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(http_reply([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK)) -> false
-XXXXXXXXXX.XXXXXX   MetaHookPost  UpdateNetworkTime(XXXXXXXXXX.XXXXXX) -> <void>
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(file_new, <null>, ([id=FMnxxt3xjVcWNS2141, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(file_over_new_connection, <null>, ([id=FMnxxt3xjVcWNS2141, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FMnxxt3xjVcWNS2141, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>], [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856/tcp, 192.150.187.43, 80/tcp))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(http_begin_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Accept-Ranges, ACCEPT-RANGES, bytes))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Connection, CONNECTION, Keep-Alive))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Content-Length, CONTENT-LENGTH, 4705))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Content-Type, CONTENT-TYPE, text/plain; charset=UTF-8))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Date, DATE, Thu, 07 Mar 2013 21:43:07 GMT))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETag, ETAG, "1261-4c870358a6fc0"))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Keep-Alive, KEEP-ALIVE, timeout=5, max=100))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Last-Modified, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(http_header, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Server, SERVER, Apache/2.4.3 (Fedora)))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(http_reply, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTPXXXXXXXXXX.XXXXXXF11141.142.228.5:59856 > 192.150.187.43:80))
-XXXXXXXXXX.XXXXXX   MetaHookPre   DrainEvents()
-XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(file_new([id=FMnxxt3xjVcWNS2141, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>]))
-XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(file_over_new_connection([id=FMnxxt3xjVcWNS2141, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FMnxxt3xjVcWNS2141, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>], [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Accept-Ranges, ACCEPT-RANGES, bytes))
-XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Connection, CONNECTION, Keep-Alive))
-XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Content-Length, CONTENT-LENGTH, 4705))
-XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Content-Type, CONTENT-TYPE, text/plain; charset=UTF-8))
-XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Date, DATE, Thu, 07 Mar 2013 21:43:07 GMT))
-XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETag, ETAG, "1261-4c870358a6fc0"))
-XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Keep-Alive, KEEP-ALIVE, timeout=5, max=100))
-XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Last-Modified, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT))
-XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Server, SERVER, Apache/2.4.3 (Fedora)))
-XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(http_reply([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK))
-XXXXXXXXXX.XXXXXX   MetaHookPre   UpdateNetworkTime(XXXXXXXXXX.XXXXXX)
-XXXXXXXXXX.XXXXXX  | HookUpdateNetworkTime XXXXXXXXXX.XXXXXX
-XXXXXXXXXX.XXXXXX | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-XXXXXXXXXX.XXXXXX | HookCallFunction cat(Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)
-XXXXXXXXXX.XXXXXX | HookCallFunction file_new([id=FMnxxt3xjVcWNS2141, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>])
-XXXXXXXXXX.XXXXXX | HookCallFunction file_over_new_connection([id=FMnxxt3xjVcWNS2141, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FMnxxt3xjVcWNS2141, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>], [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-XXXXXXXXXX.XXXXXX | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856/tcp, 192.150.187.43, 80/tcp)
-XXXXXXXXXX.XXXXXX | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-XXXXXXXXXX.XXXXXX | HookCallFunction http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-XXXXXXXXXX.XXXXXX | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Accept-Ranges, ACCEPT-RANGES, bytes)
-XXXXXXXXXX.XXXXXX | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Connection, CONNECTION, Keep-Alive)
-XXXXXXXXXX.XXXXXX | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Content-Length, CONTENT-LENGTH, 4705)
-XXXXXXXXXX.XXXXXX | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Content-Type, CONTENT-TYPE, text/plain; charset=UTF-8)
-XXXXXXXXXX.XXXXXX | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Date, DATE, Thu, 07 Mar 2013 21:43:07 GMT)
-XXXXXXXXXX.XXXXXX | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETag, ETAG, "1261-4c870358a6fc0")
-XXXXXXXXXX.XXXXXX | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Keep-Alive, KEEP-ALIVE, timeout=5, max=100)
-XXXXXXXXXX.XXXXXX | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Last-Modified, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)
-XXXXXXXXXX.XXXXXX | HookCallFunction http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Server, SERVER, Apache/2.4.3 (Fedora))
-XXXXXXXXXX.XXXXXX | HookCallFunction http_reply([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK)
-XXXXXXXXXX.XXXXXX | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp])
-XXXXXXXXXX.XXXXXX | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTPXXXXXXXXXX.XXXXXXF11141.142.228.5:59856 > 192.150.187.43:80)
-XXXXXXXXXX.XXXXXX | HookDrainEvents
-XXXXXXXXXX.XXXXXX | HookQueueEvent file_new([id=FMnxxt3xjVcWNS2141, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=<uninitialized>, ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>])
-XXXXXXXXXX.XXXXXX | HookQueueEvent file_over_new_connection([id=FMnxxt3xjVcWNS2141, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=<uninitialized>, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FMnxxt3xjVcWNS2141, tx_hosts={}, rx_hosts={}, conn_uids={}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=<uninitialized>, irc=<uninitialized>, pe=<uninitialized>], [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-XXXXXXXXXX.XXXXXX | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-XXXXXXXXXX.XXXXXX | HookQueueEvent http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-XXXXXXXXXX.XXXXXX | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Accept-Ranges, ACCEPT-RANGES, bytes)
-XXXXXXXXXX.XXXXXX | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Connection, CONNECTION, Keep-Alive)
-XXXXXXXXXX.XXXXXX | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Content-Length, CONTENT-LENGTH, 4705)
-XXXXXXXXXX.XXXXXX | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Content-Type, CONTENT-TYPE, text/plain; charset=UTF-8)
-XXXXXXXXXX.XXXXXX | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Date, DATE, Thu, 07 Mar 2013 21:43:07 GMT)
-XXXXXXXXXX.XXXXXX | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, ETag, ETAG, "1261-4c870358a6fc0")
-XXXXXXXXXX.XXXXXX | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Keep-Alive, KEEP-ALIVE, timeout=5, max=100)
-XXXXXXXXXX.XXXXXX | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Last-Modified, LAST-MODIFIED, Wed, 29 Aug 2012 23:49:27 GMT)
-XXXXXXXXXX.XXXXXX | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, Server, SERVER, Apache/2.4.3 (Fedora))
-XXXXXXXXXX.XXXXXX | HookQueueEvent http_reply([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], 1.1, 200, OK)
-XXXXXXXXXX.XXXXXX   MetaHookPost  DrainEvents() -> <void>
-XXXXXXXXXX.XXXXXX   MetaHookPost  UpdateNetworkTime(XXXXXXXXXX.XXXXXX) -> <void>
-XXXXXXXXXX.XXXXXX   MetaHookPre   DrainEvents()
-XXXXXXXXXX.XXXXXX   MetaHookPre   UpdateNetworkTime(XXXXXXXXXX.XXXXXX)
-XXXXXXXXXX.XXXXXX  | HookUpdateNetworkTime XXXXXXXXXX.XXXXXX
-XXXXXXXXXX.XXXXXX | HookDrainEvents
-XXXXXXXXXX.XXXXXX   MetaHookPost  DrainEvents() -> <void>
-XXXXXXXXXX.XXXXXX   MetaHookPost  UpdateNetworkTime(XXXXXXXXXX.XXXXXX) -> <void>
-XXXXXXXXXX.XXXXXX   MetaHookPre   DrainEvents()
-XXXXXXXXXX.XXXXXX   MetaHookPre   UpdateNetworkTime(XXXXXXXXXX.XXXXXX)
-XXXXXXXXXX.XXXXXX  | HookUpdateNetworkTime XXXXXXXXXX.XXXXXX
-XXXXXXXXXX.XXXXXX | HookDrainEvents
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(Files::log_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, fuid=FMnxxt3xjVcWNS2141, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.975693 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], Files::LOG, [name=default, writer=Log::WRITER_ASCII, path=files, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 430.927277 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(HTTP::log_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, path=http, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(Log::log_stream_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], HTTP::LOG)) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(Log::log_stream_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, fuid=FMnxxt3xjVcWNS2141, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.975693 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], Files::LOG)) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(file_sniff, <null>, ([id=FMnxxt3xjVcWNS2141, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=4042, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0a0.26 | 2012-08-24 15:10:04 -0700\x0a\x0a  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)\x0a\x0a  * Fixing GPG signing script. (Robin Sommer)\x0a\x0a0.25 | 2012-08-01 13:55:46 -0500\x0a\x0a  * Fix configure script to exit with non-zero status on error (Jon Siwek)\x0a\x0a0.24 | 2012-07-05 12:50:43 -0700\x0a\x0a  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)\x0a\x0a  * Adding script to delete old fully-merged branches. (Robin Sommer)\x0a\x0a0.23-2 | 2012-01-25 13:24:01 -0800\x0a\x0a  * Fix a bro-cut error message. (Daniel Thayer)\x0a\x0a0.23 | 2012-01-11 12:16:11 -0800\x0a\x0a  * Tweaks to release scripts, plus a new one for signing files.\x0a    (Robin Sommer)\x0a\x0a0.22 | 2012-01-10 16:45:19 -0800\x0a\x0a  * Tweaks for OpenBSD support. (Jon Siwek)\x0a\x0a  * bro-cut extensions and fixes.  (Robin Sommer)\x0a    \x0a    - If no field names are given on the command line, we now pass through\x0a      all fields. Adresses #657.\x0a\x0a    - Removing some GNUism from awk script. Addresses #653.\x0a\x0a    - Added option for time output in UTC. Addresses #668.\x0a\x0a    - Added output field separator option -F. Addresses #649.\x0a\x0a    - Fixing option -c: only some header lines were passed through\x0a      rather than all. (Robin Sommer)\x0a\x0a  * Fix parallel make portability. (Jon Siwek)\x0a\x0a0.21-9 | 2011-11-07 05:44:14 -0800\x0a\x0a  * Fixing compiler warnings. Addresses #388. (Jon Siwek)\x0a\x0a0.21-2 | 2011-11-02 18:12:13 -0700\x0a\x0a  * Fix for misnaming temp file in update-changes script. (Robin Sommer)\x0a\x0a0.21-1 | 2011-11-02 18:10:39 -0700\x0a\x0a  * Little fix for make-release script, which could pick out the wrong\x0a    tag. (Robin Sommer)\x0a\x0a0.21 | 2011-10-27 17:40:45 -0700\x0a\x0a  * Fixing bro-cut's usage message and argument error handling. (Robin Sommer)\x0a\x0a  * Bugfix in update-changes script. (Robin Sommer)\x0a\x0a  * update-changes now ignores commits it did itself. (Robin Sommer)\x0a\x0a  * Fix a bug in the update-changes script. (Robin Sommer)\x0a\x0a  * bro-cut now always installs to $prefix/bin by `make install`. (Jon Siwek)\x0a\x0a  * Options to adjust time format for bro-cut. (Robin Sommer)\x0a\x0a    The default with -d is now ISO format. The new option "-D <fmt>"\x0a    specifies a custom strftime()-style format string. Alternatively,\x0a    the environment variable BRO_CUT_TIMEFMT can set the format as\x0a    well.\x0a\x0a  * bro-cut now understands the field separator header. (Robin Sommer)\x0a\x0a  * Renaming options -h/-H -> -c/-C, and doing some general cleanup.\x0a\x0a0.2 | 2011-10-25 19:53:57 -0700\x0a\x0a  * Adding support for replacing version string in a setup.py. (Robin\x0a    Sommer)\x0a\x0a  * Change generated root cert DN indices format for RFC2253\x0a    compliance. (Jon Siwek)\x0a\x0a  * New tool devel-tools/check-release to run before making releases.\x0a    (Robin Sommer)\x0a\x0a  * devel-tools/update-changes gets a new option -a to amend to\x0a    previous commit if possible. Default is now not to (used to be the\x0a    opposite). (Robin Sommer)\x0a\x0a  * Change Mozilla trust root generation to index certs by subject DN. (Jon Siwek)\x0a\x0a  * Change distclean to only remove build dir. (Jon Siwek)\x0a\x0a  * Make dist now cleans the copied source (Jon Siwek)\x0a\x0a  * Small tweak to make-release for forced git-clean. (Jon Siwek)\x0a\x0a  * Fix to not let updates scripts loose their executable permissions.\x0a    (Robin Sommer)\x0a\x0a  * devel-tools/update-changes now looks for a 'release' tag to\x0a    idenfify the stable version, and 'beta' for the beta versions.\x0a    (Robin Sommer).\x0a\x0a  * Distribution cleanup. (Robin Sommer)\x0a\x0a  * New script devel-tools/make-release to create source tar balls.\x0a    (Robin Sommer)\x0a\x0a  * Removing bdcat. With the new log format, this isn't very useful\x0a    anymore. (Robin Sommer)\x0a\x0a  * Adding script that shows all pending git fastpath commits. (Robin\x0a    Sommer)\x0a\x0a  * Script to measure CPU time by loading an increasing set of\x0a    scripts. (Robin Sommer)\x0a\x0a  * extract-conn script now deals wit *.gz files. (Robin Sommer)\x0a\x0a  * Tiny update to output a valid CA list file for SSL cert\x0a    validation. (Seth Hall)\x0a\x0a  * Adding "install-aux" target. Addresses #622. (Jon Siwek)\x0a\x0a  * Distribution cleanup. (Jon Siwek and Robin Sommer)\x0a\x0a  * FindPCAP now links against thread library when necessary (e.g.\x0a    PF_RING's libpcap) (Jon Siwek)\x0a\x0a  * Install binaries with an RPATH (Jon Siwek)\x0a\x0a  * Workaround for FreeBSD CMake port missing debug flags (Jon Siwek)\x0a\x0a  * Rewrite of the update-changes script. (Robin Sommer)\x0a\x0a0.1-1 | 2011-06-14 21:12:41 -0700\x0a\x0a  * Add a script for generating Mozilla's CA list for the SSL analyzer.\x0a    (Seth Hall)\x0a\x0a0.1 | 2011-04-01 16:28:22 -0700\x0a\x0a  * Converting build process to CMake. (Jon Siwek)\x0a\x0a  * Removing cf<...>/ca-* from distribution. The README has a note where\x0a    to find them now. (Robin Sommer)\x0a\x0a  * General cleanup. (Robin Sommer)\x0a\x0a  * Initial import of bro/aux from SVN r7088. (Jon Siwek)\x0a, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FMnxxt3xjVcWNS2141, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>], [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], inferred=T])) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(file_state_remove, <null>, ([id=FMnxxt3xjVcWNS2141, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 430.927277 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0a0.26 | 2012-08-24 15:10:04 -0700\x0a\x0a  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)\x0a\x0a  * Fixing GPG signing script. (Robin Sommer)\x0a\x0a0.25 | 2012-08-01 13:55:46 -0500\x0a\x0a  * Fix configure script to exit with non-zero status on error (Jon Siwek)\x0a\x0a0.24 | 2012-07-05 12:50:43 -0700\x0a\x0a  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)\x0a\x0a  * Adding script to delete old fully-merged branches. (Robin Sommer)\x0a\x0a0.23-2 | 2012-01-25 13:24:01 -0800\x0a\x0a  * Fix a bro-cut error message. (Daniel Thayer)\x0a\x0a0.23 | 2012-01-11 12:16:11 -0800\x0a\x0a  * Tweaks to release scripts, plus a new one for signing files.\x0a    (Robin Sommer)\x0a\x0a0.22 | 2012-01-10 16:45:19 -0800\x0a\x0a  * Tweaks for OpenBSD support. (Jon Siwek)\x0a\x0a  * bro-cut extensions and fixes.  (Robin Sommer)\x0a    \x0a    - If no field names are given on the command line, we now pass through\x0a      all fields. Adresses #657.\x0a\x0a    - Removing some GNUism from awk script. Addresses #653.\x0a\x0a    - Added option for time output in UTC. Addresses #668.\x0a\x0a    - Added output field separator option -F. Addresses #649.\x0a\x0a    - Fixing option -c: only some header lines were passed through\x0a      rather than all. (Robin Sommer)\x0a\x0a  * Fix parallel make portability. (Jon Siwek)\x0a\x0a0.21-9 | 2011-11-07 05:44:14 -0800\x0a\x0a  * Fixing compiler warnings. Addresses #388. (Jon Siwek)\x0a\x0a0.21-2 | 2011-11-02 18:12:13 -0700\x0a\x0a  * Fix for misnaming temp file in update-changes script. (Robin Sommer)\x0a\x0a0.21-1 | 2011-11-02 18:10:39 -0700\x0a\x0a  * Little fix for make-release script, which could pick out the wrong\x0a    tag. (Robin Sommer)\x0a\x0a0.21 | 2011-10-27 17:40:45 -0700\x0a\x0a  * Fixing bro-cut's usage message and argument error handling. (Robin Sommer)\x0a\x0a  * Bugfix in update-changes script. (Robin Sommer)\x0a\x0a  * update-changes now ignores commits it did itself. (Robin Sommer)\x0a\x0a  * Fix a bug in the update-changes script. (Robin Sommer)\x0a\x0a  * bro-cut now always installs to $prefix/bin by `make install`. (Jon Siwek)\x0a\x0a  * Options to adjust time format for bro-cut. (Robin Sommer)\x0a\x0a    The default with -d is now ISO format. The new option "-D <fmt>"\x0a    specifies a custom strftime()-style format string. Alternatively,\x0a    the environment variable BRO_CUT_TIMEFMT can set the format as\x0a    well.\x0a\x0a  * bro-cut now understands the field separator header. (Robin Sommer)\x0a\x0a  * Renaming options -h/-H -> -c/-C, and doing some general cleanup.\x0a\x0a0.2 | 2011-10-25 19:53:57 -0700\x0a\x0a  * Adding support for replacing version string in a setup.py. (Robin\x0a    Sommer)\x0a\x0a  * Change generated root cert DN indices format for RFC2253\x0a    compliance. (Jon Siwek)\x0a\x0a  * New tool devel-tools/check-release to run before making releases.\x0a    (Robin Sommer)\x0a\x0a  * devel-tools/update-changes gets a new option -a to amend to\x0a    previous commit if possible. Default is now not to (used to be the\x0a    opposite). (Robin Sommer)\x0a\x0a  * Change Mozilla trust root generation to index certs by subject DN. (Jon Siwek)\x0a\x0a  * Change distclean to only remove build dir. (Jon Siwek)\x0a\x0a  * Make dist now cleans the copied source (Jon Siwek)\x0a\x0a  * Small tweak to make-release for forced git-clean. (Jon Siwek)\x0a\x0a  * Fix to not let updates scripts loose their executable permissions.\x0a    (Robin Sommer)\x0a\x0a  * devel-tools/update-changes now looks for a 'release' tag to\x0a    idenfify the stable version, and 'beta' for the beta versions.\x0a    (Robin Sommer).\x0a\x0a  * Distribution cleanup. (Robin Sommer)\x0a\x0a  * New script devel-tools/make-release to create source tar balls.\x0a    (Robin Sommer)\x0a\x0a  * Removing bdcat. With the new log format, this isn't very useful\x0a    anymore. (Robin Sommer)\x0a\x0a  * Adding script that shows all pending git fastpath commits. (Robin\x0a    Sommer)\x0a\x0a  * Script to measure CPU time by loading an increasing set of\x0a    scripts. (Robin Sommer)\x0a\x0a  * extract-conn script now deals wit *.gz files. (Robin Sommer)\x0a\x0a  * Tiny update to output a valid CA list file for SSL cert\x0a    validation. (Seth Hall)\x0a\x0a  * Adding "install-aux" target. Addresses #622. (Jon Siwek)\x0a\x0a  * Distribution cleanup. (Jon Siwek and Robin Sommer)\x0a\x0a  * FindPCAP now links against thread library when necessary (e.g.\x0a    PF_RING's libpcap) (Jon Siwek)\x0a\x0a  * Install binaries with an RPATH (Jon Siwek)\x0a\x0a  * Workaround for FreeBSD CMake port missing debug flags (Jon Siwek)\x0a\x0a  * Rewrite of the update-changes script. (Robin Sommer)\x0a\x0a0.1-1 | 2011-06-14 21:12:41 -0700\x0a\x0a  * Add a script for generating Mozilla's CA list for the SSL analyzer.\x0a    (Seth Hall)\x0a\x0a0.1 | 2011-04-01 16:28:22 -0700\x0a\x0a  * Converting build process to CMake. (Jon Siwek)\x0a\x0a  * Removing cf<...>/ca-* from distribution. The README has a note where\x0a    to find them now. (Robin Sommer)\x0a\x0a  * General cleanup. (Robin Sommer)\x0a\x0a  * Initial import of bro/aux from SVN r7088. (Jon Siwek)\x0a, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FMnxxt3xjVcWNS2141, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.975693 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4042, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>])) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856/tcp, 192.150.187.43, 80/tcp)) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 430.927277 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(http_end_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 430.927277 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(http_message_done, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 430.927277 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=XXXXXXXXXX.XXXXXX, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp])) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTPXXXXXXXXXX.XXXXXXF11141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  DrainEvents() -> <void>
-XXXXXXXXXX.XXXXXX   MetaHookPost  LogInit(Log::WRITER_ASCII, default, true, true, files(XXXXXXXXXX.XXXXXX,0.0,0.0), 25, {ts (time), fuid (string), tx_hosts (set[addr]), rx_hosts (set[addr]), conn_uids (set[string]), source (string), depth (count), analyzers (set[string]), mime_type (string), filename (string), duration (interval), local_orig (bool), is_orig (bool), seen_bytes (count), total_bytes (count), missing_bytes (count), overflow_bytes (count), timedout (bool), parent_fuid (string), md5 (string), sha1 (string), sha256 (string), extracted (string), extracted_cutoff (bool), extracted_size (count)}) -> <void>
-XXXXXXXXXX.XXXXXX   MetaHookPost  LogInit(Log::WRITER_ASCII, default, true, true, http(XXXXXXXXXX.XXXXXX,0.0,0.0), 30, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), trans_depth (count), method (string), host (string), uri (string), referrer (string), version (string), user_agent (string), origin (string), request_body_len (count), response_body_len (count), status_code (count), status_msg (string), info_code (count), info_msg (string), tags (set[enum]), username (string), password (string), proxied (set[string]), orig_fuids (vector[string]), orig_filenames (vector[string]), orig_mime_types (vector[string]), resp_fuids (vector[string]), resp_filenames (vector[string]), resp_mime_types (vector[string])}) -> <void>
-XXXXXXXXXX.XXXXXX   MetaHookPost  LogWrite(Log::WRITER_ASCII, default, files(XXXXXXXXXX.XXXXXX,0.0,0.0), 25, {ts (time), fuid (string), tx_hosts (set[addr]), rx_hosts (set[addr]), conn_uids (set[string]), source (string), depth (count), analyzers (set[string]), mime_type (string), filename (string), duration (interval), local_orig (bool), is_orig (bool), seen_bytes (count), total_bytes (count), missing_bytes (count), overflow_bytes (count), timedout (bool), parent_fuid (string), md5 (string), sha1 (string), sha256 (string), extracted (string), extracted_cutoff (bool), extracted_size (count)}, <void ptr>) -> true
-XXXXXXXXXX.XXXXXX   MetaHookPost  LogWrite(Log::WRITER_ASCII, default, http(XXXXXXXXXX.XXXXXX,0.0,0.0), 30, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), trans_depth (count), method (string), host (string), uri (string), referrer (string), version (string), user_agent (string), origin (string), request_body_len (count), response_body_len (count), status_code (count), status_msg (string), info_code (count), info_msg (string), tags (set[enum]), username (string), password (string), proxied (set[string]), orig_fuids (vector[string]), orig_filenames (vector[string]), orig_mime_types (vector[string]), resp_fuids (vector[string]), resp_filenames (vector[string]), resp_mime_types (vector[string])}, <void ptr>) -> true
-XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(file_sniff([id=FMnxxt3xjVcWNS2141, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=4042, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0a0.26 | 2012-08-24 15:10:04 -0700\x0a\x0a  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)\x0a\x0a  * Fixing GPG signing script. (Robin Sommer)\x0a\x0a0.25 | 2012-08-01 13:55:46 -0500\x0a\x0a  * Fix configure script to exit with non-zero status on error (Jon Siwek)\x0a\x0a0.24 | 2012-07-05 12:50:43 -0700\x0a\x0a  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)\x0a\x0a  * Adding script to delete old fully-merged branches. (Robin Sommer)\x0a\x0a0.23-2 | 2012-01-25 13:24:01 -0800\x0a\x0a  * Fix a bro-cut error message. (Daniel Thayer)\x0a\x0a0.23 | 2012-01-11 12:16:11 -0800\x0a\x0a  * Tweaks to release scripts, plus a new one for signing files.\x0a    (Robin Sommer)\x0a\x0a0.22 | 2012-01-10 16:45:19 -0800\x0a\x0a  * Tweaks for OpenBSD support. (Jon Siwek)\x0a\x0a  * bro-cut extensions and fixes.  (Robin Sommer)\x0a    \x0a    - If no field names are given on the command line, we now pass through\x0a      all fields. Adresses #657.\x0a\x0a    - Removing some GNUism from awk script. Addresses #653.\x0a\x0a    - Added option for time output in UTC. Addresses #668.\x0a\x0a    - Added output field separator option -F. Addresses #649.\x0a\x0a    - Fixing option -c: only some header lines were passed through\x0a      rather than all. (Robin Sommer)\x0a\x0a  * Fix parallel make portability. (Jon Siwek)\x0a\x0a0.21-9 | 2011-11-07 05:44:14 -0800\x0a\x0a  * Fixing compiler warnings. Addresses #388. (Jon Siwek)\x0a\x0a0.21-2 | 2011-11-02 18:12:13 -0700\x0a\x0a  * Fix for misnaming temp file in update-changes script. (Robin Sommer)\x0a\x0a0.21-1 | 2011-11-02 18:10:39 -0700\x0a\x0a  * Little fix for make-release script, which could pick out the wrong\x0a    tag. (Robin Sommer)\x0a\x0a0.21 | 2011-10-27 17:40:45 -0700\x0a\x0a  * Fixing bro-cut's usage message and argument error handling. (Robin Sommer)\x0a\x0a  * Bugfix in update-changes script. (Robin Sommer)\x0a\x0a  * update-changes now ignores commits it did itself. (Robin Sommer)\x0a\x0a  * Fix a bug in the update-changes script. (Robin Sommer)\x0a\x0a  * bro-cut now always installs to $prefix/bin by `make install`. (Jon Siwek)\x0a\x0a  * Options to adjust time format for bro-cut. (Robin Sommer)\x0a\x0a    The default with -d is now ISO format. The new option "-D <fmt>"\x0a    specifies a custom strftime()-style format string. Alternatively,\x0a    the environment variable BRO_CUT_TIMEFMT can set the format as\x0a    well.\x0a\x0a  * bro-cut now understands the field separator header. (Robin Sommer)\x0a\x0a  * Renaming options -h/-H -> -c/-C, and doing some general cleanup.\x0a\x0a0.2 | 2011-10-25 19:53:57 -0700\x0a\x0a  * Adding support for replacing version string in a setup.py. (Robin\x0a    Sommer)\x0a\x0a  * Change generated root cert DN indices format for RFC2253\x0a    compliance. (Jon Siwek)\x0a\x0a  * New tool devel-tools/check-release to run before making releases.\x0a    (Robin Sommer)\x0a\x0a  * devel-tools/update-changes gets a new option -a to amend to\x0a    previous commit if possible. Default is now not to (used to be the\x0a    opposite). (Robin Sommer)\x0a\x0a  * Change Mozilla trust root generation to index certs by subject DN. (Jon Siwek)\x0a\x0a  * Change distclean to only remove build dir. (Jon Siwek)\x0a\x0a  * Make dist now cleans the copied source (Jon Siwek)\x0a\x0a  * Small tweak to make-release for forced git-clean. (Jon Siwek)\x0a\x0a  * Fix to not let updates scripts loose their executable permissions.\x0a    (Robin Sommer)\x0a\x0a  * devel-tools/update-changes now looks for a 'release' tag to\x0a    idenfify the stable version, and 'beta' for the beta versions.\x0a    (Robin Sommer).\x0a\x0a  * Distribution cleanup. (Robin Sommer)\x0a\x0a  * New script devel-tools/make-release to create source tar balls.\x0a    (Robin Sommer)\x0a\x0a  * Removing bdcat. With the new log format, this isn't very useful\x0a    anymore. (Robin Sommer)\x0a\x0a  * Adding script that shows all pending git fastpath commits. (Robin\x0a    Sommer)\x0a\x0a  * Script to measure CPU time by loading an increasing set of\x0a    scripts. (Robin Sommer)\x0a\x0a  * extract-conn script now deals wit *.gz files. (Robin Sommer)\x0a\x0a  * Tiny update to output a valid CA list file for SSL cert\x0a    validation. (Seth Hall)\x0a\x0a  * Adding "install-aux" target. Addresses #622. (Jon Siwek)\x0a\x0a  * Distribution cleanup. (Jon Siwek and Robin Sommer)\x0a\x0a  * FindPCAP now links against thread library when necessary (e.g.\x0a    PF_RING's libpcap) (Jon Siwek)\x0a\x0a  * Install binaries with an RPATH (Jon Siwek)\x0a\x0a  * Workaround for FreeBSD CMake port missing debug flags (Jon Siwek)\x0a\x0a  * Rewrite of the update-changes script. (Robin Sommer)\x0a\x0a0.1-1 | 2011-06-14 21:12:41 -0700\x0a\x0a  * Add a script for generating Mozilla's CA list for the SSL analyzer.\x0a    (Seth Hall)\x0a\x0a0.1 | 2011-04-01 16:28:22 -0700\x0a\x0a  * Converting build process to CMake. (Jon Siwek)\x0a\x0a  * Removing cf<...>/ca-* from distribution. The README has a note where\x0a    to find them now. (Robin Sommer)\x0a\x0a  * General cleanup. (Robin Sommer)\x0a\x0a  * Initial import of bro/aux from SVN r7088. (Jon Siwek)\x0a, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FMnxxt3xjVcWNS2141, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>], [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], inferred=T])) -> false
-XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(file_state_remove([id=FMnxxt3xjVcWNS2141, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0a0.26 | 2012-08-24 15:10:04 -0700\x0a\x0a  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)\x0a\x0a  * Fixing GPG signing script. (Robin Sommer)\x0a\x0a0.25 | 2012-08-01 13:55:46 -0500\x0a\x0a  * Fix configure script to exit with non-zero status on error (Jon Siwek)\x0a\x0a0.24 | 2012-07-05 12:50:43 -0700\x0a\x0a  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)\x0a\x0a  * Adding script to delete old fully-merged branches. (Robin Sommer)\x0a\x0a0.23-2 | 2012-01-25 13:24:01 -0800\x0a\x0a  * Fix a bro-cut error message. (Daniel Thayer)\x0a\x0a0.23 | 2012-01-11 12:16:11 -0800\x0a\x0a  * Tweaks to release scripts, plus a new one for signing files.\x0a    (Robin Sommer)\x0a\x0a0.22 | 2012-01-10 16:45:19 -0800\x0a\x0a  * Tweaks for OpenBSD support. (Jon Siwek)\x0a\x0a  * bro-cut extensions and fixes.  (Robin Sommer)\x0a    \x0a    - If no field names are given on the command line, we now pass through\x0a      all fields. Adresses #657.\x0a\x0a    - Removing some GNUism from awk script. Addresses #653.\x0a\x0a    - Added option for time output in UTC. Addresses #668.\x0a\x0a    - Added output field separator option -F. Addresses #649.\x0a\x0a    - Fixing option -c: only some header lines were passed through\x0a      rather than all. (Robin Sommer)\x0a\x0a  * Fix parallel make portability. (Jon Siwek)\x0a\x0a0.21-9 | 2011-11-07 05:44:14 -0800\x0a\x0a  * Fixing compiler warnings. Addresses #388. (Jon Siwek)\x0a\x0a0.21-2 | 2011-11-02 18:12:13 -0700\x0a\x0a  * Fix for misnaming temp file in update-changes script. (Robin Sommer)\x0a\x0a0.21-1 | 2011-11-02 18:10:39 -0700\x0a\x0a  * Little fix for make-release script, which could pick out the wrong\x0a    tag. (Robin Sommer)\x0a\x0a0.21 | 2011-10-27 17:40:45 -0700\x0a\x0a  * Fixing bro-cut's usage message and argument error handling. (Robin Sommer)\x0a\x0a  * Bugfix in update-changes script. (Robin Sommer)\x0a\x0a  * update-changes now ignores commits it did itself. (Robin Sommer)\x0a\x0a  * Fix a bug in the update-changes script. (Robin Sommer)\x0a\x0a  * bro-cut now always installs to $prefix/bin by `make install`. (Jon Siwek)\x0a\x0a  * Options to adjust time format for bro-cut. (Robin Sommer)\x0a\x0a    The default with -d is now ISO format. The new option "-D <fmt>"\x0a    specifies a custom strftime()-style format string. Alternatively,\x0a    the environment variable BRO_CUT_TIMEFMT can set the format as\x0a    well.\x0a\x0a  * bro-cut now understands the field separator header. (Robin Sommer)\x0a\x0a  * Renaming options -h/-H -> -c/-C, and doing some general cleanup.\x0a\x0a0.2 | 2011-10-25 19:53:57 -0700\x0a\x0a  * Adding support for replacing version string in a setup.py. (Robin\x0a    Sommer)\x0a\x0a  * Change generated root cert DN indices format for RFC2253\x0a    compliance. (Jon Siwek)\x0a\x0a  * New tool devel-tools/check-release to run before making releases.\x0a    (Robin Sommer)\x0a\x0a  * devel-tools/update-changes gets a new option -a to amend to\x0a    previous commit if possible. Default is now not to (used to be the\x0a    opposite). (Robin Sommer)\x0a\x0a  * Change Mozilla trust root generation to index certs by subject DN. (Jon Siwek)\x0a\x0a  * Change distclean to only remove build dir. (Jon Siwek)\x0a\x0a  * Make dist now cleans the copied source (Jon Siwek)\x0a\x0a  * Small tweak to make-release for forced git-clean. (Jon Siwek)\x0a\x0a  * Fix to not let updates scripts loose their executable permissions.\x0a    (Robin Sommer)\x0a\x0a  * devel-tools/update-changes now looks for a 'release' tag to\x0a    idenfify the stable version, and 'beta' for the beta versions.\x0a    (Robin Sommer).\x0a\x0a  * Distribution cleanup. (Robin Sommer)\x0a\x0a  * New script devel-tools/make-release to create source tar balls.\x0a    (Robin Sommer)\x0a\x0a  * Removing bdcat. With the new log format, this isn't very useful\x0a    anymore. (Robin Sommer)\x0a\x0a  * Adding script that shows all pending git fastpath commits. (Robin\x0a    Sommer)\x0a\x0a  * Script to measure CPU time by loading an increasing set of\x0a    scripts. (Robin Sommer)\x0a\x0a  * extract-conn script now deals wit *.gz files. (Robin Sommer)\x0a\x0a  * Tiny update to output a valid CA list file for SSL cert\x0a    validation. (Seth Hall)\x0a\x0a  * Adding "install-aux" target. Addresses #622. (Jon Siwek)\x0a\x0a  * Distribution cleanup. (Jon Siwek and Robin Sommer)\x0a\x0a  * FindPCAP now links against thread library when necessary (e.g.\x0a    PF_RING's libpcap) (Jon Siwek)\x0a\x0a  * Install binaries with an RPATH (Jon Siwek)\x0a\x0a  * Workaround for FreeBSD CMake port missing debug flags (Jon Siwek)\x0a\x0a  * Rewrite of the update-changes script. (Robin Sommer)\x0a\x0a0.1-1 | 2011-06-14 21:12:41 -0700\x0a\x0a  * Add a script for generating Mozilla's CA list for the SSL analyzer.\x0a    (Seth Hall)\x0a\x0a0.1 | 2011-04-01 16:28:22 -0700\x0a\x0a  * Converting build process to CMake. (Jon Siwek)\x0a\x0a  * Removing cf<...>/ca-* from distribution. The README has a note where\x0a    to find them now. (Robin Sommer)\x0a\x0a  * General cleanup. (Robin Sommer)\x0a\x0a  * Initial import of bro/aux from SVN r7088. (Jon Siwek)\x0a, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FMnxxt3xjVcWNS2141, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.975693 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4042, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>])) -> false
-XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 430.927277 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
-XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 430.927277 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> false
-XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 430.927277 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=XXXXXXXXXX.XXXXXX, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])) -> false
-XXXXXXXXXX.XXXXXX   MetaHookPost  UpdateNetworkTime(XXXXXXXXXX.XXXXXX) -> <void>
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(Files::log_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, fuid=FMnxxt3xjVcWNS2141, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.975693 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], Files::LOG, [name=default, writer=Log::WRITER_ASCII, path=files, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 430.927277 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(HTTP::log_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, path=http, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(Log::log_stream_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], HTTP::LOG))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(Log::log_stream_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, fuid=FMnxxt3xjVcWNS2141, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.975693 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], Files::LOG))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(file_sniff, <null>, ([id=FMnxxt3xjVcWNS2141, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=4042, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0a0.26 | 2012-08-24 15:10:04 -0700\x0a\x0a  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)\x0a\x0a  * Fixing GPG signing script. (Robin Sommer)\x0a\x0a0.25 | 2012-08-01 13:55:46 -0500\x0a\x0a  * Fix configure script to exit with non-zero status on error (Jon Siwek)\x0a\x0a0.24 | 2012-07-05 12:50:43 -0700\x0a\x0a  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)\x0a\x0a  * Adding script to delete old fully-merged branches. (Robin Sommer)\x0a\x0a0.23-2 | 2012-01-25 13:24:01 -0800\x0a\x0a  * Fix a bro-cut error message. (Daniel Thayer)\x0a\x0a0.23 | 2012-01-11 12:16:11 -0800\x0a\x0a  * Tweaks to release scripts, plus a new one for signing files.\x0a    (Robin Sommer)\x0a\x0a0.22 | 2012-01-10 16:45:19 -0800\x0a\x0a  * Tweaks for OpenBSD support. (Jon Siwek)\x0a\x0a  * bro-cut extensions and fixes.  (Robin Sommer)\x0a    \x0a    - If no field names are given on the command line, we now pass through\x0a      all fields. Adresses #657.\x0a\x0a    - Removing some GNUism from awk script. Addresses #653.\x0a\x0a    - Added option for time output in UTC. Addresses #668.\x0a\x0a    - Added output field separator option -F. Addresses #649.\x0a\x0a    - Fixing option -c: only some header lines were passed through\x0a      rather than all. (Robin Sommer)\x0a\x0a  * Fix parallel make portability. (Jon Siwek)\x0a\x0a0.21-9 | 2011-11-07 05:44:14 -0800\x0a\x0a  * Fixing compiler warnings. Addresses #388. (Jon Siwek)\x0a\x0a0.21-2 | 2011-11-02 18:12:13 -0700\x0a\x0a  * Fix for misnaming temp file in update-changes script. (Robin Sommer)\x0a\x0a0.21-1 | 2011-11-02 18:10:39 -0700\x0a\x0a  * Little fix for make-release script, which could pick out the wrong\x0a    tag. (Robin Sommer)\x0a\x0a0.21 | 2011-10-27 17:40:45 -0700\x0a\x0a  * Fixing bro-cut's usage message and argument error handling. (Robin Sommer)\x0a\x0a  * Bugfix in update-changes script. (Robin Sommer)\x0a\x0a  * update-changes now ignores commits it did itself. (Robin Sommer)\x0a\x0a  * Fix a bug in the update-changes script. (Robin Sommer)\x0a\x0a  * bro-cut now always installs to $prefix/bin by `make install`. (Jon Siwek)\x0a\x0a  * Options to adjust time format for bro-cut. (Robin Sommer)\x0a\x0a    The default with -d is now ISO format. The new option "-D <fmt>"\x0a    specifies a custom strftime()-style format string. Alternatively,\x0a    the environment variable BRO_CUT_TIMEFMT can set the format as\x0a    well.\x0a\x0a  * bro-cut now understands the field separator header. (Robin Sommer)\x0a\x0a  * Renaming options -h/-H -> -c/-C, and doing some general cleanup.\x0a\x0a0.2 | 2011-10-25 19:53:57 -0700\x0a\x0a  * Adding support for replacing version string in a setup.py. (Robin\x0a    Sommer)\x0a\x0a  * Change generated root cert DN indices format for RFC2253\x0a    compliance. (Jon Siwek)\x0a\x0a  * New tool devel-tools/check-release to run before making releases.\x0a    (Robin Sommer)\x0a\x0a  * devel-tools/update-changes gets a new option -a to amend to\x0a    previous commit if possible. Default is now not to (used to be the\x0a    opposite). (Robin Sommer)\x0a\x0a  * Change Mozilla trust root generation to index certs by subject DN. (Jon Siwek)\x0a\x0a  * Change distclean to only remove build dir. (Jon Siwek)\x0a\x0a  * Make dist now cleans the copied source (Jon Siwek)\x0a\x0a  * Small tweak to make-release for forced git-clean. (Jon Siwek)\x0a\x0a  * Fix to not let updates scripts loose their executable permissions.\x0a    (Robin Sommer)\x0a\x0a  * devel-tools/update-changes now looks for a 'release' tag to\x0a    idenfify the stable version, and 'beta' for the beta versions.\x0a    (Robin Sommer).\x0a\x0a  * Distribution cleanup. (Robin Sommer)\x0a\x0a  * New script devel-tools/make-release to create source tar balls.\x0a    (Robin Sommer)\x0a\x0a  * Removing bdcat. With the new log format, this isn't very useful\x0a    anymore. (Robin Sommer)\x0a\x0a  * Adding script that shows all pending git fastpath commits. (Robin\x0a    Sommer)\x0a\x0a  * Script to measure CPU time by loading an increasing set of\x0a    scripts. (Robin Sommer)\x0a\x0a  * extract-conn script now deals wit *.gz files. (Robin Sommer)\x0a\x0a  * Tiny update to output a valid CA list file for SSL cert\x0a    validation. (Seth Hall)\x0a\x0a  * Adding "install-aux" target. Addresses #622. (Jon Siwek)\x0a\x0a  * Distribution cleanup. (Jon Siwek and Robin Sommer)\x0a\x0a  * FindPCAP now links against thread library when necessary (e.g.\x0a    PF_RING's libpcap) (Jon Siwek)\x0a\x0a  * Install binaries with an RPATH (Jon Siwek)\x0a\x0a  * Workaround for FreeBSD CMake port missing debug flags (Jon Siwek)\x0a\x0a  * Rewrite of the update-changes script. (Robin Sommer)\x0a\x0a0.1-1 | 2011-06-14 21:12:41 -0700\x0a\x0a  * Add a script for generating Mozilla's CA list for the SSL analyzer.\x0a    (Seth Hall)\x0a\x0a0.1 | 2011-04-01 16:28:22 -0700\x0a\x0a  * Converting build process to CMake. (Jon Siwek)\x0a\x0a  * Removing cf<...>/ca-* from distribution. The README has a note where\x0a    to find them now. (Robin Sommer)\x0a\x0a  * General cleanup. (Robin Sommer)\x0a\x0a  * Initial import of bro/aux from SVN r7088. (Jon Siwek)\x0a, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FMnxxt3xjVcWNS2141, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>], [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], inferred=T]))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(file_state_remove, <null>, ([id=FMnxxt3xjVcWNS2141, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 430.927277 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0a0.26 | 2012-08-24 15:10:04 -0700\x0a\x0a  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)\x0a\x0a  * Fixing GPG signing script. (Robin Sommer)\x0a\x0a0.25 | 2012-08-01 13:55:46 -0500\x0a\x0a  * Fix configure script to exit with non-zero status on error (Jon Siwek)\x0a\x0a0.24 | 2012-07-05 12:50:43 -0700\x0a\x0a  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)\x0a\x0a  * Adding script to delete old fully-merged branches. (Robin Sommer)\x0a\x0a0.23-2 | 2012-01-25 13:24:01 -0800\x0a\x0a  * Fix a bro-cut error message. (Daniel Thayer)\x0a\x0a0.23 | 2012-01-11 12:16:11 -0800\x0a\x0a  * Tweaks to release scripts, plus a new one for signing files.\x0a    (Robin Sommer)\x0a\x0a0.22 | 2012-01-10 16:45:19 -0800\x0a\x0a  * Tweaks for OpenBSD support. (Jon Siwek)\x0a\x0a  * bro-cut extensions and fixes.  (Robin Sommer)\x0a    \x0a    - If no field names are given on the command line, we now pass through\x0a      all fields. Adresses #657.\x0a\x0a    - Removing some GNUism from awk script. Addresses #653.\x0a\x0a    - Added option for time output in UTC. Addresses #668.\x0a\x0a    - Added output field separator option -F. Addresses #649.\x0a\x0a    - Fixing option -c: only some header lines were passed through\x0a      rather than all. (Robin Sommer)\x0a\x0a  * Fix parallel make portability. (Jon Siwek)\x0a\x0a0.21-9 | 2011-11-07 05:44:14 -0800\x0a\x0a  * Fixing compiler warnings. Addresses #388. (Jon Siwek)\x0a\x0a0.21-2 | 2011-11-02 18:12:13 -0700\x0a\x0a  * Fix for misnaming temp file in update-changes script. (Robin Sommer)\x0a\x0a0.21-1 | 2011-11-02 18:10:39 -0700\x0a\x0a  * Little fix for make-release script, which could pick out the wrong\x0a    tag. (Robin Sommer)\x0a\x0a0.21 | 2011-10-27 17:40:45 -0700\x0a\x0a  * Fixing bro-cut's usage message and argument error handling. (Robin Sommer)\x0a\x0a  * Bugfix in update-changes script. (Robin Sommer)\x0a\x0a  * update-changes now ignores commits it did itself. (Robin Sommer)\x0a\x0a  * Fix a bug in the update-changes script. (Robin Sommer)\x0a\x0a  * bro-cut now always installs to $prefix/bin by `make install`. (Jon Siwek)\x0a\x0a  * Options to adjust time format for bro-cut. (Robin Sommer)\x0a\x0a    The default with -d is now ISO format. The new option "-D <fmt>"\x0a    specifies a custom strftime()-style format string. Alternatively,\x0a    the environment variable BRO_CUT_TIMEFMT can set the format as\x0a    well.\x0a\x0a  * bro-cut now understands the field separator header. (Robin Sommer)\x0a\x0a  * Renaming options -h/-H -> -c/-C, and doing some general cleanup.\x0a\x0a0.2 | 2011-10-25 19:53:57 -0700\x0a\x0a  * Adding support for replacing version string in a setup.py. (Robin\x0a    Sommer)\x0a\x0a  * Change generated root cert DN indices format for RFC2253\x0a    compliance. (Jon Siwek)\x0a\x0a  * New tool devel-tools/check-release to run before making releases.\x0a    (Robin Sommer)\x0a\x0a  * devel-tools/update-changes gets a new option -a to amend to\x0a    previous commit if possible. Default is now not to (used to be the\x0a    opposite). (Robin Sommer)\x0a\x0a  * Change Mozilla trust root generation to index certs by subject DN. (Jon Siwek)\x0a\x0a  * Change distclean to only remove build dir. (Jon Siwek)\x0a\x0a  * Make dist now cleans the copied source (Jon Siwek)\x0a\x0a  * Small tweak to make-release for forced git-clean. (Jon Siwek)\x0a\x0a  * Fix to not let updates scripts loose their executable permissions.\x0a    (Robin Sommer)\x0a\x0a  * devel-tools/update-changes now looks for a 'release' tag to\x0a    idenfify the stable version, and 'beta' for the beta versions.\x0a    (Robin Sommer).\x0a\x0a  * Distribution cleanup. (Robin Sommer)\x0a\x0a  * New script devel-tools/make-release to create source tar balls.\x0a    (Robin Sommer)\x0a\x0a  * Removing bdcat. With the new log format, this isn't very useful\x0a    anymore. (Robin Sommer)\x0a\x0a  * Adding script that shows all pending git fastpath commits. (Robin\x0a    Sommer)\x0a\x0a  * Script to measure CPU time by loading an increasing set of\x0a    scripts. (Robin Sommer)\x0a\x0a  * extract-conn script now deals wit *.gz files. (Robin Sommer)\x0a\x0a  * Tiny update to output a valid CA list file for SSL cert\x0a    validation. (Seth Hall)\x0a\x0a  * Adding "install-aux" target. Addresses #622. (Jon Siwek)\x0a\x0a  * Distribution cleanup. (Jon Siwek and Robin Sommer)\x0a\x0a  * FindPCAP now links against thread library when necessary (e.g.\x0a    PF_RING's libpcap) (Jon Siwek)\x0a\x0a  * Install binaries with an RPATH (Jon Siwek)\x0a\x0a  * Workaround for FreeBSD CMake port missing debug flags (Jon Siwek)\x0a\x0a  * Rewrite of the update-changes script. (Robin Sommer)\x0a\x0a0.1-1 | 2011-06-14 21:12:41 -0700\x0a\x0a  * Add a script for generating Mozilla's CA list for the SSL analyzer.\x0a    (Seth Hall)\x0a\x0a0.1 | 2011-04-01 16:28:22 -0700\x0a\x0a  * Converting build process to CMake. (Jon Siwek)\x0a\x0a  * Removing cf<...>/ca-* from distribution. The README has a note where\x0a    to find them now. (Robin Sommer)\x0a\x0a  * General cleanup. (Robin Sommer)\x0a\x0a  * Initial import of bro/aux from SVN r7088. (Jon Siwek)\x0a, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FMnxxt3xjVcWNS2141, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.975693 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4042, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>]))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856/tcp, 192.150.187.43, 80/tcp))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 430.927277 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(http_end_entity, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 430.927277 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(http_message_done, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 430.927277 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=XXXXXXXXXX.XXXXXX, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280]))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTPXXXXXXXXXX.XXXXXXF11141.142.228.5:59856 > 192.150.187.43:80))
-XXXXXXXXXX.XXXXXX   MetaHookPre   DrainEvents()
-XXXXXXXXXX.XXXXXX   MetaHookPre   LogInit(Log::WRITER_ASCII, default, true, true, files(XXXXXXXXXX.XXXXXX,0.0,0.0), 25, {ts (time), fuid (string), tx_hosts (set[addr]), rx_hosts (set[addr]), conn_uids (set[string]), source (string), depth (count), analyzers (set[string]), mime_type (string), filename (string), duration (interval), local_orig (bool), is_orig (bool), seen_bytes (count), total_bytes (count), missing_bytes (count), overflow_bytes (count), timedout (bool), parent_fuid (string), md5 (string), sha1 (string), sha256 (string), extracted (string), extracted_cutoff (bool), extracted_size (count)})
-XXXXXXXXXX.XXXXXX   MetaHookPre   LogInit(Log::WRITER_ASCII, default, true, true, http(XXXXXXXXXX.XXXXXX,0.0,0.0), 30, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), trans_depth (count), method (string), host (string), uri (string), referrer (string), version (string), user_agent (string), origin (string), request_body_len (count), response_body_len (count), status_code (count), status_msg (string), info_code (count), info_msg (string), tags (set[enum]), username (string), password (string), proxied (set[string]), orig_fuids (vector[string]), orig_filenames (vector[string]), orig_mime_types (vector[string]), resp_fuids (vector[string]), resp_filenames (vector[string]), resp_mime_types (vector[string])})
-XXXXXXXXXX.XXXXXX   MetaHookPre   LogWrite(Log::WRITER_ASCII, default, files(XXXXXXXXXX.XXXXXX,0.0,0.0), 25, {ts (time), fuid (string), tx_hosts (set[addr]), rx_hosts (set[addr]), conn_uids (set[string]), source (string), depth (count), analyzers (set[string]), mime_type (string), filename (string), duration (interval), local_orig (bool), is_orig (bool), seen_bytes (count), total_bytes (count), missing_bytes (count), overflow_bytes (count), timedout (bool), parent_fuid (string), md5 (string), sha1 (string), sha256 (string), extracted (string), extracted_cutoff (bool), extracted_size (count)}, <void ptr>)
-XXXXXXXXXX.XXXXXX   MetaHookPre   LogWrite(Log::WRITER_ASCII, default, http(XXXXXXXXXX.XXXXXX,0.0,0.0), 30, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), trans_depth (count), method (string), host (string), uri (string), referrer (string), version (string), user_agent (string), origin (string), request_body_len (count), response_body_len (count), status_code (count), status_msg (string), info_code (count), info_msg (string), tags (set[enum]), username (string), password (string), proxied (set[string]), orig_fuids (vector[string]), orig_filenames (vector[string]), orig_mime_types (vector[string]), resp_fuids (vector[string]), resp_filenames (vector[string]), resp_mime_types (vector[string])}, <void ptr>)
-XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(file_sniff([id=FMnxxt3xjVcWNS2141, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=4042, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0a0.26 | 2012-08-24 15:10:04 -0700\x0a\x0a  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)\x0a\x0a  * Fixing GPG signing script. (Robin Sommer)\x0a\x0a0.25 | 2012-08-01 13:55:46 -0500\x0a\x0a  * Fix configure script to exit with non-zero status on error (Jon Siwek)\x0a\x0a0.24 | 2012-07-05 12:50:43 -0700\x0a\x0a  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)\x0a\x0a  * Adding script to delete old fully-merged branches. (Robin Sommer)\x0a\x0a0.23-2 | 2012-01-25 13:24:01 -0800\x0a\x0a  * Fix a bro-cut error message. (Daniel Thayer)\x0a\x0a0.23 | 2012-01-11 12:16:11 -0800\x0a\x0a  * Tweaks to release scripts, plus a new one for signing files.\x0a    (Robin Sommer)\x0a\x0a0.22 | 2012-01-10 16:45:19 -0800\x0a\x0a  * Tweaks for OpenBSD support. (Jon Siwek)\x0a\x0a  * bro-cut extensions and fixes.  (Robin Sommer)\x0a    \x0a    - If no field names are given on the command line, we now pass through\x0a      all fields. Adresses #657.\x0a\x0a    - Removing some GNUism from awk script. Addresses #653.\x0a\x0a    - Added option for time output in UTC. Addresses #668.\x0a\x0a    - Added output field separator option -F. Addresses #649.\x0a\x0a    - Fixing option -c: only some header lines were passed through\x0a      rather than all. (Robin Sommer)\x0a\x0a  * Fix parallel make portability. (Jon Siwek)\x0a\x0a0.21-9 | 2011-11-07 05:44:14 -0800\x0a\x0a  * Fixing compiler warnings. Addresses #388. (Jon Siwek)\x0a\x0a0.21-2 | 2011-11-02 18:12:13 -0700\x0a\x0a  * Fix for misnaming temp file in update-changes script. (Robin Sommer)\x0a\x0a0.21-1 | 2011-11-02 18:10:39 -0700\x0a\x0a  * Little fix for make-release script, which could pick out the wrong\x0a    tag. (Robin Sommer)\x0a\x0a0.21 | 2011-10-27 17:40:45 -0700\x0a\x0a  * Fixing bro-cut's usage message and argument error handling. (Robin Sommer)\x0a\x0a  * Bugfix in update-changes script. (Robin Sommer)\x0a\x0a  * update-changes now ignores commits it did itself. (Robin Sommer)\x0a\x0a  * Fix a bug in the update-changes script. (Robin Sommer)\x0a\x0a  * bro-cut now always installs to $prefix/bin by `make install`. (Jon Siwek)\x0a\x0a  * Options to adjust time format for bro-cut. (Robin Sommer)\x0a\x0a    The default with -d is now ISO format. The new option "-D <fmt>"\x0a    specifies a custom strftime()-style format string. Alternatively,\x0a    the environment variable BRO_CUT_TIMEFMT can set the format as\x0a    well.\x0a\x0a  * bro-cut now understands the field separator header. (Robin Sommer)\x0a\x0a  * Renaming options -h/-H -> -c/-C, and doing some general cleanup.\x0a\x0a0.2 | 2011-10-25 19:53:57 -0700\x0a\x0a  * Adding support for replacing version string in a setup.py. (Robin\x0a    Sommer)\x0a\x0a  * Change generated root cert DN indices format for RFC2253\x0a    compliance. (Jon Siwek)\x0a\x0a  * New tool devel-tools/check-release to run before making releases.\x0a    (Robin Sommer)\x0a\x0a  * devel-tools/update-changes gets a new option -a to amend to\x0a    previous commit if possible. Default is now not to (used to be the\x0a    opposite). (Robin Sommer)\x0a\x0a  * Change Mozilla trust root generation to index certs by subject DN. (Jon Siwek)\x0a\x0a  * Change distclean to only remove build dir. (Jon Siwek)\x0a\x0a  * Make dist now cleans the copied source (Jon Siwek)\x0a\x0a  * Small tweak to make-release for forced git-clean. (Jon Siwek)\x0a\x0a  * Fix to not let updates scripts loose their executable permissions.\x0a    (Robin Sommer)\x0a\x0a  * devel-tools/update-changes now looks for a 'release' tag to\x0a    idenfify the stable version, and 'beta' for the beta versions.\x0a    (Robin Sommer).\x0a\x0a  * Distribution cleanup. (Robin Sommer)\x0a\x0a  * New script devel-tools/make-release to create source tar balls.\x0a    (Robin Sommer)\x0a\x0a  * Removing bdcat. With the new log format, this isn't very useful\x0a    anymore. (Robin Sommer)\x0a\x0a  * Adding script that shows all pending git fastpath commits. (Robin\x0a    Sommer)\x0a\x0a  * Script to measure CPU time by loading an increasing set of\x0a    scripts. (Robin Sommer)\x0a\x0a  * extract-conn script now deals wit *.gz files. (Robin Sommer)\x0a\x0a  * Tiny update to output a valid CA list file for SSL cert\x0a    validation. (Seth Hall)\x0a\x0a  * Adding "install-aux" target. Addresses #622. (Jon Siwek)\x0a\x0a  * Distribution cleanup. (Jon Siwek and Robin Sommer)\x0a\x0a  * FindPCAP now links against thread library when necessary (e.g.\x0a    PF_RING's libpcap) (Jon Siwek)\x0a\x0a  * Install binaries with an RPATH (Jon Siwek)\x0a\x0a  * Workaround for FreeBSD CMake port missing debug flags (Jon Siwek)\x0a\x0a  * Rewrite of the update-changes script. (Robin Sommer)\x0a\x0a0.1-1 | 2011-06-14 21:12:41 -0700\x0a\x0a  * Add a script for generating Mozilla's CA list for the SSL analyzer.\x0a    (Seth Hall)\x0a\x0a0.1 | 2011-04-01 16:28:22 -0700\x0a\x0a  * Converting build process to CMake. (Jon Siwek)\x0a\x0a  * Removing cf<...>/ca-* from distribution. The README has a note where\x0a    to find them now. (Robin Sommer)\x0a\x0a  * General cleanup. (Robin Sommer)\x0a\x0a  * Initial import of bro/aux from SVN r7088. (Jon Siwek)\x0a, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FMnxxt3xjVcWNS2141, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>], [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], inferred=T]))
-XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(file_state_remove([id=FMnxxt3xjVcWNS2141, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0a0.26 | 2012-08-24 15:10:04 -0700\x0a\x0a  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)\x0a\x0a  * Fixing GPG signing script. (Robin Sommer)\x0a\x0a0.25 | 2012-08-01 13:55:46 -0500\x0a\x0a  * Fix configure script to exit with non-zero status on error (Jon Siwek)\x0a\x0a0.24 | 2012-07-05 12:50:43 -0700\x0a\x0a  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)\x0a\x0a  * Adding script to delete old fully-merged branches. (Robin Sommer)\x0a\x0a0.23-2 | 2012-01-25 13:24:01 -0800\x0a\x0a  * Fix a bro-cut error message. (Daniel Thayer)\x0a\x0a0.23 | 2012-01-11 12:16:11 -0800\x0a\x0a  * Tweaks to release scripts, plus a new one for signing files.\x0a    (Robin Sommer)\x0a\x0a0.22 | 2012-01-10 16:45:19 -0800\x0a\x0a  * Tweaks for OpenBSD support. (Jon Siwek)\x0a\x0a  * bro-cut extensions and fixes.  (Robin Sommer)\x0a    \x0a    - If no field names are given on the command line, we now pass through\x0a      all fields. Adresses #657.\x0a\x0a    - Removing some GNUism from awk script. Addresses #653.\x0a\x0a    - Added option for time output in UTC. Addresses #668.\x0a\x0a    - Added output field separator option -F. Addresses #649.\x0a\x0a    - Fixing option -c: only some header lines were passed through\x0a      rather than all. (Robin Sommer)\x0a\x0a  * Fix parallel make portability. (Jon Siwek)\x0a\x0a0.21-9 | 2011-11-07 05:44:14 -0800\x0a\x0a  * Fixing compiler warnings. Addresses #388. (Jon Siwek)\x0a\x0a0.21-2 | 2011-11-02 18:12:13 -0700\x0a\x0a  * Fix for misnaming temp file in update-changes script. (Robin Sommer)\x0a\x0a0.21-1 | 2011-11-02 18:10:39 -0700\x0a\x0a  * Little fix for make-release script, which could pick out the wrong\x0a    tag. (Robin Sommer)\x0a\x0a0.21 | 2011-10-27 17:40:45 -0700\x0a\x0a  * Fixing bro-cut's usage message and argument error handling. (Robin Sommer)\x0a\x0a  * Bugfix in update-changes script. (Robin Sommer)\x0a\x0a  * update-changes now ignores commits it did itself. (Robin Sommer)\x0a\x0a  * Fix a bug in the update-changes script. (Robin Sommer)\x0a\x0a  * bro-cut now always installs to $prefix/bin by `make install`. (Jon Siwek)\x0a\x0a  * Options to adjust time format for bro-cut. (Robin Sommer)\x0a\x0a    The default with -d is now ISO format. The new option "-D <fmt>"\x0a    specifies a custom strftime()-style format string. Alternatively,\x0a    the environment variable BRO_CUT_TIMEFMT can set the format as\x0a    well.\x0a\x0a  * bro-cut now understands the field separator header. (Robin Sommer)\x0a\x0a  * Renaming options -h/-H -> -c/-C, and doing some general cleanup.\x0a\x0a0.2 | 2011-10-25 19:53:57 -0700\x0a\x0a  * Adding support for replacing version string in a setup.py. (Robin\x0a    Sommer)\x0a\x0a  * Change generated root cert DN indices format for RFC2253\x0a    compliance. (Jon Siwek)\x0a\x0a  * New tool devel-tools/check-release to run before making releases.\x0a    (Robin Sommer)\x0a\x0a  * devel-tools/update-changes gets a new option -a to amend to\x0a    previous commit if possible. Default is now not to (used to be the\x0a    opposite). (Robin Sommer)\x0a\x0a  * Change Mozilla trust root generation to index certs by subject DN. (Jon Siwek)\x0a\x0a  * Change distclean to only remove build dir. (Jon Siwek)\x0a\x0a  * Make dist now cleans the copied source (Jon Siwek)\x0a\x0a  * Small tweak to make-release for forced git-clean. (Jon Siwek)\x0a\x0a  * Fix to not let updates scripts loose their executable permissions.\x0a    (Robin Sommer)\x0a\x0a  * devel-tools/update-changes now looks for a 'release' tag to\x0a    idenfify the stable version, and 'beta' for the beta versions.\x0a    (Robin Sommer).\x0a\x0a  * Distribution cleanup. (Robin Sommer)\x0a\x0a  * New script devel-tools/make-release to create source tar balls.\x0a    (Robin Sommer)\x0a\x0a  * Removing bdcat. With the new log format, this isn't very useful\x0a    anymore. (Robin Sommer)\x0a\x0a  * Adding script that shows all pending git fastpath commits. (Robin\x0a    Sommer)\x0a\x0a  * Script to measure CPU time by loading an increasing set of\x0a    scripts. (Robin Sommer)\x0a\x0a  * extract-conn script now deals wit *.gz files. (Robin Sommer)\x0a\x0a  * Tiny update to output a valid CA list file for SSL cert\x0a    validation. (Seth Hall)\x0a\x0a  * Adding "install-aux" target. Addresses #622. (Jon Siwek)\x0a\x0a  * Distribution cleanup. (Jon Siwek and Robin Sommer)\x0a\x0a  * FindPCAP now links against thread library when necessary (e.g.\x0a    PF_RING's libpcap) (Jon Siwek)\x0a\x0a  * Install binaries with an RPATH (Jon Siwek)\x0a\x0a  * Workaround for FreeBSD CMake port missing debug flags (Jon Siwek)\x0a\x0a  * Rewrite of the update-changes script. (Robin Sommer)\x0a\x0a0.1-1 | 2011-06-14 21:12:41 -0700\x0a\x0a  * Add a script for generating Mozilla's CA list for the SSL analyzer.\x0a    (Seth Hall)\x0a\x0a0.1 | 2011-04-01 16:28:22 -0700\x0a\x0a  * Converting build process to CMake. (Jon Siwek)\x0a\x0a  * Removing cf<...>/ca-* from distribution. The README has a note where\x0a    to find them now. (Robin Sommer)\x0a\x0a  * General cleanup. (Robin Sommer)\x0a\x0a  * Initial import of bro/aux from SVN r7088. (Jon Siwek)\x0a, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FMnxxt3xjVcWNS2141, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.975693 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4042, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>]))
-XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 430.927277 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 430.927277 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
-XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 430.927277 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=XXXXXXXXXX.XXXXXX, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280]))
-XXXXXXXXXX.XXXXXX   MetaHookPre   UpdateNetworkTime(XXXXXXXXXX.XXXXXX)
-XXXXXXXXXX.XXXXXX  | HookUpdateNetworkTime XXXXXXXXXX.XXXXXX
-XXXXXXXXXX.XXXXXX | HookCallFunction Files::log_policy([ts=XXXXXXXXXX.XXXXXX, fuid=FMnxxt3xjVcWNS2141, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.975693 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], Files::LOG, [name=default, writer=Log::WRITER_ASCII, path=files, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-XXXXXXXXXX.XXXXXX | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 430.927277 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-XXXXXXXXXX.XXXXXX | HookCallFunction HTTP::log_policy([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], HTTP::LOG, [name=default, writer=Log::WRITER_ASCII, path=http, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-XXXXXXXXXX.XXXXXX | HookCallFunction Log::log_stream_policy([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], HTTP::LOG)
-XXXXXXXXXX.XXXXXX | HookCallFunction Log::log_stream_policy([ts=XXXXXXXXXX.XXXXXX, fuid=FMnxxt3xjVcWNS2141, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.975693 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], Files::LOG)
-XXXXXXXXXX.XXXXXX | HookCallFunction cat(Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)
-XXXXXXXXXX.XXXXXX | HookCallFunction file_sniff([id=FMnxxt3xjVcWNS2141, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=4042, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0a0.26 | 2012-08-24 15:10:04 -0700\x0a\x0a  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)\x0a\x0a  * Fixing GPG signing script. (Robin Sommer)\x0a\x0a0.25 | 2012-08-01 13:55:46 -0500\x0a\x0a  * Fix configure script to exit with non-zero status on error (Jon Siwek)\x0a\x0a0.24 | 2012-07-05 12:50:43 -0700\x0a\x0a  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)\x0a\x0a  * Adding script to delete old fully-merged branches. (Robin Sommer)\x0a\x0a0.23-2 | 2012-01-25 13:24:01 -0800\x0a\x0a  * Fix a bro-cut error message. (Daniel Thayer)\x0a\x0a0.23 | 2012-01-11 12:16:11 -0800\x0a\x0a  * Tweaks to release scripts, plus a new one for signing files.\x0a    (Robin Sommer)\x0a\x0a0.22 | 2012-01-10 16:45:19 -0800\x0a\x0a  * Tweaks for OpenBSD support. (Jon Siwek)\x0a\x0a  * bro-cut extensions and fixes.  (Robin Sommer)\x0a    \x0a    - If no field names are given on the command line, we now pass through\x0a      all fields. Adresses #657.\x0a\x0a    - Removing some GNUism from awk script. Addresses #653.\x0a\x0a    - Added option for time output in UTC. Addresses #668.\x0a\x0a    - Added output field separator option -F. Addresses #649.\x0a\x0a    - Fixing option -c: only some header lines were passed through\x0a      rather than all. (Robin Sommer)\x0a\x0a  * Fix parallel make portability. (Jon Siwek)\x0a\x0a0.21-9 | 2011-11-07 05:44:14 -0800\x0a\x0a  * Fixing compiler warnings. Addresses #388. (Jon Siwek)\x0a\x0a0.21-2 | 2011-11-02 18:12:13 -0700\x0a\x0a  * Fix for misnaming temp file in update-changes script. (Robin Sommer)\x0a\x0a0.21-1 | 2011-11-02 18:10:39 -0700\x0a\x0a  * Little fix for make-release script, which could pick out the wrong\x0a    tag. (Robin Sommer)\x0a\x0a0.21 | 2011-10-27 17:40:45 -0700\x0a\x0a  * Fixing bro-cut's usage message and argument error handling. (Robin Sommer)\x0a\x0a  * Bugfix in update-changes script. (Robin Sommer)\x0a\x0a  * update-changes now ignores commits it did itself. (Robin Sommer)\x0a\x0a  * Fix a bug in the update-changes script. (Robin Sommer)\x0a\x0a  * bro-cut now always installs to $prefix/bin by `make install`. (Jon Siwek)\x0a\x0a  * Options to adjust time format for bro-cut. (Robin Sommer)\x0a\x0a    The default with -d is now ISO format. The new option "-D <fmt>"\x0a    specifies a custom strftime()-style format string. Alternatively,\x0a    the environment variable BRO_CUT_TIMEFMT can set the format as\x0a    well.\x0a\x0a  * bro-cut now understands the field separator header. (Robin Sommer)\x0a\x0a  * Renaming options -h/-H -> -c/-C, and doing some general cleanup.\x0a\x0a0.2 | 2011-10-25 19:53:57 -0700\x0a\x0a  * Adding support for replacing version string in a setup.py. (Robin\x0a    Sommer)\x0a\x0a  * Change generated root cert DN indices format for RFC2253\x0a    compliance. (Jon Siwek)\x0a\x0a  * New tool devel-tools/check-release to run before making releases.\x0a    (Robin Sommer)\x0a\x0a  * devel-tools/update-changes gets a new option -a to amend to\x0a    previous commit if possible. Default is now not to (used to be the\x0a    opposite). (Robin Sommer)\x0a\x0a  * Change Mozilla trust root generation to index certs by subject DN. (Jon Siwek)\x0a\x0a  * Change distclean to only remove build dir. (Jon Siwek)\x0a\x0a  * Make dist now cleans the copied source (Jon Siwek)\x0a\x0a  * Small tweak to make-release for forced git-clean. (Jon Siwek)\x0a\x0a  * Fix to not let updates scripts loose their executable permissions.\x0a    (Robin Sommer)\x0a\x0a  * devel-tools/update-changes now looks for a 'release' tag to\x0a    idenfify the stable version, and 'beta' for the beta versions.\x0a    (Robin Sommer).\x0a\x0a  * Distribution cleanup. (Robin Sommer)\x0a\x0a  * New script devel-tools/make-release to create source tar balls.\x0a    (Robin Sommer)\x0a\x0a  * Removing bdcat. With the new log format, this isn't very useful\x0a    anymore. (Robin Sommer)\x0a\x0a  * Adding script that shows all pending git fastpath commits. (Robin\x0a    Sommer)\x0a\x0a  * Script to measure CPU time by loading an increasing set of\x0a    scripts. (Robin Sommer)\x0a\x0a  * extract-conn script now deals wit *.gz files. (Robin Sommer)\x0a\x0a  * Tiny update to output a valid CA list file for SSL cert\x0a    validation. (Seth Hall)\x0a\x0a  * Adding "install-aux" target. Addresses #622. (Jon Siwek)\x0a\x0a  * Distribution cleanup. (Jon Siwek and Robin Sommer)\x0a\x0a  * FindPCAP now links against thread library when necessary (e.g.\x0a    PF_RING's libpcap) (Jon Siwek)\x0a\x0a  * Install binaries with an RPATH (Jon Siwek)\x0a\x0a  * Workaround for FreeBSD CMake port missing debug flags (Jon Siwek)\x0a\x0a  * Rewrite of the update-changes script. (Robin Sommer)\x0a\x0a0.1-1 | 2011-06-14 21:12:41 -0700\x0a\x0a  * Add a script for generating Mozilla's CA list for the SSL analyzer.\x0a    (Seth Hall)\x0a\x0a0.1 | 2011-04-01 16:28:22 -0700\x0a\x0a  * Converting build process to CMake. (Jon Siwek)\x0a\x0a  * Removing cf<...>/ca-* from distribution. The README has a note where\x0a    to find them now. (Robin Sommer)\x0a\x0a  * General cleanup. (Robin Sommer)\x0a\x0a  * Initial import of bro/aux from SVN r7088. (Jon Siwek)\x0a, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FMnxxt3xjVcWNS2141, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>], [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], inferred=T])
-XXXXXXXXXX.XXXXXX | HookCallFunction file_state_remove([id=FMnxxt3xjVcWNS2141, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 430.927277 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0a0.26 | 2012-08-24 15:10:04 -0700\x0a\x0a  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)\x0a\x0a  * Fixing GPG signing script. (Robin Sommer)\x0a\x0a0.25 | 2012-08-01 13:55:46 -0500\x0a\x0a  * Fix configure script to exit with non-zero status on error (Jon Siwek)\x0a\x0a0.24 | 2012-07-05 12:50:43 -0700\x0a\x0a  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)\x0a\x0a  * Adding script to delete old fully-merged branches. (Robin Sommer)\x0a\x0a0.23-2 | 2012-01-25 13:24:01 -0800\x0a\x0a  * Fix a bro-cut error message. (Daniel Thayer)\x0a\x0a0.23 | 2012-01-11 12:16:11 -0800\x0a\x0a  * Tweaks to release scripts, plus a new one for signing files.\x0a    (Robin Sommer)\x0a\x0a0.22 | 2012-01-10 16:45:19 -0800\x0a\x0a  * Tweaks for OpenBSD support. (Jon Siwek)\x0a\x0a  * bro-cut extensions and fixes.  (Robin Sommer)\x0a    \x0a    - If no field names are given on the command line, we now pass through\x0a      all fields. Adresses #657.\x0a\x0a    - Removing some GNUism from awk script. Addresses #653.\x0a\x0a    - Added option for time output in UTC. Addresses #668.\x0a\x0a    - Added output field separator option -F. Addresses #649.\x0a\x0a    - Fixing option -c: only some header lines were passed through\x0a      rather than all. (Robin Sommer)\x0a\x0a  * Fix parallel make portability. (Jon Siwek)\x0a\x0a0.21-9 | 2011-11-07 05:44:14 -0800\x0a\x0a  * Fixing compiler warnings. Addresses #388. (Jon Siwek)\x0a\x0a0.21-2 | 2011-11-02 18:12:13 -0700\x0a\x0a  * Fix for misnaming temp file in update-changes script. (Robin Sommer)\x0a\x0a0.21-1 | 2011-11-02 18:10:39 -0700\x0a\x0a  * Little fix for make-release script, which could pick out the wrong\x0a    tag. (Robin Sommer)\x0a\x0a0.21 | 2011-10-27 17:40:45 -0700\x0a\x0a  * Fixing bro-cut's usage message and argument error handling. (Robin Sommer)\x0a\x0a  * Bugfix in update-changes script. (Robin Sommer)\x0a\x0a  * update-changes now ignores commits it did itself. (Robin Sommer)\x0a\x0a  * Fix a bug in the update-changes script. (Robin Sommer)\x0a\x0a  * bro-cut now always installs to $prefix/bin by `make install`. (Jon Siwek)\x0a\x0a  * Options to adjust time format for bro-cut. (Robin Sommer)\x0a\x0a    The default with -d is now ISO format. The new option "-D <fmt>"\x0a    specifies a custom strftime()-style format string. Alternatively,\x0a    the environment variable BRO_CUT_TIMEFMT can set the format as\x0a    well.\x0a\x0a  * bro-cut now understands the field separator header. (Robin Sommer)\x0a\x0a  * Renaming options -h/-H -> -c/-C, and doing some general cleanup.\x0a\x0a0.2 | 2011-10-25 19:53:57 -0700\x0a\x0a  * Adding support for replacing version string in a setup.py. (Robin\x0a    Sommer)\x0a\x0a  * Change generated root cert DN indices format for RFC2253\x0a    compliance. (Jon Siwek)\x0a\x0a  * New tool devel-tools/check-release to run before making releases.\x0a    (Robin Sommer)\x0a\x0a  * devel-tools/update-changes gets a new option -a to amend to\x0a    previous commit if possible. Default is now not to (used to be the\x0a    opposite). (Robin Sommer)\x0a\x0a  * Change Mozilla trust root generation to index certs by subject DN. (Jon Siwek)\x0a\x0a  * Change distclean to only remove build dir. (Jon Siwek)\x0a\x0a  * Make dist now cleans the copied source (Jon Siwek)\x0a\x0a  * Small tweak to make-release for forced git-clean. (Jon Siwek)\x0a\x0a  * Fix to not let updates scripts loose their executable permissions.\x0a    (Robin Sommer)\x0a\x0a  * devel-tools/update-changes now looks for a 'release' tag to\x0a    idenfify the stable version, and 'beta' for the beta versions.\x0a    (Robin Sommer).\x0a\x0a  * Distribution cleanup. (Robin Sommer)\x0a\x0a  * New script devel-tools/make-release to create source tar balls.\x0a    (Robin Sommer)\x0a\x0a  * Removing bdcat. With the new log format, this isn't very useful\x0a    anymore. (Robin Sommer)\x0a\x0a  * Adding script that shows all pending git fastpath commits. (Robin\x0a    Sommer)\x0a\x0a  * Script to measure CPU time by loading an increasing set of\x0a    scripts. (Robin Sommer)\x0a\x0a  * extract-conn script now deals wit *.gz files. (Robin Sommer)\x0a\x0a  * Tiny update to output a valid CA list file for SSL cert\x0a    validation. (Seth Hall)\x0a\x0a  * Adding "install-aux" target. Addresses #622. (Jon Siwek)\x0a\x0a  * Distribution cleanup. (Jon Siwek and Robin Sommer)\x0a\x0a  * FindPCAP now links against thread library when necessary (e.g.\x0a    PF_RING's libpcap) (Jon Siwek)\x0a\x0a  * Install binaries with an RPATH (Jon Siwek)\x0a\x0a  * Workaround for FreeBSD CMake port missing debug flags (Jon Siwek)\x0a\x0a  * Rewrite of the update-changes script. (Robin Sommer)\x0a\x0a0.1-1 | 2011-06-14 21:12:41 -0700\x0a\x0a  * Add a script for generating Mozilla's CA list for the SSL analyzer.\x0a    (Seth Hall)\x0a\x0a0.1 | 2011-04-01 16:28:22 -0700\x0a\x0a  * Converting build process to CMake. (Jon Siwek)\x0a\x0a  * Removing cf<...>/ca-* from distribution. The README has a note where\x0a    to find them now. (Robin Sommer)\x0a\x0a  * General cleanup. (Robin Sommer)\x0a\x0a  * Initial import of bro/aux from SVN r7088. (Jon Siwek)\x0a, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FMnxxt3xjVcWNS2141, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.975693 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4042, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>])
-XXXXXXXXXX.XXXXXX | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856/tcp, 192.150.187.43, 80/tcp)
-XXXXXXXXXX.XXXXXX | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 430.927277 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-XXXXXXXXXX.XXXXXX | HookCallFunction http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 430.927277 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-XXXXXXXXXX.XXXXXX | HookCallFunction http_message_done([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 430.927277 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=XXXXXXXXXX.XXXXXX, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])
-XXXXXXXXXX.XXXXXX | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp])
-XXXXXXXXXX.XXXXXX | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTPXXXXXXXXXX.XXXXXXF11141.142.228.5:59856 > 192.150.187.43:80)
-XXXXXXXXXX.XXXXXX | HookDrainEvents
-XXXXXXXXXX.XXXXXX | HookLogInit   files 1/1 {ts (time), fuid (string), tx_hosts (set[addr]), rx_hosts (set[addr]), conn_uids (set[string]), source (string), depth (count), analyzers (set[string]), mime_type (string), filename (string), duration (interval), local_orig (bool), is_orig (bool), seen_bytes (count), total_bytes (count), missing_bytes (count), overflow_bytes (count), timedout (bool), parent_fuid (string), md5 (string), sha1 (string), sha256 (string), extracted (string), extracted_cutoff (bool), extracted_size (count)}
-XXXXXXXXXX.XXXXXX | HookLogInit   http 1/1 {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), trans_depth (count), method (string), host (string), uri (string), referrer (string), version (string), user_agent (string), origin (string), request_body_len (count), response_body_len (count), status_code (count), status_msg (string), info_code (count), info_msg (string), tags (set[enum]), username (string), password (string), proxied (set[string]), orig_fuids (vector[string]), orig_filenames (vector[string]), orig_mime_types (vector[string]), resp_fuids (vector[string]), resp_filenames (vector[string]), resp_mime_types (vector[string])}
-XXXXXXXXXX.XXXXXX | HookLogWrite  files [ts=XXXXXXXXXX.XXXXXX, fuid=FMnxxt3xjVcWNS2141, tx_hosts=192.150.187.43, rx_hosts=141.142.228.5, conn_uids=CHhAvVGS1DHFjwGM9, source=HTTP, depth=0, analyzers=, mime_type=text/plain, filename=<uninitialized>, duration=0.000263, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]
-XXXXXXXXXX.XXXXXX | HookLogWrite  http [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id.orig_h=141.142.228.5, id.orig_p=59856, id.resp_h=192.150.187.43, id.resp_p=80, trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags=, username=<uninitialized>, password=<uninitialized>, proxied=<uninitialized>, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=FMnxxt3xjVcWNS2141, resp_filenames=<uninitialized>, resp_mime_types=text/plain]
-XXXXXXXXXX.XXXXXX | HookQueueEvent file_sniff([id=FMnxxt3xjVcWNS2141, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=4042, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0a0.26 | 2012-08-24 15:10:04 -0700\x0a\x0a  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)\x0a\x0a  * Fixing GPG signing script. (Robin Sommer)\x0a\x0a0.25 | 2012-08-01 13:55:46 -0500\x0a\x0a  * Fix configure script to exit with non-zero status on error (Jon Siwek)\x0a\x0a0.24 | 2012-07-05 12:50:43 -0700\x0a\x0a  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)\x0a\x0a  * Adding script to delete old fully-merged branches. (Robin Sommer)\x0a\x0a0.23-2 | 2012-01-25 13:24:01 -0800\x0a\x0a  * Fix a bro-cut error message. (Daniel Thayer)\x0a\x0a0.23 | 2012-01-11 12:16:11 -0800\x0a\x0a  * Tweaks to release scripts, plus a new one for signing files.\x0a    (Robin Sommer)\x0a\x0a0.22 | 2012-01-10 16:45:19 -0800\x0a\x0a  * Tweaks for OpenBSD support. (Jon Siwek)\x0a\x0a  * bro-cut extensions and fixes.  (Robin Sommer)\x0a    \x0a    - If no field names are given on the command line, we now pass through\x0a      all fields. Adresses #657.\x0a\x0a    - Removing some GNUism from awk script. Addresses #653.\x0a\x0a    - Added option for time output in UTC. Addresses #668.\x0a\x0a    - Added output field separator option -F. Addresses #649.\x0a\x0a    - Fixing option -c: only some header lines were passed through\x0a      rather than all. (Robin Sommer)\x0a\x0a  * Fix parallel make portability. (Jon Siwek)\x0a\x0a0.21-9 | 2011-11-07 05:44:14 -0800\x0a\x0a  * Fixing compiler warnings. Addresses #388. (Jon Siwek)\x0a\x0a0.21-2 | 2011-11-02 18:12:13 -0700\x0a\x0a  * Fix for misnaming temp file in update-changes script. (Robin Sommer)\x0a\x0a0.21-1 | 2011-11-02 18:10:39 -0700\x0a\x0a  * Little fix for make-release script, which could pick out the wrong\x0a    tag. (Robin Sommer)\x0a\x0a0.21 | 2011-10-27 17:40:45 -0700\x0a\x0a  * Fixing bro-cut's usage message and argument error handling. (Robin Sommer)\x0a\x0a  * Bugfix in update-changes script. (Robin Sommer)\x0a\x0a  * update-changes now ignores commits it did itself. (Robin Sommer)\x0a\x0a  * Fix a bug in the update-changes script. (Robin Sommer)\x0a\x0a  * bro-cut now always installs to $prefix/bin by `make install`. (Jon Siwek)\x0a\x0a  * Options to adjust time format for bro-cut. (Robin Sommer)\x0a\x0a    The default with -d is now ISO format. The new option "-D <fmt>"\x0a    specifies a custom strftime()-style format string. Alternatively,\x0a    the environment variable BRO_CUT_TIMEFMT can set the format as\x0a    well.\x0a\x0a  * bro-cut now understands the field separator header. (Robin Sommer)\x0a\x0a  * Renaming options -h/-H -> -c/-C, and doing some general cleanup.\x0a\x0a0.2 | 2011-10-25 19:53:57 -0700\x0a\x0a  * Adding support for replacing version string in a setup.py. (Robin\x0a    Sommer)\x0a\x0a  * Change generated root cert DN indices format for RFC2253\x0a    compliance. (Jon Siwek)\x0a\x0a  * New tool devel-tools/check-release to run before making releases.\x0a    (Robin Sommer)\x0a\x0a  * devel-tools/update-changes gets a new option -a to amend to\x0a    previous commit if possible. Default is now not to (used to be the\x0a    opposite). (Robin Sommer)\x0a\x0a  * Change Mozilla trust root generation to index certs by subject DN. (Jon Siwek)\x0a\x0a  * Change distclean to only remove build dir. (Jon Siwek)\x0a\x0a  * Make dist now cleans the copied source (Jon Siwek)\x0a\x0a  * Small tweak to make-release for forced git-clean. (Jon Siwek)\x0a\x0a  * Fix to not let updates scripts loose their executable permissions.\x0a    (Robin Sommer)\x0a\x0a  * devel-tools/update-changes now looks for a 'release' tag to\x0a    idenfify the stable version, and 'beta' for the beta versions.\x0a    (Robin Sommer).\x0a\x0a  * Distribution cleanup. (Robin Sommer)\x0a\x0a  * New script devel-tools/make-release to create source tar balls.\x0a    (Robin Sommer)\x0a\x0a  * Removing bdcat. With the new log format, this isn't very useful\x0a    anymore. (Robin Sommer)\x0a\x0a  * Adding script that shows all pending git fastpath commits. (Robin\x0a    Sommer)\x0a\x0a  * Script to measure CPU time by loading an increasing set of\x0a    scripts. (Robin Sommer)\x0a\x0a  * extract-conn script now deals wit *.gz files. (Robin Sommer)\x0a\x0a  * Tiny update to output a valid CA list file for SSL cert\x0a    validation. (Seth Hall)\x0a\x0a  * Adding "install-aux" target. Addresses #622. (Jon Siwek)\x0a\x0a  * Distribution cleanup. (Jon Siwek and Robin Sommer)\x0a\x0a  * FindPCAP now links against thread library when necessary (e.g.\x0a    PF_RING's libpcap) (Jon Siwek)\x0a\x0a  * Install binaries with an RPATH (Jon Siwek)\x0a\x0a  * Workaround for FreeBSD CMake port missing debug flags (Jon Siwek)\x0a\x0a  * Rewrite of the update-changes script. (Robin Sommer)\x0a\x0a0.1-1 | 2011-06-14 21:12:41 -0700\x0a\x0a  * Add a script for generating Mozilla's CA list for the SSL analyzer.\x0a    (Seth Hall)\x0a\x0a0.1 | 2011-04-01 16:28:22 -0700\x0a\x0a  * Converting build process to CMake. (Jon Siwek)\x0a\x0a  * Removing cf<...>/ca-* from distribution. The README has a note where\x0a    to find them now. (Robin Sommer)\x0a\x0a  * General cleanup. (Robin Sommer)\x0a\x0a  * Initial import of bro/aux from SVN r7088. (Jon Siwek)\x0a, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FMnxxt3xjVcWNS2141, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=<uninitialized>, filename=<uninitialized>, duration=0 secs, local_orig=<uninitialized>, is_orig=F, seen_bytes=0, total_bytes=<uninitialized>, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>], [mime_type=text/plain, mime_types=[[strength=-20, mime=text/plain]], inferred=T])
-XXXXXXXXXX.XXXXXX | HookQueueEvent file_state_remove([id=FMnxxt3xjVcWNS2141, parent_id=<uninitialized>, source=HTTP, is_orig=F, conns={[[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]] = [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=1448, state=4, num_pkts=2, num_bytes_ip=112, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 167.951584 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]}, last_active=XXXXXXXXXX.XXXXXX, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timeout_interval=2.0 mins, bof_buffer_size=4096, bof_buffer=\x0a0.26 | 2012-08-24 15:10:04 -0700\x0a\x0a  * Fixing update-changes, which could pick the wrong control file. (Robin Sommer)\x0a\x0a  * Fixing GPG signing script. (Robin Sommer)\x0a\x0a0.25 | 2012-08-01 13:55:46 -0500\x0a\x0a  * Fix configure script to exit with non-zero status on error (Jon Siwek)\x0a\x0a0.24 | 2012-07-05 12:50:43 -0700\x0a\x0a  * Raise minimum required CMake version to 2.6.3 (Jon Siwek)\x0a\x0a  * Adding script to delete old fully-merged branches. (Robin Sommer)\x0a\x0a0.23-2 | 2012-01-25 13:24:01 -0800\x0a\x0a  * Fix a bro-cut error message. (Daniel Thayer)\x0a\x0a0.23 | 2012-01-11 12:16:11 -0800\x0a\x0a  * Tweaks to release scripts, plus a new one for signing files.\x0a    (Robin Sommer)\x0a\x0a0.22 | 2012-01-10 16:45:19 -0800\x0a\x0a  * Tweaks for OpenBSD support. (Jon Siwek)\x0a\x0a  * bro-cut extensions and fixes.  (Robin Sommer)\x0a    \x0a    - If no field names are given on the command line, we now pass through\x0a      all fields. Adresses #657.\x0a\x0a    - Removing some GNUism from awk script. Addresses #653.\x0a\x0a    - Added option for time output in UTC. Addresses #668.\x0a\x0a    - Added output field separator option -F. Addresses #649.\x0a\x0a    - Fixing option -c: only some header lines were passed through\x0a      rather than all. (Robin Sommer)\x0a\x0a  * Fix parallel make portability. (Jon Siwek)\x0a\x0a0.21-9 | 2011-11-07 05:44:14 -0800\x0a\x0a  * Fixing compiler warnings. Addresses #388. (Jon Siwek)\x0a\x0a0.21-2 | 2011-11-02 18:12:13 -0700\x0a\x0a  * Fix for misnaming temp file in update-changes script. (Robin Sommer)\x0a\x0a0.21-1 | 2011-11-02 18:10:39 -0700\x0a\x0a  * Little fix for make-release script, which could pick out the wrong\x0a    tag. (Robin Sommer)\x0a\x0a0.21 | 2011-10-27 17:40:45 -0700\x0a\x0a  * Fixing bro-cut's usage message and argument error handling. (Robin Sommer)\x0a\x0a  * Bugfix in update-changes script. (Robin Sommer)\x0a\x0a  * update-changes now ignores commits it did itself. (Robin Sommer)\x0a\x0a  * Fix a bug in the update-changes script. (Robin Sommer)\x0a\x0a  * bro-cut now always installs to $prefix/bin by `make install`. (Jon Siwek)\x0a\x0a  * Options to adjust time format for bro-cut. (Robin Sommer)\x0a\x0a    The default with -d is now ISO format. The new option "-D <fmt>"\x0a    specifies a custom strftime()-style format string. Alternatively,\x0a    the environment variable BRO_CUT_TIMEFMT can set the format as\x0a    well.\x0a\x0a  * bro-cut now understands the field separator header. (Robin Sommer)\x0a\x0a  * Renaming options -h/-H -> -c/-C, and doing some general cleanup.\x0a\x0a0.2 | 2011-10-25 19:53:57 -0700\x0a\x0a  * Adding support for replacing version string in a setup.py. (Robin\x0a    Sommer)\x0a\x0a  * Change generated root cert DN indices format for RFC2253\x0a    compliance. (Jon Siwek)\x0a\x0a  * New tool devel-tools/check-release to run before making releases.\x0a    (Robin Sommer)\x0a\x0a  * devel-tools/update-changes gets a new option -a to amend to\x0a    previous commit if possible. Default is now not to (used to be the\x0a    opposite). (Robin Sommer)\x0a\x0a  * Change Mozilla trust root generation to index certs by subject DN. (Jon Siwek)\x0a\x0a  * Change distclean to only remove build dir. (Jon Siwek)\x0a\x0a  * Make dist now cleans the copied source (Jon Siwek)\x0a\x0a  * Small tweak to make-release for forced git-clean. (Jon Siwek)\x0a\x0a  * Fix to not let updates scripts loose their executable permissions.\x0a    (Robin Sommer)\x0a\x0a  * devel-tools/update-changes now looks for a 'release' tag to\x0a    idenfify the stable version, and 'beta' for the beta versions.\x0a    (Robin Sommer).\x0a\x0a  * Distribution cleanup. (Robin Sommer)\x0a\x0a  * New script devel-tools/make-release to create source tar balls.\x0a    (Robin Sommer)\x0a\x0a  * Removing bdcat. With the new log format, this isn't very useful\x0a    anymore. (Robin Sommer)\x0a\x0a  * Adding script that shows all pending git fastpath commits. (Robin\x0a    Sommer)\x0a\x0a  * Script to measure CPU time by loading an increasing set of\x0a    scripts. (Robin Sommer)\x0a\x0a  * extract-conn script now deals wit *.gz files. (Robin Sommer)\x0a\x0a  * Tiny update to output a valid CA list file for SSL cert\x0a    validation. (Seth Hall)\x0a\x0a  * Adding "install-aux" target. Addresses #622. (Jon Siwek)\x0a\x0a  * Distribution cleanup. (Jon Siwek and Robin Sommer)\x0a\x0a  * FindPCAP now links against thread library when necessary (e.g.\x0a    PF_RING's libpcap) (Jon Siwek)\x0a\x0a  * Install binaries with an RPATH (Jon Siwek)\x0a\x0a  * Workaround for FreeBSD CMake port missing debug flags (Jon Siwek)\x0a\x0a  * Rewrite of the update-changes script. (Robin Sommer)\x0a\x0a0.1-1 | 2011-06-14 21:12:41 -0700\x0a\x0a  * Add a script for generating Mozilla's CA list for the SSL analyzer.\x0a    (Seth Hall)\x0a\x0a0.1 | 2011-04-01 16:28:22 -0700\x0a\x0a  * Converting build process to CMake. (Jon Siwek)\x0a\x0a  * Removing cf<...>/ca-* from distribution. The README has a note where\x0a    to find them now. (Robin Sommer)\x0a\x0a  * General cleanup. (Robin Sommer)\x0a\x0a  * Initial import of bro/aux from SVN r7088. (Jon Siwek)\x0a, info=[ts=XXXXXXXXXX.XXXXXX, fuid=FMnxxt3xjVcWNS2141, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.975693 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4042, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], ftp=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], irc=<uninitialized>, pe=<uninitialized>])
-XXXXXXXXXX.XXXXXX | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 430.927277 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-XXXXXXXXXX.XXXXXX | HookQueueEvent http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 430.927277 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
-XXXXXXXXXX.XXXXXX | HookQueueEvent http_message_done([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 430.927277 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F, [start=XXXXXXXXXX.XXXXXX, interrupted=F, finish_msg=message ends normally, body_length=4705, content_gap_length=0, header_length=280])
-XXXXXXXXXX.XXXXXX   MetaHookPost  DrainEvents() -> <void>
-XXXXXXXXXX.XXXXXX   MetaHookPost  UpdateNetworkTime(XXXXXXXXXX.XXXXXX) -> <void>
-XXXXXXXXXX.XXXXXX   MetaHookPre   DrainEvents()
-XXXXXXXXXX.XXXXXX   MetaHookPre   UpdateNetworkTime(XXXXXXXXXX.XXXXXX)
-XXXXXXXXXX.XXXXXX  | HookUpdateNetworkTime XXXXXXXXXX.XXXXXX
-XXXXXXXXXX.XXXXXX | HookDrainEvents
-XXXXXXXXXX.XXXXXX   MetaHookPost  DrainEvents() -> <void>
-XXXXXXXXXX.XXXXXX   MetaHookPost  UpdateNetworkTime(XXXXXXXXXX.XXXXXX) -> <void>
-XXXXXXXXXX.XXXXXX   MetaHookPre   DrainEvents()
-XXXXXXXXXX.XXXXXX   MetaHookPre   UpdateNetworkTime(XXXXXXXXXX.XXXXXX)
-XXXXXXXXXX.XXXXXX  | HookUpdateNetworkTime XXXXXXXXXX.XXXXXX
-XXXXXXXXXX.XXXXXX | HookDrainEvents
-XXXXXXXXXX.XXXXXX   MetaHookPost  DrainEvents() -> <void>
-XXXXXXXXXX.XXXXXX   MetaHookPost  UpdateNetworkTime(XXXXXXXXXX.XXXXXX) -> <void>
-XXXXXXXXXX.XXXXXX   MetaHookPre   DrainEvents()
-XXXXXXXXXX.XXXXXX   MetaHookPre   UpdateNetworkTime(XXXXXXXXXX.XXXXXX)
-XXXXXXXXXX.XXXXXX  | HookUpdateNetworkTime XXXXXXXXXX.XXXXXX
-XXXXXXXXXX.XXXXXX | HookDrainEvents
-XXXXXXXXXX.XXXXXX   MetaHookPost  DrainEvents() -> <void>
-XXXXXXXXXX.XXXXXX   MetaHookPost  UpdateNetworkTime(XXXXXXXXXX.XXXXXX) -> <void>
-XXXXXXXXXX.XXXXXX   MetaHookPre   DrainEvents()
-XXXXXXXXXX.XXXXXX   MetaHookPre   UpdateNetworkTime(XXXXXXXXXX.XXXXXX)
-XXXXXXXXXX.XXXXXX  | HookUpdateNetworkTime XXXXXXXXXX.XXXXXX
-XXXXXXXXXX.XXXXXX | HookDrainEvents
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(Broker::log_flush, <null>, ()) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(ChecksumOffloading::check, <null>, ()) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(Conn::log_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>], Conn::LOG, [name=default, writer=Log::WRITER_ASCII, path=conn, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(HTTP::finalize_http, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>], extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(Log::log_stream_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>], Conn::LOG)) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(connection_state_remove, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(filter_change_tracking, <null>, ()) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856/tcp, 192.150.187.43, 80/tcp)) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(get_net_stats, <frame>, ()) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp])) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(is_tcp_port, <frame>, (59856/tcp)) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(net_done, <null>, (XXXXXXXXXX.XXXXXX)) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTPXXXXXXXXXX.XXXXXXT11141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(zeek_done, <null>, ()) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  DrainEvents() -> <void>
-XXXXXXXXXX.XXXXXX   MetaHookPost  LogInit(Log::WRITER_ASCII, default, true, true, conn(XXXXXXXXXX.XXXXXX,0.0,0.0), 21, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string])}) -> <void>
-XXXXXXXXXX.XXXXXX   MetaHookPost  LogWrite(Log::WRITER_ASCII, default, conn(XXXXXXXXXX.XXXXXX,0.0,0.0), 21, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string])}, <void ptr>) -> true
-XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(Broker::log_flush()) -> false
-XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(ChecksumOffloading::check()) -> false
-XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> false
-XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(filter_change_tracking()) -> false
-XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
-XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(zeek_done()) -> false
-XXXXXXXXXX.XXXXXX   MetaHookPost  UpdateNetworkTime(XXXXXXXXXX.XXXXXX) -> <void>
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(Broker::log_flush, <null>, ())
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(ChecksumOffloading::check, <null>, ())
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(Conn::log_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>], Conn::LOG, [name=default, writer=Log::WRITER_ASCII, path=conn, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(HTTP::finalize_http, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>], extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(Log::log_stream_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>], Conn::LOG))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(connection_state_remove, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(filter_change_tracking, <null>, ())
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856/tcp, 192.150.187.43, 80/tcp))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(get_file_handle, <null>, (Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(get_net_stats, <frame>, ())
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(is_tcp_port, <frame>, (59856/tcp))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(net_done, <null>, (XXXXXXXXXX.XXXXXX))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTPXXXXXXXXXX.XXXXXXT11141.142.228.5:59856 > 192.150.187.43:80))
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(zeek_done, <null>, ())
-XXXXXXXXXX.XXXXXX   MetaHookPre   DrainEvents()
-XXXXXXXXXX.XXXXXX   MetaHookPre   LogInit(Log::WRITER_ASCII, default, true, true, conn(XXXXXXXXXX.XXXXXX,0.0,0.0), 21, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string])})
-XXXXXXXXXX.XXXXXX   MetaHookPre   LogWrite(Log::WRITER_ASCII, default, conn(XXXXXXXXXX.XXXXXX,0.0,0.0), 21, {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string])}, <void ptr>)
-XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(Broker::log_flush())
-XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(ChecksumOffloading::check())
-XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
-XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(filter_change_tracking())
-XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
-XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(zeek_done())
-XXXXXXXXXX.XXXXXX   MetaHookPre   UpdateNetworkTime(XXXXXXXXXX.XXXXXX)
-XXXXXXXXXX.XXXXXX  | HookUpdateNetworkTime XXXXXXXXXX.XXXXXX
-XXXXXXXXXX.XXXXXX | HookCallFunction Broker::log_flush()
-XXXXXXXXXX.XXXXXX | HookCallFunction ChecksumOffloading::check()
-XXXXXXXXXX.XXXXXX | HookCallFunction Conn::log_policy([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>], Conn::LOG, [name=default, writer=Log::WRITER_ASCII, path=conn, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
-XXXXXXXXXX.XXXXXX | HookCallFunction HTTP::finalize_http([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>], extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
-XXXXXXXXXX.XXXXXX | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-XXXXXXXXXX.XXXXXX | HookCallFunction Log::log_stream_policy([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>], Conn::LOG)
-XXXXXXXXXX.XXXXXX | HookCallFunction cat(Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)
-XXXXXXXXXX.XXXXXX | HookCallFunction connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
-XXXXXXXXXX.XXXXXX | HookCallFunction filter_change_tracking()
-XXXXXXXXXX.XXXXXX | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856/tcp, 192.150.187.43, 80/tcp)
-XXXXXXXXXX.XXXXXX | HookCallFunction get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-XXXXXXXXXX.XXXXXX | HookCallFunction get_net_stats()
-XXXXXXXXXX.XXXXXX | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp])
-XXXXXXXXXX.XXXXXX | HookCallFunction is_tcp_port(59856/tcp)
-XXXXXXXXXX.XXXXXX | HookCallFunction net_done(XXXXXXXXXX.XXXXXX)
-XXXXXXXXXX.XXXXXX | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTPXXXXXXXXXX.XXXXXXT11141.142.228.5:59856 > 192.150.187.43:80)
-XXXXXXXXXX.XXXXXX | HookCallFunction zeek_done()
-XXXXXXXXXX.XXXXXX | HookDrainEvents
-XXXXXXXXXX.XXXXXX | HookLogInit   conn 1/1 {ts (time), uid (string), id.orig_h (addr), id.orig_p (port), id.resp_h (addr), id.resp_p (port), proto (enum), service (string), duration (interval), orig_bytes (count), resp_bytes (count), conn_state (string), local_orig (bool), local_resp (bool), missed_bytes (count), history (string), orig_pkts (count), orig_ip_bytes (count), resp_pkts (count), resp_ip_bytes (count), tunnel_parents (set[string])}
-XXXXXXXXXX.XXXXXX | HookLogWrite  conn [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id.orig_h=141.142.228.5, id.orig_p=59856, id.resp_h=192.150.187.43, id.resp_p=80, proto=tcp, service=http, duration=0.211484, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>]
-XXXXXXXXXX.XXXXXX | HookQueueEvent Broker::log_flush()
-XXXXXXXXXX.XXXXXX | HookQueueEvent ChecksumOffloading::check()
-XXXXXXXXXX.XXXXXX | HookQueueEvent connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
-XXXXXXXXXX.XXXXXX | HookQueueEvent filter_change_tracking()
-XXXXXXXXXX.XXXXXX | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_httpZAM-code HTTP::finalize_http }, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
-XXXXXXXXXX.XXXXXX | HookQueueEvent zeek_done()
diff --git a/testing/btest/plugins/hooks.zeek b/testing/btest/plugins/hooks.zeek
index 992d305f14..c44dfd9dce 100644
--- a/testing/btest/plugins/hooks.zeek
+++ b/testing/btest/plugins/hooks.zeek
@@ -1,3 +1,4 @@
+# @TEST-REQUIRES: test "${ZEEK_ZAM}" != "1"
 # @TEST-EXEC: ${DIST}/auxil/zeek-aux/plugin-support/init-plugin -u . Demo Hooks
 # @TEST-EXEC: cp -r %DIR/hooks-plugin/* .
 # @TEST-EXEC: ./configure --zeek-dist=${DIST} && make

From a1324a882d2d9e679c05b560e1a70f73f6180fe0 Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Mon, 6 Dec 2021 09:39:58 -0500
Subject: [PATCH 121/210] update script-to-C++ compilation for new record
 constructor internals

---
 src/script_opt/CPP/Exprs.cc      | 26 ++++++++++++++++++++++++--
 src/script_opt/CPP/RuntimeOps.cc | 11 +++++++++++
 src/script_opt/CPP/RuntimeOps.h  |  4 ++++
 3 files changed, 39 insertions(+), 2 deletions(-)

diff --git a/src/script_opt/CPP/Exprs.cc b/src/script_opt/CPP/Exprs.cc
index dd3baa995c..c0a0d40ede 100644
--- a/src/script_opt/CPP/Exprs.cc
+++ b/src/script_opt/CPP/Exprs.cc
@@ -670,8 +670,30 @@ string CPPCompile::GenRecordConstructorExpr(const Expr* e)
 			vals += ", ";
 		}
 
-	return string("record_constructor__CPP({") + vals + "}, " + "cast_intrusive<RecordType>(" +
-	       GenTypeName(t) + "))";
+	vals = string("{") + vals + "}";
+
+	const auto& map = rc->Map();
+
+	if ( map )
+		{
+		string map_vals;
+		for ( auto m : *map )
+			{
+			if ( ! map_vals.empty() )
+				map_vals += ", ";
+
+			map_vals += to_string(m);
+			}
+
+		map_vals = string("{") + map_vals + "}";
+
+		return string("record_constructor_map__CPP(") + vals + ", " + map_vals +
+		       ", cast_intrusive<RecordType>(" + GenTypeName(t) + "))";
+		}
+
+	else
+		return string("record_constructor__CPP(") + vals + ", cast_intrusive<RecordType>(" +
+		       GenTypeName(t) + "))";
 	}
 
 string CPPCompile::GenSetConstructorExpr(const Expr* e)
diff --git a/src/script_opt/CPP/RuntimeOps.cc b/src/script_opt/CPP/RuntimeOps.cc
index 15994dc637..2aa55f3f1c 100644
--- a/src/script_opt/CPP/RuntimeOps.cc
+++ b/src/script_opt/CPP/RuntimeOps.cc
@@ -224,6 +224,17 @@ RecordValPtr record_constructor__CPP(vector<ValPtr> vals, RecordTypePtr t)
 	return rv;
 	}
 
+RecordValPtr record_constructor_map__CPP(vector<ValPtr> vals, vector<int> map, RecordTypePtr t)
+	{
+	auto rv = make_intrusive<RecordVal>(move(t));
+	auto n = vals.size();
+
+	for ( auto i = 0u; i < n; ++i )
+		rv->Assign(map[i], vals[i]);
+
+	return rv;
+	}
+
 VectorValPtr vector_constructor__CPP(vector<ValPtr> vals, VectorTypePtr t)
 	{
 	auto vv = make_intrusive<VectorVal>(move(t));
diff --git a/src/script_opt/CPP/RuntimeOps.h b/src/script_opt/CPP/RuntimeOps.h
index ecf6c36e5d..c0ea9231f9 100644
--- a/src/script_opt/CPP/RuntimeOps.h
+++ b/src/script_opt/CPP/RuntimeOps.h
@@ -140,6 +140,10 @@ extern TableValPtr table_constructor__CPP(std::vector<ValPtr> indices, std::vect
 // assigned to the corresponding elements of the given vector of values.
 extern RecordValPtr record_constructor__CPP(std::vector<ValPtr> vals, RecordTypePtr t);
 
+// Same, but with a map when using a named constructor.
+extern RecordValPtr record_constructor_map__CPP(std::vector<ValPtr> vals, std::vector<int> map,
+                                                RecordTypePtr t);
+
 // Constructs a vector of the given type, populated with the given values.
 extern VectorValPtr vector_constructor__CPP(std::vector<ValPtr> vals, VectorTypePtr t);
 

From acb5e5dd26d305d1c22d58352d9f4a5a4ff4bfc0 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Fri, 3 Dec 2021 11:35:15 -0700
Subject: [PATCH 122/210] Remove separate Tag types, note breaking change in
 NEWS

---
 NEWS                      |  11 +++
 src/RuleAction.h          |   2 +-
 src/analyzer/Analyzer.h   |   2 +-
 src/analyzer/Tag.h        | 152 --------------------------------------
 src/file_analysis/File.h  |   2 +-
 src/file_analysis/Tag.h   | 152 --------------------------------------
 src/input/Manager.h       |   2 +-
 src/input/Tag.h           | 152 --------------------------------------
 src/logging/Tag.h         | 152 --------------------------------------
 src/packet_analysis/Tag.h | 152 --------------------------------------
 src/zeek-setup.cc         |   2 +-
 11 files changed, 16 insertions(+), 765 deletions(-)
 delete mode 100644 src/analyzer/Tag.h
 delete mode 100644 src/file_analysis/Tag.h
 delete mode 100644 src/input/Tag.h
 delete mode 100644 src/logging/Tag.h
 delete mode 100644 src/packet_analysis/Tag.h

diff --git a/NEWS b/NEWS
index dd3c9b377c..8f1ac4555b 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,17 @@ release. For an exhaustive list of changes, see the ``CHANGES`` file
 Zeek 4.2.0
 ==========
 
+Breaking Changes
+----------------
+
+- The existing ``Tag`` types in C++ (``zeek::Analyzer::Tag``, etc) have been merged
+  into a single type called ``zeek::Tag``. This is a breaking change, and may result
+  in plugins failing to build where they were relying on those types being different
+  for function overloading and such. We attempted to include deprecated versions of
+  the old types, but were unable to do so because of changes to return types from a
+  number of methods. With this change, any uses of the `zeek::*::Tag` types will
+  need to be replaced by `zeek::Tag`.
+
 New Functionality
 -----------------
 
diff --git a/src/RuleAction.h b/src/RuleAction.h
index c9d1b45db8..938904d4fb 100644
--- a/src/RuleAction.h
+++ b/src/RuleAction.h
@@ -3,7 +3,7 @@
 #include <sys/types.h> // for u_char
 #include <string>
 
-#include "zeek/analyzer/Tag.h"
+#include "zeek/Tag.h"
 
 namespace zeek::detail
 	{
diff --git a/src/analyzer/Analyzer.h b/src/analyzer/Analyzer.h
index 7bdfa0fbed..3d84632374 100644
--- a/src/analyzer/Analyzer.h
+++ b/src/analyzer/Analyzer.h
@@ -11,8 +11,8 @@
 #include "zeek/EventHandler.h"
 #include "zeek/IntrusivePtr.h"
 #include "zeek/Obj.h"
+#include "zeek/Tag.h"
 #include "zeek/Timer.h"
-#include "zeek/analyzer/Tag.h"
 
 namespace zeek
 	{
diff --git a/src/analyzer/Tag.h b/src/analyzer/Tag.h
deleted file mode 100644
index 6316381dc2..0000000000
--- a/src/analyzer/Tag.h
+++ /dev/null
@@ -1,152 +0,0 @@
-// See the file "COPYING" in the main distribution directory for copyright.
-
-#pragma once
-
-#include "zeek/zeek-config.h"
-
-#include <string>
-
-#include "zeek/Tag.h"
-#include "zeek/Val.h"
-
-namespace zeek::analyzer
-	{
-
-/**
- * This class implements a wrapper around zeek::Tag , presenting the same interface as that
- * member object. It previously implemented a full tag object for this type of plugin
- * component, but that functionality was merged into zeek::Tag and the separate tag types were
- * deprecated. This class will eventually be removed per the Zeek deprecation policy.
- */
-class [[deprecated("Remove in v5.1. Use zeek::Tag.")]] Tag
-	{
-public:
-	/**
-	 * Type for the component's main type.
-	 */
-	using type_t = zeek::Tag::type_t;
-
-	/**
-	 * Type for the component's subtype.
-	 */
-	using subtype_t = zeek::Tag::subtype_t;
-
-	/**
-	 * Returns the tag's main type.
-	 */
-	zeek::Tag::type_t Type() const { return tag.Type(); }
-
-	/**
-	 * Returns the tag's subtype.
-	 */
-	zeek::Tag::subtype_t Subtype() const { return tag.Subtype(); }
-
-	/**
-	 * Default constructor. This initializes the tag with an error value
-	 * that will make \c operator \c bool return false.
-	 */
-	Tag() : tag() { }
-
-	/**
-	 * Constructor.
-	 *
-	 * @param etype the script-layer enum type associated with the tag.
-	 *
-	 * @param type The main type. Note that the manager class manages the
-	 * the value space internally, so noone else should assign main types.
-	 *
-	 * @param subtype The sub type, which is left to a component for
-	 * interpretation. By default it's set to zero.
-	 */
-	Tag(const EnumTypePtr& etype, zeek::Tag::type_t type, zeek::Tag::subtype_t subtype = 0)
-		: tag(etype, type, subtype)
-		{
-		}
-
-	/**
-	 * Constructor.
-	 *
-	 * @param type The main type. Note that the component's Manager
-	 * manages the value space internally, so noone else should assign
-	 * any main types.
-	 *
-	 * @param subtype The sub type, which is left to a component for
-	 * interpretation. By default it's set to zero.
-	 */
-	explicit Tag(zeek::Tag::type_t type, zeek::Tag::subtype_t subtype = 0) : tag(type, subtype) { }
-
-	/**
-	 * Constructor.
-	 *
-	 * @param val An enum value of script type \c Analyzer::Tag.
-	 */
-	explicit Tag(EnumValPtr val) : tag(val) { }
-
-	/*
-	 * Copy constructor.
-	 */
-	Tag(const Tag& other) : tag(other.tag) { }
-
-	/**
-	 * Destructor.
-	 */
-	~Tag() { }
-
-	/**
-	 * Assignment operator.
-	 */
-	Tag& operator=(const Tag& other)
-		{
-		tag = other.tag;
-		return *this;
-		}
-
-	/**
-	 * Move assignment operator.
-	 */
-	Tag& operator=(Tag&& other) noexcept
-		{
-		tag = other.tag;
-		return *this;
-		}
-
-	/**
-	 * Compares two tags for equality.
-	 */
-	bool operator==(const Tag& other) const { return tag == other.tag; }
-
-	/**
-	 * Compares two tags for inequality.
-	 */
-	bool operator!=(const Tag& other) const { return tag != other.tag; }
-
-	/**
-	 * Compares two tags for less-than relationship.
-	 */
-	bool operator<(const Tag& other) const { return tag < other.tag; }
-
-	/**
-	 * Returns the numerical values for main and subtype inside a string
-	 * suitable for printing. This is primarily for debugging.
-	 */
-	std::string AsString() const { return tag.AsString(); }
-
-	/**
-	 * Returns the script-layer enum that corresponds to this tag.
-	 * The returned value does not have its ref-count increased.
-	 *
-	 * @param etype the script-layer enum type associated with the tag.
-	 */
-	const EnumValPtr& AsVal() const { return tag.AsVal(); }
-
-	/**
-	 * Returns false if the tag represents an error value rather than a
-	 * legal component type.
-	 */
-	explicit operator bool() const { return static_cast<bool>(tag); }
-
-private:
-	zeek::Tag tag;
-	};
-
-	} // namespace zeek::analyzer
diff --git a/src/file_analysis/File.h b/src/file_analysis/File.h
index db8e20f025..da87e6a963 100644
--- a/src/file_analysis/File.h
+++ b/src/file_analysis/File.h
@@ -6,11 +6,11 @@
 #include <string>
 #include <utility>
 
+#include "zeek/Tag.h"
 #include "zeek/WeirdState.h"
 #include "zeek/ZeekArgs.h"
 #include "zeek/ZeekList.h" // for ValPList
 #include "zeek/ZeekString.h"
-#include "zeek/analyzer/Tag.h"
 #include "zeek/file_analysis/AnalyzerSet.h"
 
 namespace zeek
diff --git a/src/file_analysis/Tag.h b/src/file_analysis/Tag.h
deleted file mode 100644
index 5f21276a0a..0000000000
--- a/src/file_analysis/Tag.h
+++ /dev/null
@@ -1,152 +0,0 @@
-// See the file "COPYING" in the main distribution directory for copyright.
-
-#pragma once
-
-#include "zeek/zeek-config.h"
-
-#include <string>
-
-#include "zeek/Tag.h"
-#include "zeek/Val.h"
-
-namespace zeek::file_analysis
-	{
-
-/**
- * This class implements a wrapper around zeek::Tag , presenting the same interface as that
- * member object. It previously implemented a full tag object for this type of plugin
- * component, but that functionality was merged into zeek::Tag and the separate tag types were
- * deprecated. This class will eventually be removed per the Zeek deprecation policy.
- */
-class [[deprecated("Remove in v5.1. Use zeek::Tag.")]] Tag
-	{
-public:
-	/**
-	 * Type for the component's main type.
-	 */
-	using type_t = zeek::Tag::type_t;
-
-	/**
-	 * Type for the component's subtype.
-	 */
-	using subtype_t = zeek::Tag::subtype_t;
-
-	/**
-	 * Returns the tag's main type.
-	 */
-	zeek::Tag::type_t Type() const { return tag.Type(); }
-
-	/**
-	 * Returns the tag's subtype.
-	 */
-	zeek::Tag::subtype_t Subtype() const { return tag.Subtype(); }
-
-	/**
-	 * Default constructor. This initializes the tag with an error value
-	 * that will make \c operator \c bool return false.
-	 */
-	Tag() : tag() { }
-
-	/**
-	 * Constructor.
-	 *
-	 * @param etype the script-layer enum type associated with the tag.
-	 *
-	 * @param type The main type. Note that the manager class manages the
-	 * the value space internally, so noone else should assign main types.
-	 *
-	 * @param subtype The sub type, which is left to a component for
-	 * interpretation. By default it's set to zero.
-	 */
-	Tag(const EnumTypePtr& etype, zeek::Tag::type_t type, zeek::Tag::subtype_t subtype = 0)
-		: tag(etype, type, subtype)
-		{
-		}
-
-	/**
-	 * Constructor.
-	 *
-	 * @param type The main type. Note that the component's Manager
-	 * manages the value space internally, so noone else should assign
-	 * any main types.
-	 *
-	 * @param subtype The sub type, which is left to a component for
-	 * interpretation. By default it's set to zero.
-	 */
-	explicit Tag(zeek::Tag::type_t type, zeek::Tag::subtype_t subtype = 0) : tag(type, subtype) { }
-
-	/**
-	 * Constructor.
-	 *
-	 * @param val An enum value of script type \c Files::Tag.
-	 */
-	explicit Tag(EnumValPtr val) : tag(val) { }
-
-	/*
-	 * Copy constructor.
-	 */
-	Tag(const Tag& other) : tag(other.tag) { }
-
-	/**
-	 * Destructor.
-	 */
-	~Tag() { }
-
-	/**
-	 * Assignment operator.
-	 */
-	Tag& operator=(const Tag& other)
-		{
-		tag = other.tag;
-		return *this;
-		}
-
-	/**
-	 * Move assignment operator.
-	 */
-	Tag& operator=(Tag&& other) noexcept
-		{
-		tag = other.tag;
-		return *this;
-		}
-
-	/**
-	 * Compares two tags for equality.
-	 */
-	bool operator==(const Tag& other) const { return tag == other.tag; }
-
-	/**
-	 * Compares two tags for inequality.
-	 */
-	bool operator!=(const Tag& other) const { return tag != other.tag; }
-
-	/**
-	 * Compares two tags for less-than relationship.
-	 */
-	bool operator<(const Tag& other) const { return tag < other.tag; }
-
-	/**
-	 * Returns the numerical values for main and subtype inside a string
-	 * suitable for printing. This is primarily for debugging.
-	 */
-	std::string AsString() const { return tag.AsString(); }
-
-	/**
-	 * Returns the script-layer enum that corresponds to this tag.
-	 * The returned value does not have its ref-count increased.
-	 *
-	 * @param etype the script-layer enum type associated with the tag.
-	 */
-	const EnumValPtr& AsVal() const { return tag.AsVal(); }
-
-	/**
-	 * Returns false if the tag represents an error value rather than a
-	 * legal component type.
-	 */
-	explicit operator bool() const { return static_cast<bool>(tag); }
-
-private:
-	zeek::Tag tag;
-	};
-
-	} // namespace zeek::file_analysis
diff --git a/src/input/Manager.h b/src/input/Manager.h
index 1c0b34d55b..2928b4f23d 100644
--- a/src/input/Manager.h
+++ b/src/input/Manager.h
@@ -7,8 +7,8 @@
 #include <map>
 
 #include "zeek/EventHandler.h"
+#include "zeek/Tag.h"
 #include "zeek/input/Component.h"
-#include "zeek/input/Tag.h"
 #include "zeek/plugin/ComponentManager.h"
 #include "zeek/threading/SerialTypes.h"
 
diff --git a/src/input/Tag.h b/src/input/Tag.h
deleted file mode 100644
index 290728560b..0000000000
--- a/src/input/Tag.h
+++ /dev/null
@@ -1,152 +0,0 @@
-// See the file "COPYING" in the main distribution directory for copyright.
-
-#pragma once
-
-#include "zeek/zeek-config.h"
-
-#include <string>
-
-#include "zeek/Tag.h"
-#include "zeek/Val.h"
-
-namespace zeek::input
-	{
-
-/**
- * This class implements a wrapper around zeek::Tag , presenting the same interface as that
- * member object. It previously implemented a full tag object for this type of plugin
- * component, but that functionality was merged into zeek::Tag and the separate tag types were
- * deprecated. This class will eventually be removed per the Zeek deprecation policy.
- */
-class [[deprecated("Remove in v5.1. Use zeek::Tag.")]] Tag
-	{
-public:
-	/**
-	 * Type for the component's main type.
-	 */
-	using type_t = zeek::Tag::type_t;
-
-	/**
-	 * Type for the component's subtype.
-	 */
-	using subtype_t = zeek::Tag::subtype_t;
-
-	/**
-	 * Returns the tag's main type.
-	 */
-	zeek::Tag::type_t Type() const { return tag.Type(); }
-
-	/**
-	 * Returns the tag's subtype.
-	 */
-	zeek::Tag::subtype_t Subtype() const { return tag.Subtype(); }
-
-	/**
-	 * Default constructor. This initializes the tag with an error value
-	 * that will make \c operator \c bool return false.
-	 */
-	Tag() : tag() { }
-
-	/**
-	 * Constructor.
-	 *
-	 * @param etype the script-layer enum type associated with the tag.
-	 *
-	 * @param type The main type. Note that the manager class manages the
-	 * the value space internally, so noone else should assign main types.
-	 *
-	 * @param subtype The sub type, which is left to a component for
-	 * interpretation. By default it's set to zero.
-	 */
-	Tag(const EnumTypePtr& etype, zeek::Tag::type_t type, zeek::Tag::subtype_t subtype = 0)
-		: tag(etype, type, subtype)
-		{
-		}
-
-	/**
-	 * Constructor.
-	 *
-	 * @param type The main type. Note that the component's Manager
-	 * manages the value space internally, so noone else should assign
-	 * any main types.
-	 *
-	 * @param subtype The sub type, which is left to a component for
-	 * interpretation. By default it's set to zero.
-	 */
-	explicit Tag(zeek::Tag::type_t type, zeek::Tag::subtype_t subtype = 0) : tag(type, subtype) { }
-
-	/**
-	 * Constructor.
-	 *
-	 * @param val An enum value of script type \c Input::Tag.
-	 */
-	explicit Tag(EnumValPtr val) : tag(val) { }
-
-	/*
-	 * Copy constructor.
-	 */
-	Tag(const Tag& other) : tag(other.tag) { }
-
-	/**
-	 * Destructor.
-	 */
-	~Tag() { }
-
-	/**
-	 * Assignment operator.
-	 */
-	Tag& operator=(const Tag& other)
-		{
-		tag = other.tag;
-		return *this;
-		}
-
-	/**
-	 * Move assignment operator.
-	 */
-	Tag& operator=(Tag&& other) noexcept
-		{
-		tag = other.tag;
-		return *this;
-		}
-
-	/**
-	 * Compares two tags for equality.
-	 */
-	bool operator==(const Tag& other) const { return tag == other.tag; }
-
-	/**
-	 * Compares two tags for inequality.
-	 */
-	bool operator!=(const Tag& other) const { return tag != other.tag; }
-
-	/**
-	 * Compares two tags for less-than relationship.
-	 */
-	bool operator<(const Tag& other) const { return tag < other.tag; }
-
-	/**
-	 * Returns the numerical values for main and subtype inside a string
-	 * suitable for printing. This is primarily for debugging.
-	 */
-	std::string AsString() const { return tag.AsString(); }
-
-	/**
-	 * Returns the script-layer enum that corresponds to this tag.
-	 * The returned value does not have its ref-count increased.
-	 *
-	 * @param etype the script-layer enum type associated with the tag.
-	 */
-	const EnumValPtr& AsVal() const { return tag.AsVal(); }
-
-	/**
-	 * Returns false if the tag represents an error value rather than a
-	 * legal component type.
-	 */
-	explicit operator bool() const { return static_cast<bool>(tag); }
-
-private:
-	zeek::Tag tag;
-	};
-
-	} // namespace zeek::input
diff --git a/src/logging/Tag.h b/src/logging/Tag.h
deleted file mode 100644
index ae8e17d7bb..0000000000
--- a/src/logging/Tag.h
+++ /dev/null
@@ -1,152 +0,0 @@
-// See the file "COPYING" in the main distribution directory for copyright.
-
-#pragma once
-
-#include "zeek/zeek-config.h"
-
-#include <string>
-
-#include "zeek/Tag.h"
-#include "zeek/Val.h"
-
-namespace zeek::logging
-	{
-
-/**
- * This class implements a wrapper around zeek::Tag , presenting the same interface as that
- * member object. It previously implemented a full tag object for this type of plugin
- * component, but that functionality was merged into zeek::Tag and the separate tag types were
- * deprecated. This class will eventually be removed per the Zeek deprecation policy.
- */
-class [[deprecated("Remove in v5.1. Use zeek::Tag.")]] Tag
-	{
-public:
-	/**
-	 * Type for the component's main type.
-	 */
-	using type_t = zeek::Tag::type_t;
-
-	/**
-	 * Type for the component's subtype.
-	 */
-	using subtype_t = zeek::Tag::subtype_t;
-
-	/**
-	 * Returns the tag's main type.
-	 */
-	zeek::Tag::type_t Type() const { return tag.Type(); }
-
-	/**
-	 * Returns the tag's subtype.
-	 */
-	zeek::Tag::subtype_t Subtype() const { return tag.Subtype(); }
-
-	/**
-	 * Default constructor. This initializes the tag with an error value
-	 * that will make \c operator \c bool return false.
-	 */
-	Tag() : tag() { }
-
-	/**
-	 * Constructor.
-	 *
-	 * @param etype the script-layer enum type associated with the tag.
-	 *
-	 * @param type The main type. Note that the manager class manages the
-	 * the value space internally, so noone else should assign main types.
-	 *
-	 * @param subtype The sub type, which is left to a component for
-	 * interpretation. By default it's set to zero.
-	 */
-	Tag(const EnumTypePtr& etype, zeek::Tag::type_t type, zeek::Tag::subtype_t subtype = 0)
-		: tag(etype, type, subtype)
-		{
-		}
-
-	/**
-	 * Constructor.
-	 *
-	 * @param type The main type. Note that the \a logging::Manager
-	 * manages the value space internally, so noone else should assign
-	 * any main types.
-	 *
-	 * @param subtype The sub type, which is left to a component for
-	 * interpretation. By default it's set to zero.
-	 */
-	explicit Tag(zeek::Tag::type_t type, zeek::Tag::subtype_t subtype = 0) : tag(type, subtype) { }
-
-	/**
-	 * Constructor.
-	 *
-	 * @param val An enum value of script type \c Logger::Tag.
-	 */
-	explicit Tag(EnumValPtr val) : tag(val) { }
-
-	/*
-	 * Copy constructor.
-	 */
-	Tag(const Tag& other) : tag(other.tag) { }
-
-	/**
-	 * Destructor.
-	 */
-	~Tag() { }
-
-	/**
-	 * Assignment operator.
-	 */
-	Tag& operator=(const Tag& other)
-		{
-		tag = other.tag;
-		return *this;
-		}
-
-	/**
-	 * Move assignment operator.
-	 */
-	Tag& operator=(Tag&& other) noexcept
-		{
-		tag = other.tag;
-		return *this;
-		}
-
-	/**
-	 * Compares two tags for equality.
-	 */
-	bool operator==(const Tag& other) const { return tag == other.tag; }
-
-	/**
-	 * Compares two tags for inequality.
-	 */
-	bool operator!=(const Tag& other) const { return tag != other.tag; }
-
-	/**
-	 * Compares two tags for less-than relationship.
-	 */
-	bool operator<(const Tag& other) const { return tag < other.tag; }
-
-	/**
-	 * Returns the numerical values for main and subtype inside a string
-	 * suitable for printing. This is primarily for debugging.
-	 */
-	std::string AsString() const { return tag.AsString(); }
-
-	/**
-	 * Returns the script-layer enum that corresponds to this tag.
-	 * The returned value does not have its ref-count increased.
-	 *
-	 * @param etype the script-layer enum type associated with the tag.
-	 */
-	const EnumValPtr& AsVal() const { return tag.AsVal(); }
-
-	/**
-	 * Returns false if the tag represents an error value rather than a
-	 * legal component type.
-	 */
-	explicit operator bool() const { return static_cast<bool>(tag); }
-
-private:
-	zeek::Tag tag;
-	};
-
-	} // namespace zeek::logging
diff --git a/src/packet_analysis/Tag.h b/src/packet_analysis/Tag.h
deleted file mode 100644
index ffbdfee105..0000000000
--- a/src/packet_analysis/Tag.h
+++ /dev/null
@@ -1,152 +0,0 @@
-// See the file "COPYING" in the main distribution directory for copyright.
-
-#pragma once
-
-#include "zeek/zeek-config.h"
-
-#include <string>
-
-#include "zeek/Tag.h"
-#include "zeek/Val.h"
-
-namespace zeek::packet_analysis
-	{
-
-/**
- * This class implements a wrapper around zeek::Tag , presenting the same interface as that
- * member object. It previously implemented a full tag object for this type of plugin
- * component, but that functionality was merged into zeek::Tag and the separate tag types were
- * deprecated. This class will eventually be removed per the Zeek deprecation policy.
- */
-class [[deprecated("Remove in v5.1. Use zeek::Tag.")]] Tag
-	{
-public:
-	/**
-	 * Type for the component's main type.
-	 */
-	using type_t = zeek::Tag::type_t;
-
-	/**
-	 * Type for the component's subtype.
-	 */
-	using subtype_t = zeek::Tag::subtype_t;
-
-	/**
-	 * Returns the tag's main type.
-	 */
-	zeek::Tag::type_t Type() const { return tag.Type(); }
-
-	/**
-	 * Returns the tag's subtype.
-	 */
-	zeek::Tag::subtype_t Subtype() const { return tag.Subtype(); }
-
-	/**
-	 * Default constructor. This initializes the tag with an error value
-	 * that will make \c operator \c bool return false.
-	 */
-	Tag() : tag() { }
-
-	/**
-	 * Constructor.
-	 *
-	 * @param etype the script-layer enum type associated with the tag.
-	 *
-	 * @param type The main type. Note that the manager class manages the
-	 * the value space internally, so noone else should assign main types.
-	 *
-	 * @param subtype The sub type, which is left to a component for
-	 * interpretation. By default it's set to zero.
-	 */
-	Tag(const EnumTypePtr& etype, zeek::Tag::type_t type, zeek::Tag::subtype_t subtype = 0)
-		: tag(etype, type, subtype)
-		{
-		}
-
-	/**
-	 * Constructor.
-	 *
-	 * @param type The main type. Note that the component's Manager
-	 * manages the value space internally, so noone else should assign
-	 * any main types.
-	 *
-	 * @param subtype The sub type, which is left to a component for
-	 * interpretation. By default it's set to zero.
-	 */
-	explicit Tag(zeek::Tag::type_t type, zeek::Tag::subtype_t subtype = 0) : tag(type, subtype) { }
-
-	/**
-	 * Constructor.
-	 *
-	 * @param val An enum value of script type \c PacketAnalyzer::Tag.
-	 */
-	explicit Tag(EnumValPtr val) : tag(val) { }
-
-	/*
-	 * Copy constructor.
-	 */
-	Tag(const Tag& other) : tag(other.tag) { }
-
-	/**
-	 * Destructor.
-	 */
-	~Tag() { }
-
-	/**
-	 * Assignment operator.
-	 */
-	Tag& operator=(const Tag& other)
-		{
-		tag = other.tag;
-		return *this;
-		}
-
-	/**
-	 * Move assignment operator.
-	 */
-	Tag& operator=(Tag&& other) noexcept
-		{
-		tag = other.tag;
-		return *this;
-		}
-
-	/**
-	 * Compares two tags for equality.
-	 */
-	bool operator==(const Tag& other) const { return tag == other.tag; }
-
-	/**
-	 * Compares two tags for inequality.
-	 */
-	bool operator!=(const Tag& other) const { return tag != other.tag; }
-
-	/**
-	 * Compares two tags for less-than relationship.
-	 */
-	bool operator<(const Tag& other) const { return tag < other.tag; }
-
-	/**
-	 * Returns the numerical values for main and subtype inside a string
-	 * suitable for printing. This is primarily for debugging.
-	 */
-	std::string AsString() const { return tag.AsString(); }
-
-	/**
-	 * Returns the script-layer enum that corresponds to this tag.
-	 * The returned value does not have its ref-count increased.
-	 *
-	 * @param etype the script-layer enum type associated with the tag.
-	 */
-	const EnumValPtr& AsVal() const { return tag.AsVal(); }
-
-	/**
-	 * Returns false if the tag represents an error value rather than a
-	 * legal component type.
-	 */
-	explicit operator bool() const { return static_cast<bool>(tag); }
-
-private:
-	zeek::Tag tag;
-	};
-
-	} // namespace zeek::packet_analysis
diff --git a/src/zeek-setup.cc b/src/zeek-setup.cc
index 5b2c6de914..8867ab548e 100644
--- a/src/zeek-setup.cc
+++ b/src/zeek-setup.cc
@@ -41,12 +41,12 @@
 #include "zeek/ScriptCoverageManager.h"
 #include "zeek/Stats.h"
 #include "zeek/Stmt.h"
+#include "zeek/Tag.h"
 #include "zeek/Timer.h"
 #include "zeek/Traverse.h"
 #include "zeek/Trigger.h"
 #include "zeek/Var.h"
 #include "zeek/analyzer/Manager.h"
-#include "zeek/analyzer/Tag.h"
 #include "zeek/binpac_zeek.h"
 #include "zeek/broker/Manager.h"
 #include "zeek/file_analysis/Manager.h"

From 368dec837206ddf893a5d6599481328641816295 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Mon, 6 Dec 2021 12:24:42 -0700
Subject: [PATCH 123/210] GH-1764: Update mappings for Geneve analyzer to
 IP4/IP6/ARP

---
 scripts/base/packet-protocols/geneve/main.zeek | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/scripts/base/packet-protocols/geneve/main.zeek b/scripts/base/packet-protocols/geneve/main.zeek
index 1131deac1d..d70055925b 100644
--- a/scripts/base/packet-protocols/geneve/main.zeek
+++ b/scripts/base/packet-protocols/geneve/main.zeek
@@ -19,4 +19,9 @@ event zeek_init() &priority=20
 	# https://datatracker.ietf.org/doc/html/draft-gross-geneve-00#section-3.4
 	# for details.
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GENEVE, 0x6558, PacketAnalyzer::ANALYZER_ETHERNET);
+
+	# Some additional mappings for protocols that we already handle natively.
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GENEVE, 0x0800, PacketAnalyzer::ANALYZER_IP);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GENEVE, 0x08DD, PacketAnalyzer::ANALYZER_IP);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GENEVE, 0x0808, PacketAnalyzer::ANALYZER_ARP);
 	}

From f8b8401d84f0913334aa2a4b5ad169bce7cda215 Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Thu, 2 Dec 2021 12:37:02 -0800
Subject: [PATCH 124/210] Alphabetically sort configure's enable/disable/with
 options

---
 configure | 151 ++++++++++++++++++++++++++----------------------------
 1 file changed, 74 insertions(+), 77 deletions(-)

diff --git a/configure b/configure
index 5756c3448f..9db0899dc7 100755
--- a/configure
+++ b/configure
@@ -54,51 +54,51 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
                            install --home [PATH/lib/python]
 
   Optional Features:
-    --enable-debug         compile in debugging mode (like --build-type=Debug)
     --enable-coverage      compile with code coverage support (implies debugging mode)
+    --enable-cpp-tests     build Zeek's C++ unit tests
+    --enable-debug         compile in debugging mode (like --build-type=Debug)
     --enable-fuzzers       build fuzzer targets
+    --enable-jemalloc      link against jemalloc
     --enable-mobile-ipv6   analyze mobile IPv6 features defined by RFC 6275
     --enable-perftools     enable use of Google perftools (use tcmalloc)
     --enable-perftools-debug use Google's perftools for debugging
-    --enable-jemalloc      link against jemalloc
-    --enable-static-broker build Broker statically (ignored if --with-broker is specified)
     --enable-static-binpac build binpac statically (ignored if --with-binpac is specified)
-    --enable-cpp-tests     build Zeek's C++ unit tests
+    --enable-static-broker build Broker statically (ignored if --with-broker is specified)
     --enable-zeek-client   install the Zeek cluster management client (experimental)
-    --disable-zeekctl      don't install ZeekControl
-    --disable-auxtools     don't build or install auxiliary tools
     --disable-archiver     don't build or install zeek-archiver tool
+    --disable-auxtools     don't build or install auxiliary tools
+    --disable-broker-tests don't try to build Broker unit tests
     --disable-btest        don't install BTest
     --disable-btest-pcaps  don't install Zeek's BTest input pcaps
     --disable-python       don't try to build python bindings for Broker
-    --disable-broker-tests don't try to build Broker unit tests
+    --disable-zeekctl      don't install ZeekControl
     --disable-zkg          don't install zkg
 
   Required Packages in Non-Standard Locations:
-    --with-openssl=PATH    path to OpenSSL install root
-    --with-bind=PATH       path to BIND install root
-    --with-pcap=PATH       path to libpcap install root
-    --with-binpac=PATH     path to BinPAC executable
-                           (useful for cross-compiling)
     --with-bifcl=PATH      path to Zeek BIF compiler executable
                            (useful for cross-compiling)
-    --with-flex=PATH       path to flex executable
+    --with-bind=PATH       path to BIND install root
+    --with-binpac=PATH     path to BinPAC executable
+                           (useful for cross-compiling)
     --with-bison=PATH      path to bison executable
-    --with-python=PATH     path to Python executable
     --with-broker=PATH     path to Broker install root
                            (Zeek uses an embedded version by default)
     --with-caf=PATH        path to C++ Actor Framework install root
                            (a Broker dependency that is embedded by default)
+    --with-flex=PATH       path to flex executable
     --with-libkqueue=PATH  path to libkqueue install root
                            (Zeek uses an embedded version by default)
+    --with-openssl=PATH    path to OpenSSL install root
+    --with-pcap=PATH       path to libpcap install root
+    --with-python=PATH     path to Python executable
 
   Optional Packages in Non-Standard Locations:
     --with-geoip=PATH      path to the libmaxminddb install root
+    --with-jemalloc=PATH   path to jemalloc install root
     --with-krb5=PATH       path to krb5 install root
     --with-perftools=PATH  path to Google Perftools install root
-    --with-jemalloc=PATH   path to jemalloc install root
-    --with-python-lib=PATH path to libpython
     --with-python-inc=PATH path to Python headers
+    --with-python-lib=PATH path to libpython
     --with-swig=PATH       path to SWIG executable
 
   Packaging Options (for developers):
@@ -260,12 +260,18 @@ while [ $# -ne 0 ]; do
             append_cache_entry ENABLE_COVERAGE BOOL true
             append_cache_entry ENABLE_DEBUG BOOL true
             ;;
-        --enable-fuzzers)
-            append_cache_entry ZEEK_ENABLE_FUZZERS BOOL true
+        --enable-cpp-tests)
+            append_cache_entry ENABLE_ZEEK_UNIT_TESTS BOOL true
             ;;
         --enable-debug)
             append_cache_entry ENABLE_DEBUG BOOL true
             ;;
+        --enable-fuzzers)
+            append_cache_entry ZEEK_ENABLE_FUZZERS BOOL true
+            ;;
+        --enable-jemalloc)
+            append_cache_entry ENABLE_JEMALLOC BOOL true
+            ;;
         --enable-mobile-ipv6)
             has_enable_mobile_ipv6=1
             ;;
@@ -276,32 +282,24 @@ while [ $# -ne 0 ]; do
             append_cache_entry ENABLE_PERFTOOLS BOOL true
             append_cache_entry ENABLE_PERFTOOLS_DEBUG BOOL true
             ;;
-        --sanitizers=*)
-            append_cache_entry ZEEK_SANITIZERS STRING $optarg
-            ;;
-        --enable-jemalloc)
-            append_cache_entry ENABLE_JEMALLOC BOOL true
+        --enable-static-binpac)
+            append_cache_entry BUILD_STATIC_BINPAC BOOL true
             ;;
         --enable-static-broker)
             append_cache_entry BUILD_STATIC_BROKER BOOL true
             ;;
-        --enable-static-binpac)
-            append_cache_entry BUILD_STATIC_BINPAC BOOL true
-            ;;
-        --enable-cpp-tests)
-            append_cache_entry ENABLE_ZEEK_UNIT_TESTS BOOL true
-            ;;
         --enable-zeek-client)
             append_cache_entry INSTALL_ZEEK_CLIENT BOOL true
             ;;
-        --disable-zeekctl)
-            append_cache_entry INSTALL_ZEEKCTL BOOL false
+        --disable-archiver)
+            append_cache_entry INSTALL_ZEEK_ARCHIVER BOOL false
             ;;
         --disable-auxtools)
             append_cache_entry INSTALL_AUX_TOOLS BOOL false
             ;;
-        --disable-archiver)
-            append_cache_entry INSTALL_ZEEK_ARCHIVER BOOL false
+        --disable-broker-tests)
+            append_cache_entry BROKER_DISABLE_TESTS BOOL true
+            append_cache_entry BROKER_DISABLE_DOC_EXAMPLES BOOL true
             ;;
         --disable-btest)
             append_cache_entry INSTALL_BTEST BOOL false
@@ -312,69 +310,68 @@ while [ $# -ne 0 ]; do
         --disable-python)
             append_cache_entry DISABLE_PYTHON_BINDINGS BOOL true
             ;;
-        --disable-broker-tests)
-            append_cache_entry BROKER_DISABLE_TESTS BOOL true
-            append_cache_entry BROKER_DISABLE_DOC_EXAMPLES BOOL true
-            ;;
         --disable-zkg)
             append_cache_entry INSTALL_ZKG BOOL false
             ;;
-        --with-openssl=*)
-            append_cache_entry OPENSSL_ROOT_DIR PATH $optarg
-            ;;
-        --with-bind=*)
-            append_cache_entry BIND_ROOT_DIR PATH $optarg
-            ;;
-        --with-pcap=*)
-            append_cache_entry PCAP_ROOT_DIR PATH $optarg
-            ;;
-        --with-binpac=*)
-            append_cache_entry BINPAC_EXE_PATH PATH $optarg
-            ;;
         --with-bifcl=*)
             append_cache_entry BIFCL_EXE_PATH PATH $optarg
             ;;
-        --with-flex=*)
-            append_cache_entry FLEX_EXECUTABLE PATH $optarg
+        --with-bind=*)
+            append_cache_entry BIND_ROOT_DIR PATH $optarg
+            ;;
+        --with-binpac=*)
+            append_cache_entry BINPAC_EXE_PATH PATH $optarg
             ;;
         --with-bison=*)
             append_cache_entry BISON_EXECUTABLE PATH $optarg
             ;;
-        --with-geoip=*)
-            append_cache_entry LibMMDB_ROOT_DIR PATH $optarg
-            ;;
-        --with-krb5=*)
-            append_cache_entry LibKrb5_ROOT_DIR PATH $optarg
-            ;;
-        --with-perftools=*)
-            append_cache_entry GooglePerftools_ROOT_DIR PATH $optarg
-            ;;
-        --with-jemalloc=*)
-            append_cache_entry JEMALLOC_ROOT_DIR PATH $optarg
-            append_cache_entry ENABLE_JEMALLOC BOOL true
-            ;;
-        --with-python=*)
-            append_cache_entry PYTHON_EXECUTABLE PATH $optarg
-            ;;
-        --with-python-lib=*)
-            append_cache_entry PYTHON_LIBRARY PATH $optarg
-            ;;
-        --with-python-inc=*)
-            append_cache_entry PYTHON_INCLUDE_DIR PATH $optarg
-            append_cache_entry PYTHON_INCLUDE_PATH PATH $optarg
-            ;;
-        --with-swig=*)
-            append_cache_entry SWIG_EXECUTABLE PATH $optarg
-            ;;
         --with-broker=*)
             append_cache_entry BROKER_ROOT_DIR PATH $optarg
             ;;
         --with-caf=*)
             append_cache_entry CAF_ROOT PATH $optarg
             ;;
+        --with-flex=*)
+            append_cache_entry FLEX_EXECUTABLE PATH $optarg
+            ;;
+        --with-geoip=*)
+            append_cache_entry LibMMDB_ROOT_DIR PATH $optarg
+            ;;
+        --with-jemalloc=*)
+            append_cache_entry JEMALLOC_ROOT_DIR PATH $optarg
+            append_cache_entry ENABLE_JEMALLOC BOOL true
+            ;;
+        --with-krb5=*)
+            append_cache_entry LibKrb5_ROOT_DIR PATH $optarg
+            ;;
         --with-libkqueue=*)
             append_cache_entry LIBKQUEUE_ROOT_DIR PATH $optarg
             ;;
+        --with-pcap=*)
+            append_cache_entry PCAP_ROOT_DIR PATH $optarg
+            ;;
+        --with-perftools=*)
+            append_cache_entry GooglePerftools_ROOT_DIR PATH $optarg
+            ;;
+        --with-openssl=*)
+            append_cache_entry OPENSSL_ROOT_DIR PATH $optarg
+            ;;
+        --with-python=*)
+            append_cache_entry PYTHON_EXECUTABLE PATH $optarg
+            ;;
+        --with-python-inc=*)
+            append_cache_entry PYTHON_INCLUDE_DIR PATH $optarg
+            append_cache_entry PYTHON_INCLUDE_PATH PATH $optarg
+            ;;
+        --with-python-lib=*)
+            append_cache_entry PYTHON_LIBRARY PATH $optarg
+            ;;
+        --with-swig=*)
+            append_cache_entry SWIG_EXECUTABLE PATH $optarg
+            ;;
+        --sanitizers=*)
+            append_cache_entry ZEEK_SANITIZERS STRING $optarg
+            ;;
         --binary-package)
             append_cache_entry BINARY_PACKAGING_MODE BOOL true
             ;;

From f20f8ad4a8bd41ab5dbb6ea873674bbfb4e3cc42 Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Fri, 2 Jul 2021 15:19:11 -0700
Subject: [PATCH 125/210] Support for unit tests in plugins

This pushes the unit test kickoff down in the Zeek startup sequence, to give
plugins a chance to register. It also enforces deterministic mode for unit
testing, since without it some unit tests start to have nondeterministic results
at that stage.
---
 src/CMakeLists.txt |  1 +
 src/zeek-setup.cc  | 18 +++++++++++-------
 2 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index a0e2e8124b..4a3343e2b3 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -629,6 +629,7 @@ install(FILES
         ${CMAKE_CURRENT_SOURCE_DIR}/3rdparty/patricia.h
         ${CMAKE_CURRENT_SOURCE_DIR}/3rdparty/setsignal.h
         ${CMAKE_CURRENT_SOURCE_DIR}/3rdparty/sqlite3.h
+        ${CMAKE_CURRENT_SOURCE_DIR}/3rdparty/doctest.h
         DESTINATION include/zeek/3rdparty
 )
 
diff --git a/src/zeek-setup.cc b/src/zeek-setup.cc
index 5b2c6de914..3c391e2fe6 100644
--- a/src/zeek-setup.cc
+++ b/src/zeek-setup.cc
@@ -416,13 +416,7 @@ SetupResult setup(int argc, char** argv, Options* zopts)
 		}
 
 	if ( options.run_unit_tests )
-		{
-		doctest::Context context;
-		auto dargs = to_cargs(options.doctest_args);
-		context.applyCommandLine(dargs.size(), dargs.data());
-		ZEEK_LSAN_ENABLE();
-		exit(context.run());
-		}
+		options.deterministic_mode = true;
 
 	auto stem = Supervisor::CreateStem(options.supervisor_mode);
 
@@ -601,6 +595,16 @@ SetupResult setup(int argc, char** argv, Options* zopts)
 
 	plugin_mgr->ActivateDynamicPlugins(! options.bare_mode);
 
+	// Delay the unit test until here so that plugins have been loaded.
+	if ( options.run_unit_tests )
+		{
+		doctest::Context context;
+		auto dargs = to_cargs(options.doctest_args);
+		context.applyCommandLine(dargs.size(), dargs.data());
+		ZEEK_LSAN_ENABLE();
+		exit(context.run());
+		}
+
 	// Print usage after plugins load so that any path extensions are properly shown.
 	if ( options.print_usage )
 		usage(argv[0], 0);

From 5c44dfbb9e8a3e6876b6d41756f89ce5be1036ae Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Thu, 2 Dec 2021 12:57:28 -0800
Subject: [PATCH 126/210] Flip unit tests to being enabled by default

This flips --enable-cpp-tests to --disable-cpp-tests, enabling unit testing by
default. The help output has a minor corresponding tweak as well.
---
 configure      | 9 +++++----
 src/Options.cc | 3 ++-
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/configure b/configure
index 9db0899dc7..ddf4ce1bf1 100755
--- a/configure
+++ b/configure
@@ -55,7 +55,6 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
 
   Optional Features:
     --enable-coverage      compile with code coverage support (implies debugging mode)
-    --enable-cpp-tests     build Zeek's C++ unit tests
     --enable-debug         compile in debugging mode (like --build-type=Debug)
     --enable-fuzzers       build fuzzer targets
     --enable-jemalloc      link against jemalloc
@@ -70,6 +69,7 @@ Usage: $0 [OPTION]... [VAR=VALUE]...
     --disable-broker-tests don't try to build Broker unit tests
     --disable-btest        don't install BTest
     --disable-btest-pcaps  don't install Zeek's BTest input pcaps
+    --disable-cpp-tests    don't build Zeek's C++ unit tests
     --disable-python       don't try to build python bindings for Broker
     --disable-zeekctl      don't install ZeekControl
     --disable-zkg          don't install zkg
@@ -163,6 +163,7 @@ append_cache_entry ZEEK_ETC_INSTALL_DIR PATH $prefix/etc
 append_cache_entry ENABLE_DEBUG BOOL false
 append_cache_entry ENABLE_PERFTOOLS BOOL false
 append_cache_entry ENABLE_JEMALLOC BOOL false
+append_cache_entry ENABLE_ZEEK_UNIT_TESTS BOOL true
 append_cache_entry BUILD_SHARED_LIBS BOOL true
 append_cache_entry INSTALL_AUX_TOOLS BOOL true
 append_cache_entry INSTALL_BTEST BOOL true
@@ -260,9 +261,6 @@ while [ $# -ne 0 ]; do
             append_cache_entry ENABLE_COVERAGE BOOL true
             append_cache_entry ENABLE_DEBUG BOOL true
             ;;
-        --enable-cpp-tests)
-            append_cache_entry ENABLE_ZEEK_UNIT_TESTS BOOL true
-            ;;
         --enable-debug)
             append_cache_entry ENABLE_DEBUG BOOL true
             ;;
@@ -307,6 +305,9 @@ while [ $# -ne 0 ]; do
         --disable-btest-pcaps)
             append_cache_entry INSTALL_BTEST_PCAPS BOOL false
             ;;
+        --disable-cpp-tests)
+            append_cache_entry ENABLE_ZEEK_UNIT_TESTS BOOL false
+            ;;
         --disable-python)
             append_cache_entry DISABLE_PYTHON_BINDINGS BOOL true
             ;;
diff --git a/src/Options.cc b/src/Options.cc
index 2fa98a3b3a..0870acade1 100644
--- a/src/Options.cc
+++ b/src/Options.cc
@@ -143,8 +143,9 @@ void usage(const char* prog, int code)
 	fprintf(stderr, "    --pseudo-realtime[=<speedup>]   | enable pseudo-realtime for performance "
 	                "evaluation (default 1)\n");
 	fprintf(stderr, "    -j|--jobs                       | enable supervisor mode\n");
+
 	fprintf(stderr, "    --test                          | run unit tests ('--test -h' for help, "
-	                "only when compiling with ENABLE_ZEEK_UNIT_TESTS)\n");
+	                "not available when built without ENABLE_ZEEK_UNIT_TESTS)\n");
 	fprintf(stderr, "    $ZEEKPATH                       | file search path (%s)\n",
 	        util::zeek_path().c_str());
 	fprintf(stderr, "    $ZEEK_PLUGIN_PATH               | plugin search path (%s)\n",

From 78803b04fc844c5971446a5eecf7e7f77fb8559d Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Thu, 8 Jul 2021 12:32:50 -0700
Subject: [PATCH 127/210] Add testcases for plugin with doctest usage

---
 .../plugins.doctest-disabled/testnames        |  1 +
 .../plugins.doctest-supported/testnames       |  2 ++
 .../plugins.doctest-supported/testresults     |  7 ++++++
 .../plugins.doctest-unsupported/testnames     |  1 +
 testing/btest/plugins/doctest-disabled.zeek   | 12 +++++++++
 .../plugins/doctest-plugin/.btest-ignore      |  0
 .../plugins/doctest-plugin/src/Plugin.cc      | 25 +++++++++++++++++++
 .../btest/plugins/doctest-plugin/src/Plugin.h | 17 +++++++++++++
 testing/btest/plugins/doctest-supported.zeek  | 18 +++++++++++++
 .../btest/plugins/doctest-unsupported.zeek    | 13 ++++++++++
 testing/scripts/diff-clean-doctest            | 17 +++++++++++++
 11 files changed, 113 insertions(+)
 create mode 100644 testing/btest/Baseline/plugins.doctest-disabled/testnames
 create mode 100644 testing/btest/Baseline/plugins.doctest-supported/testnames
 create mode 100644 testing/btest/Baseline/plugins.doctest-supported/testresults
 create mode 100644 testing/btest/Baseline/plugins.doctest-unsupported/testnames
 create mode 100644 testing/btest/plugins/doctest-disabled.zeek
 create mode 100644 testing/btest/plugins/doctest-plugin/.btest-ignore
 create mode 100644 testing/btest/plugins/doctest-plugin/src/Plugin.cc
 create mode 100644 testing/btest/plugins/doctest-plugin/src/Plugin.h
 create mode 100644 testing/btest/plugins/doctest-supported.zeek
 create mode 100644 testing/btest/plugins/doctest-unsupported.zeek
 create mode 100755 testing/scripts/diff-clean-doctest

diff --git a/testing/btest/Baseline/plugins.doctest-disabled/testnames b/testing/btest/Baseline/plugins.doctest-disabled/testnames
new file mode 100644
index 0000000000..49d861c74c
--- /dev/null
+++ b/testing/btest/Baseline/plugins.doctest-disabled/testnames
@@ -0,0 +1 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
diff --git a/testing/btest/Baseline/plugins.doctest-supported/testnames b/testing/btest/Baseline/plugins.doctest-supported/testnames
new file mode 100644
index 0000000000..88ebfdf6ac
--- /dev/null
+++ b/testing/btest/Baseline/plugins.doctest-supported/testnames
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+doctest-plugin/demotest
diff --git a/testing/btest/Baseline/plugins.doctest-supported/testresults b/testing/btest/Baseline/plugins.doctest-supported/testresults
new file mode 100644
index 0000000000..1e4e9af997
--- /dev/null
+++ b/testing/btest/Baseline/plugins.doctest-supported/testresults
@@ -0,0 +1,7 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[doctest] doctest version is "x.y.z"
+[doctest] run with "--help" for options
+===============================================================================
+[doctest] test cases: 1 | 1 passed | 0 failed | XX skipped
+[doctest] assertions: 1 | 1 passed | 0 failed |
+[doctest] Status: SUCCESS!
diff --git a/testing/btest/Baseline/plugins.doctest-unsupported/testnames b/testing/btest/Baseline/plugins.doctest-unsupported/testnames
new file mode 100644
index 0000000000..49d861c74c
--- /dev/null
+++ b/testing/btest/Baseline/plugins.doctest-unsupported/testnames
@@ -0,0 +1 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
diff --git a/testing/btest/plugins/doctest-disabled.zeek b/testing/btest/plugins/doctest-disabled.zeek
new file mode 100644
index 0000000000..780f280e3b
--- /dev/null
+++ b/testing/btest/plugins/doctest-disabled.zeek
@@ -0,0 +1,12 @@
+# This requires Zeek with unit test support. The following errors if disabled.
+# @TEST-REQUIRES: zeek --test -h >/dev/null
+
+# @TEST-EXEC: ${DIST}/auxil/zeek-aux/plugin-support/init-plugin -u . Demo Doctest
+# @TEST-EXEC: cp -r %DIR/doctest-plugin/* .
+
+# Build the plugin without unit-test support.
+# @TEST-EXEC: ./configure --disable-cpp-tests --zeek-dist=${DIST} && make
+#
+# List the plugin's test names -- there shouldn't be any.
+# @TEST-EXEC: ZEEK_PLUGIN_ACTIVATE="Demo::Doctest" ZEEK_PLUGIN_PATH=`pwd` zeek --test -ltc | grep doctest-plugin >testnames || true
+# @TEST-EXEC: btest-diff testnames
diff --git a/testing/btest/plugins/doctest-plugin/.btest-ignore b/testing/btest/plugins/doctest-plugin/.btest-ignore
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/testing/btest/plugins/doctest-plugin/src/Plugin.cc b/testing/btest/plugins/doctest-plugin/src/Plugin.cc
new file mode 100644
index 0000000000..e12c564948
--- /dev/null
+++ b/testing/btest/plugins/doctest-plugin/src/Plugin.cc
@@ -0,0 +1,25 @@
+
+#include "Plugin.h"
+
+#include <zeek/3rdparty/doctest.h>
+
+
+namespace btest::plugin::Demo_Doctest { Plugin plugin; }
+
+using namespace btest::plugin::Demo_Doctest;
+
+zeek::plugin::Configuration Plugin::Configure()
+	{
+	zeek::plugin::Configuration config;
+	config.name = "Demo::Doctest";
+	config.description = "Run doctest in a unit-test enabled build";
+	config.version.major = 1;
+	config.version.minor = 0;
+	config.version.patch = 0;
+	return config;
+	}
+
+TEST_CASE("doctest-plugin/demotest")
+        {
+        CHECK(true);
+        }
diff --git a/testing/btest/plugins/doctest-plugin/src/Plugin.h b/testing/btest/plugins/doctest-plugin/src/Plugin.h
new file mode 100644
index 0000000000..ac70241d19
--- /dev/null
+++ b/testing/btest/plugins/doctest-plugin/src/Plugin.h
@@ -0,0 +1,17 @@
+
+#pragma once
+
+#include <zeek/plugin/Plugin.h>
+
+namespace btest::plugin::Demo_Doctest {
+
+class Plugin : public zeek::plugin::Plugin
+{
+protected:
+	// Overridden from zeek::plugin::Plugin.
+	zeek::plugin::Configuration Configure() override;
+};
+
+extern Plugin plugin;
+
+}
diff --git a/testing/btest/plugins/doctest-supported.zeek b/testing/btest/plugins/doctest-supported.zeek
new file mode 100644
index 0000000000..075ab9f2c0
--- /dev/null
+++ b/testing/btest/plugins/doctest-supported.zeek
@@ -0,0 +1,18 @@
+# This requires Zeek with unit test support. The following errors if disabled.
+# @TEST-REQUIRES: zeek --test -h >/dev/null
+
+# @TEST-EXEC: ${DIST}/auxil/zeek-aux/plugin-support/init-plugin -u . Demo Doctest
+# @TEST-EXEC: cp -r %DIR/doctest-plugin/* .
+
+# Build the plugin with unit-test support. Zeek supports it, so we should
+# get runnable tests.
+# @TEST-EXEC: ./configure --zeek-dist=${DIST} && make
+#
+# List the plugin's test names.
+# @TEST-EXEC: ZEEK_PLUGIN_ACTIVATE="Demo::Doctest" ZEEK_PLUGIN_PATH=`pwd` zeek --test -ltc | grep doctest-plugin >testnames
+# @TEST-EXEC: btest-diff testnames
+
+# The seed file affects some of the unit tests, so we unset it.
+# Running the unit tests implies deterministic mode, -D.
+# @TEST-EXEC: ZEEK_SEED_FILE= ZEEK_PLUGIN_ACTIVATE="Demo::Doctest" ZEEK_PLUGIN_PATH=`pwd` zeek --test --test-case='doctest-plugin/*' >testresults
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=diff-clean-doctest btest-diff testresults
diff --git a/testing/btest/plugins/doctest-unsupported.zeek b/testing/btest/plugins/doctest-unsupported.zeek
new file mode 100644
index 0000000000..b1f6480ca4
--- /dev/null
+++ b/testing/btest/plugins/doctest-unsupported.zeek
@@ -0,0 +1,13 @@
+# This requires Zeek without unit test support. The following errors if enabled.
+# @TEST-REQUIRES: ! zeek --test -h >/dev/null
+
+# @TEST-EXEC: ${DIST}/auxil/zeek-aux/plugin-support/init-plugin -u . Demo Doctest
+# @TEST-EXEC: cp -r %DIR/doctest-plugin/* .
+
+# Build the plugin without disabling unit testing. Zeek doesn't support it,
+# so the plugin should automatically build without it.
+# @TEST-EXEC: ./configure --zeek-dist=${DIST} && make
+#
+# List the plugin's test names -- there shouldn't be any.
+# @TEST-EXEC: ZEEK_PLUGIN_ACTIVATE="Demo::Doctest" ZEEK_PLUGIN_PATH=`pwd` zeek --test -ltc | grep doctest-plugin >testnames || true
+# @TEST-EXEC: btest-diff testnames
diff --git a/testing/scripts/diff-clean-doctest b/testing/scripts/diff-clean-doctest
new file mode 100755
index 0000000000..613bd2ffc1
--- /dev/null
+++ b/testing/scripts/diff-clean-doctest
@@ -0,0 +1,17 @@
+#! /usr/bin/env bash
+#
+# doctest's console reports contain several aspects that change over time:
+# - The total number of tests, which we replace with "XX"
+# - The version number, which becomes "x.y.z"
+# - Spacing in the report, which we normalize to single spaces
+
+# Get us "modern" regexps with sed.
+if [ $(uname) == "Linux" ]; then
+    sed="sed -r"
+else
+    sed="sed -E"
+fi
+
+$sed -e 's/[0-9]+ skipped/XX skipped/g' |
+    $sed -e 's/"[0-9]+\.[0-9]+\.[0-9]+"/"x.y.z"/g' |
+    $sed -e 's/ {2,}/ /g'

From a1eb36de95d43236e1ef43cdbca0b2252d80ffe2 Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Mon, 6 Dec 2021 12:04:57 -0800
Subject: [PATCH 128/210] Remove the --enable-cpp-tests configure flag in
 Cirrus CI

We no longer need it given that unit tests are now enabled by default.
---
 .cirrus.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/.cirrus.yml b/.cirrus.yml
index c6cc08954b..c1f963cf6c 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -10,11 +10,11 @@ btest_jobs: &BTEST_JOBS 4
 btest_retries: &BTEST_RETRIES 2
 memory: &MEMORY 4GB
 
-config: &CONFIG --build-type=release --enable-cpp-tests --disable-broker-tests --prefix=$CIRRUS_WORKING_DIR/install
-static_config: &STATIC_CONFIG --build-type=release --enable-cpp-tests --disable-broker-tests --enable-static-broker --enable-static-binpac --prefix=$CIRRUS_WORKING_DIR/install
-sanitizer_config: &SANITIZER_CONFIG --build-type=debug --enable-cpp-tests --disable-broker-tests --sanitizers=address,undefined --enable-fuzzers --enable-coverage
-mobile_ipv6_config: &MOBILE_IPV6_CONFIG --build-type=release --enable-cpp-tests --enable-mobile-ipv6 --disable-broker-tests --prefix=$CIRRUS_WORKING_DIR/install
-openssl30_config: &OPENSSL30_CONFIG --build-type=release --enable-cpp-tests  --disable-broker-tests --with-openssl=/opt/openssl --prefix=$CIRRUS_WORKING_DIR/install
+config: &CONFIG --build-type=release --disable-broker-tests --prefix=$CIRRUS_WORKING_DIR/install
+static_config: &STATIC_CONFIG --build-type=release --disable-broker-tests --enable-static-broker --enable-static-binpac --prefix=$CIRRUS_WORKING_DIR/install
+sanitizer_config: &SANITIZER_CONFIG --build-type=debug --disable-broker-tests --sanitizers=address,undefined --enable-fuzzers --enable-coverage
+mobile_ipv6_config: &MOBILE_IPV6_CONFIG --build-type=release --enable-mobile-ipv6 --disable-broker-tests --prefix=$CIRRUS_WORKING_DIR/install
+openssl30_config: &OPENSSL30_CONFIG --build-type=release --disable-broker-tests --with-openssl=/opt/openssl --prefix=$CIRRUS_WORKING_DIR/install
 
 resources_template: &RESOURCES_TEMPLATE
   cpu: *CPUS

From 33cd1cf65fea028f8a1aadd521351ab30a132ea7 Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Fri, 3 Dec 2021 20:16:42 -0800
Subject: [PATCH 129/210] Update cmake and auxil/zeek-aux submodules

---
 auxil/zeek-aux | 2 +-
 cmake          | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/auxil/zeek-aux b/auxil/zeek-aux
index 9100b9d524..614fb53023 160000
--- a/auxil/zeek-aux
+++ b/auxil/zeek-aux
@@ -1 +1 @@
-Subproject commit 9100b9d524dddfade02f1b4fceb54265a113b68c
+Subproject commit 614fb53023e97f71816beacba401f085d5dbdd6d
diff --git a/cmake b/cmake
index 7ba5d4cb81..88cf658d05 160000
--- a/cmake
+++ b/cmake
@@ -1 +1 @@
-Subproject commit 7ba5d4cb8115496ce88e6ec71a74ca3927a0b7fd
+Subproject commit 88cf658d059772b3df6dcd4a91c1a4c4afc113d9

From c7eef7b09455e33741d4f90765f531ce24374349 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Tue, 7 Dec 2021 10:43:46 -0700
Subject: [PATCH 130/210] Update plugin.hooks baseline for recent Geneve change

---
 testing/btest/Baseline/plugins.hooks/output | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index bdb7837b2e..274c93bb10 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -593,6 +593,9 @@
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 34984, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 35110, PacketAnalyzer::ANALYZER_VNTAG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 37120, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_GENEVE, 2048, PacketAnalyzer::ANALYZER_IP)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_GENEVE, 2056, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_GENEVE, 2269, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_GENEVE, 25944, PacketAnalyzer::ANALYZER_ETHERNET)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IEEE802_11, 2048, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IEEE802_11, 2054, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
@@ -2047,6 +2050,9 @@
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 34984, PacketAnalyzer::ANALYZER_VLAN))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 35110, PacketAnalyzer::ANALYZER_VNTAG))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 37120, PacketAnalyzer::ANALYZER_VLAN))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_GENEVE, 2048, PacketAnalyzer::ANALYZER_IP))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_GENEVE, 2056, PacketAnalyzer::ANALYZER_ARP))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_GENEVE, 2269, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_GENEVE, 25944, PacketAnalyzer::ANALYZER_ETHERNET))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IEEE802_11, 2048, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IEEE802_11, 2054, PacketAnalyzer::ANALYZER_ARP))
@@ -3500,6 +3506,9 @@
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 34984, PacketAnalyzer::ANALYZER_VLAN)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 35110, PacketAnalyzer::ANALYZER_VNTAG)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 37120, PacketAnalyzer::ANALYZER_VLAN)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GENEVE, 2048, PacketAnalyzer::ANALYZER_IP)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GENEVE, 2056, PacketAnalyzer::ANALYZER_ARP)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GENEVE, 2269, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GENEVE, 25944, PacketAnalyzer::ANALYZER_ETHERNET)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IEEE802_11, 2048, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IEEE802_11, 2054, PacketAnalyzer::ANALYZER_ARP)

From 7a6501296b557bf8f9710ba2dab57302fab96a4c Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Wed, 8 Dec 2021 09:18:54 -0700
Subject: [PATCH 131/210] Restore --disable-zeekctl configure argument

---
 configure | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/configure b/configure
index ddf4ce1bf1..8f0fb27e41 100755
--- a/configure
+++ b/configure
@@ -311,6 +311,9 @@ while [ $# -ne 0 ]; do
         --disable-python)
             append_cache_entry DISABLE_PYTHON_BINDINGS BOOL true
             ;;
+        --disable-zeekctl)
+            append_cache_entry INSTALL_ZEEKCTL BOOL false
+            ;;
         --disable-zkg)
             append_cache_entry INSTALL_ZKG BOOL false
             ;;

From 1aaed1cc2e6d4b1338c18425afe2743992eef094 Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Mon, 6 Dec 2021 17:49:25 -0800
Subject: [PATCH 132/210] Add LogAscii::json_include_unset_fields flag to
 control unset field rendering

The flag controls whether JSON rendering includes unset &optional log fields
(F, the default), or includes them with a null value (T).
---
 .../frameworks/logging/writers/ascii.zeek     |  5 ++++
 src/logging/writers/ascii/Ascii.cc            | 19 ++++++++++++-
 src/logging/writers/ascii/Ascii.h             |  1 +
 src/logging/writers/ascii/ascii.bif           |  1 +
 src/threading/formatters/JSON.cc              | 13 +++++----
 src/threading/formatters/JSON.h               |  3 +-
 .../testing_nullfields.log                    |  2 ++
 .../testing_nullfields_via_config.log         |  2 ++
 .../logging/ascii-json-optional.zeek          | 28 ++++++++++++++++---
 9 files changed, 62 insertions(+), 12 deletions(-)
 create mode 100644 testing/btest/Baseline/scripts.base.frameworks.logging.ascii-json-optional/testing_nullfields.log
 create mode 100644 testing/btest/Baseline/scripts.base.frameworks.logging.ascii-json-optional/testing_nullfields_via_config.log

diff --git a/scripts/base/frameworks/logging/writers/ascii.zeek b/scripts/base/frameworks/logging/writers/ascii.zeek
index ce37a32537..bbeb94c172 100644
--- a/scripts/base/frameworks/logging/writers/ascii.zeek
+++ b/scripts/base/frameworks/logging/writers/ascii.zeek
@@ -66,6 +66,11 @@ export {
 	## This option is also available as a per-filter ``$config`` option.
 	const json_timestamps: JSON::TimestampFormat = JSON::TS_EPOCH &redef;
 
+	## Handling of optional fields when writing out JSON. By default the
+	## JSON formatter skips key and val when the field is absent. Setting
+	## the following field to T includes the key, with a null value.
+	const json_include_unset_fields = F &redef;
+
 	## If true, include lines with log meta information such as column names
 	## with types, the values of ASCII logging options that are in use, and
 	## the time when the file was opened and closed (the latter at the end).
diff --git a/src/logging/writers/ascii/Ascii.cc b/src/logging/writers/ascii/Ascii.cc
index d70e23db99..0b189c75b5 100644
--- a/src/logging/writers/ascii/Ascii.cc
+++ b/src/logging/writers/ascii/Ascii.cc
@@ -197,6 +197,7 @@ Ascii::Ascii(WriterFrontend* frontend) : WriterBackend(frontend)
 	tsv = false;
 	use_json = false;
 	enable_utf_8 = false;
+	json_include_unset_fields = false;
 	formatter = nullptr;
 	gzip_level = 0;
 	gzfile = nullptr;
@@ -232,6 +233,8 @@ void Ascii::InitConfigOptions()
 	BifConst::LogAscii::json_timestamps->Describe(&tsfmt);
 	json_timestamps.assign((const char*)tsfmt.Bytes(), tsfmt.Len());
 
+	json_include_unset_fields = BifConst::LogAscii::json_include_unset_fields;
+
 	gzip_file_extension.assign((const char*)BifConst::LogAscii::gzip_file_extension->Bytes(),
 	                           BifConst::LogAscii::gzip_file_extension->Len());
 
@@ -329,6 +332,20 @@ bool Ascii::InitFilterOptions()
 		else if ( strcmp(i->first, "json_timestamps") == 0 )
 			json_timestamps.assign(i->second);
 
+		else if ( strcmp(i->first, "json_include_unset_fields") == 0 )
+			{
+			if ( strcmp(i->second, "T") == 0 )
+				json_include_unset_fields = true;
+			else if ( strcmp(i->second, "F") == 0 )
+				json_include_unset_fields = false;
+			else
+				{
+				Error("invalid value for 'json_include_unset_fields', must be "
+				      "a string and either \"T\" or \"F\"");
+				return false;
+				}
+			}
+
 		else if ( strcmp(i->first, "gzip_file_extension") == 0 )
 			gzip_file_extension.assign(i->second);
 
@@ -364,7 +381,7 @@ bool Ascii::InitFormatter()
 			return false;
 			}
 
-		formatter = new threading::formatter::JSON(this, tf);
+		formatter = new threading::formatter::JSON(this, tf, json_include_unset_fields);
 		// Using JSON implicitly turns off the header meta fields.
 		include_meta = false;
 		}
diff --git a/src/logging/writers/ascii/Ascii.h b/src/logging/writers/ascii/Ascii.h
index ae5afff999..b7eb1dc1d8 100644
--- a/src/logging/writers/ascii/Ascii.h
+++ b/src/logging/writers/ascii/Ascii.h
@@ -78,6 +78,7 @@ private:
 	bool use_json;
 	bool enable_utf_8;
 	std::string json_timestamps;
+	bool json_include_unset_fields;
 	std::string logdir;
 
 	threading::Formatter* formatter;
diff --git a/src/logging/writers/ascii/ascii.bif b/src/logging/writers/ascii/ascii.bif
index c7d30ad531..38932ded36 100644
--- a/src/logging/writers/ascii/ascii.bif
+++ b/src/logging/writers/ascii/ascii.bif
@@ -14,6 +14,7 @@ const use_json: bool;
 const enable_leftover_log_rotation: bool;
 const enable_utf_8: bool;
 const json_timestamps: JSON::TimestampFormat;
+const json_include_unset_fields: bool;
 const gzip_level: count;
 const gzip_file_extension: string;
 const logdir: string;
diff --git a/src/threading/formatters/JSON.cc b/src/threading/formatters/JSON.cc
index 5e3449cbdc..774b231f39 100644
--- a/src/threading/formatters/JSON.cc
+++ b/src/threading/formatters/JSON.cc
@@ -28,7 +28,8 @@ bool JSON::NullDoubleWriter::Double(double d)
 	return rapidjson::Writer<rapidjson::StringBuffer>::Double(d);
 	}
 
-JSON::JSON(MsgThread* t, TimeFormat tf) : Formatter(t), surrounding_braces(true)
+JSON::JSON(MsgThread* t, TimeFormat tf, bool arg_include_unset_fields)
+	: Formatter(t), surrounding_braces(true), include_unset_fields(arg_include_unset_fields)
 	{
 	timestamps = tf;
 	}
@@ -44,7 +45,7 @@ bool JSON::Describe(ODesc* desc, int num_fields, const Field* const* fields, Val
 
 	for ( int i = 0; i < num_fields; i++ )
 		{
-		if ( vals[i]->present )
+		if ( vals[i]->present || include_unset_fields )
 			BuildJSON(writer, vals[i], fields[i]->name);
 		}
 
@@ -62,7 +63,7 @@ bool JSON::Describe(ODesc* desc, Value* val, const std::string& name) const
 		return false;
 		}
 
-	if ( ! val->present || name.empty() )
+	if ( (! val->present && ! include_unset_fields) || name.empty() )
 		return true;
 
 	rapidjson::Document doc;
@@ -86,15 +87,15 @@ Value* JSON::ParseValue(const std::string& s, const std::string& name, TypeTag t
 
 void JSON::BuildJSON(NullDoubleWriter& writer, Value* val, const std::string& name) const
 	{
+	if ( ! name.empty() )
+		writer.Key(name);
+
 	if ( ! val->present )
 		{
 		writer.Null();
 		return;
 		}
 
-	if ( ! name.empty() )
-		writer.Key(name);
-
 	switch ( val->type )
 		{
 		case TYPE_BOOL:
diff --git a/src/threading/formatters/JSON.h b/src/threading/formatters/JSON.h
index 0b6ae12b81..c946ab7bf2 100644
--- a/src/threading/formatters/JSON.h
+++ b/src/threading/formatters/JSON.h
@@ -26,7 +26,7 @@ public:
 		          // elasticsearch).
 		};
 
-	JSON(MsgThread* t, TimeFormat tf);
+	JSON(MsgThread* t, TimeFormat tf, bool include_unset_fields = false);
 	~JSON() override;
 
 	bool Describe(ODesc* desc, Value* val, const std::string& name = "") const override;
@@ -50,6 +50,7 @@ private:
 
 	TimeFormat timestamps;
 	bool surrounding_braces;
+	bool include_unset_fields;
 	};
 
 	} // namespace zeek::threading::formatter
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-json-optional/testing_nullfields.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-json-optional/testing_nullfields.log
new file mode 100644
index 0000000000..90269d5703
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-json-optional/testing_nullfields.log
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+{"ts":null,"msg":"Testing 1 2 3 "}
diff --git a/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-json-optional/testing_nullfields_via_config.log b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-json-optional/testing_nullfields_via_config.log
new file mode 100644
index 0000000000..90269d5703
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.frameworks.logging.ascii-json-optional/testing_nullfields_via_config.log
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+{"ts":null,"msg":"Testing 1 2 3 "}
diff --git a/testing/btest/scripts/base/frameworks/logging/ascii-json-optional.zeek b/testing/btest/scripts/base/frameworks/logging/ascii-json-optional.zeek
index ec86557c4a..6ef40cae28 100644
--- a/testing/btest/scripts/base/frameworks/logging/ascii-json-optional.zeek
+++ b/testing/btest/scripts/base/frameworks/logging/ascii-json-optional.zeek
@@ -1,10 +1,20 @@
+# This test verifies the behavior of the JSON writer regarding unset optional
+# values.  By default, such fields are skipped, while redef'ing
+# LogAscii::json_include_unset_fields=T or using a filter's config table to set a
+# field of the same name includes them with a null value.
 #
 # @TEST-EXEC: zeek -b %INPUT
 # @TEST-EXEC: btest-diff testing.log
+#
+# @TEST-EXEC: zeek -b %INPUT LogAscii::json_include_unset_fields=T Testing::logname=testing_nullfields
+# @TEST-EXEC: btest-diff testing_nullfields.log
+#
+# @TEST-EXEC: zeek -b %INPUT Testing::use_config_table=T Testing::logname=testing_nullfields_via_config
+# @TEST-EXEC: btest-diff testing_nullfields_via_config.log
 
 @load tuning/json-logs
 
-module testing;
+module Testing;
 
 export {
     redef enum Log::ID += { LOG };
@@ -15,13 +25,23 @@ export {
     };
 
     global log_test: event(rec: Info);
+
+    const logname = "testing" &redef;
+    const use_config_table = F &redef;
 }
 
 event zeek_init() &priority=5
 {
-    Log::create_stream(testing::LOG, [$columns=testing::Info, $ev=log_test]);
+    Log::create_stream(LOG, [$columns=Info, $ev=log_test, $path=logname]);
+
+    if ( use_config_table )
+        {
+        local f = Log::get_filter(LOG, "default");
+        f$config = table(["json_include_unset_fields"] = "T");
+        Log::add_filter(LOG, f);
+        }
+
     local info: Info;
     info$msg = "Testing 1 2 3 ";
-   Log::write(testing::LOG, info);
+    Log::write(LOG, info);
 }
-

From e1dc09e230ed994f9ed57664847d2c1491c3ab44 Mon Sep 17 00:00:00 2001
From: Johanna Amann <johanna@corelight.com>
Date: Thu, 9 Dec 2021 19:15:33 +0000
Subject: [PATCH 133/210] Improve error message for clash between variable and
 function name

The previous error message was very cryptic and led to an abort.

Fixes GH-1832
---
 src/Var.cc | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/Var.cc b/src/Var.cc
index dc8a04251b..5437b11c33 100644
--- a/src/Var.cc
+++ b/src/Var.cc
@@ -618,8 +618,14 @@ void begin_func(IDPtr id, const char* module_name, FunctionFlavor flavor, bool i
 	std::optional<FuncType::Prototype> prototype;
 
 	if ( id->GetType() )
+		{
+		if ( id->GetType()->Tag() != TYPE_FUNC )
+			{
+			id->Error("Function clash with previous definition with incompatible type", t.get());
+			reporter->FatalError("invalid definition of '%s' (see previous errors)", id->Name());
+			}
 		prototype = get_prototype(id, t);
-
+		}
 	else if ( is_redef )
 		id->Error("redef of not-previously-declared value");
 

From c15a9eab7f45f27df915e96292e99de53c4ad3a0 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Wed, 8 Dec 2021 12:51:19 -0700
Subject: [PATCH 134/210] GH-1740: Report a better error message if table key
 is not a list

---
 src/Expr.cc | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/Expr.cc b/src/Expr.cc
index b1d7ebb153..9271cf7e22 100644
--- a/src/Expr.cc
+++ b/src/Expr.cc
@@ -2626,7 +2626,7 @@ TypePtr AssignExpr::InitType() const
 	{
 	if ( op1->Tag() != EXPR_LIST )
 		{
-		Error("bad initializer");
+		Error("bad initializer, first operand should be a list");
 		return nullptr;
 		}
 
@@ -3490,7 +3490,10 @@ TableConstructorExpr::TableConstructorExpr(ListExprPtr constructor_list,
 			SetType(init_type(op.get()));
 
 			if ( ! type )
+				{
 				SetError();
+				return;
+				}
 
 			else if ( type->Tag() != TYPE_TABLE || type->AsTableType()->IsSet() )
 				SetError("values in table(...) constructor do not specify a table");

From b966a3876f8a543542ff5326f0aa7f90c2ab7d56 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Wed, 8 Dec 2021 14:08:54 -0700
Subject: [PATCH 135/210] GH-1741: Print error if calling a non-hook with hook
 keyword

---
 src/parse.y                                     |  4 ++++
 .../Baseline/language.hook_calls/invalid.out    | 17 +++++++++--------
 testing/btest/language/hook_calls.zeek          |  8 +++++++-
 3 files changed, 20 insertions(+), 9 deletions(-)

diff --git a/src/parse.y b/src/parse.y
index e7bf8fddac..cf60ff58ac 100644
--- a/src/parse.y
+++ b/src/parse.y
@@ -721,8 +721,12 @@ expr:
 			{
 			--in_hook;
 			set_location(@1, @3);
+
 			if ( $3->Tag() != EXPR_CALL )
 				$3->Error("not a valid hook call expression");
+			else if ( $3->AsCallExpr()->Func()->GetType()->AsFuncType()->Flavor() != FUNC_FLAVOR_HOOK )
+				$3->Error("hook keyword should only be used to call hooks");
+
 			$$ = $3;
 			}
 
diff --git a/testing/btest/Baseline/language.hook_calls/invalid.out b/testing/btest/Baseline/language.hook_calls/invalid.out
index 762168bcef..89ec4d01ac 100644
--- a/testing/btest/Baseline/language.hook_calls/invalid.out
+++ b/testing/btest/Baseline/language.hook_calls/invalid.out
@@ -1,9 +1,10 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-error in ./invalid.zeek, line 9: hook cannot be called directly, use hook operator (myhook)
-error in ./invalid.zeek, line 10: hook cannot be called directly, use hook operator (myhook)
-error in ./invalid.zeek, line 11: hook cannot be called directly, use hook operator (myhook)
-error in ./invalid.zeek, line 12: not a valid hook call expression (2 + 2)
-warning in ./invalid.zeek, line 12: expression value ignored (2 + 2)
-error in ./invalid.zeek, line 13: not a valid hook call expression (2 + 2)
-error in ./invalid.zeek, line 15: hook cannot be called directly, use hook operator (h)
-error in ./invalid.zeek, line 16: hook cannot be called directly, use hook operator (h)
+error in ./invalid.zeek, line 14: hook cannot be called directly, use hook operator (myhook)
+error in ./invalid.zeek, line 15: hook cannot be called directly, use hook operator (myhook)
+error in ./invalid.zeek, line 16: hook cannot be called directly, use hook operator (myhook)
+error in ./invalid.zeek, line 17: not a valid hook call expression (2 + 2)
+warning in ./invalid.zeek, line 17: expression value ignored (2 + 2)
+error in ./invalid.zeek, line 18: not a valid hook call expression (2 + 2)
+error in ./invalid.zeek, line 20: hook cannot be called directly, use hook operator (h)
+error in ./invalid.zeek, line 21: hook cannot be called directly, use hook operator (h)
+error in ./invalid.zeek, line 24: hook keyword should only be used to call hooks (foo())
diff --git a/testing/btest/language/hook_calls.zeek b/testing/btest/language/hook_calls.zeek
index eee92f1e2a..89ba9bc4cc 100644
--- a/testing/btest/language/hook_calls.zeek
+++ b/testing/btest/language/hook_calls.zeek
@@ -15,7 +15,7 @@ hook myhook(i: count)
 hook myhook(i: count) &priority=-1
     {
     print "other myhook()", i;
-	}
+    }
 
 function indirect(): hook(i: count)
     {
@@ -66,6 +66,11 @@ hook myhook(i: count)
 	if ( i == 0 ) break;
 	}
 
+function foo()
+	{
+	print "foo()";
+	}
+
 event zeek_init()
 	{
 	myhook(3);
@@ -78,5 +83,6 @@ event zeek_init()
 	if ( h(3) )
 		print "hmm";
 	print "done";
+	hook foo();
 	}
 @TEST-END-FILE

From 248325e30106bb81444ecf3ce6716bfb3ab3d6c8 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Wed, 8 Dec 2021 09:29:15 -0700
Subject: [PATCH 136/210] Fix ethertype for ARP in Geneve forwarding rules

---
 scripts/base/packet-protocols/geneve/main.zeek | 2 +-
 testing/btest/Baseline/plugins.hooks/output    | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/scripts/base/packet-protocols/geneve/main.zeek b/scripts/base/packet-protocols/geneve/main.zeek
index d70055925b..64efe9ce66 100644
--- a/scripts/base/packet-protocols/geneve/main.zeek
+++ b/scripts/base/packet-protocols/geneve/main.zeek
@@ -23,5 +23,5 @@ event zeek_init() &priority=20
 	# Some additional mappings for protocols that we already handle natively.
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GENEVE, 0x0800, PacketAnalyzer::ANALYZER_IP);
 	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GENEVE, 0x08DD, PacketAnalyzer::ANALYZER_IP);
-	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GENEVE, 0x0808, PacketAnalyzer::ANALYZER_ARP);
+	PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GENEVE, 0x0806, PacketAnalyzer::ANALYZER_ARP);
 	}
diff --git a/testing/btest/Baseline/plugins.hooks/output b/testing/btest/Baseline/plugins.hooks/output
index 274c93bb10..45ee2b9c00 100644
--- a/testing/btest/Baseline/plugins.hooks/output
+++ b/testing/btest/Baseline/plugins.hooks/output
@@ -594,7 +594,7 @@
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 35110, PacketAnalyzer::ANALYZER_VNTAG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 37120, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_GENEVE, 2048, PacketAnalyzer::ANALYZER_IP)) -> <no result>
-0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_GENEVE, 2056, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_GENEVE, 2054, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_GENEVE, 2269, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_GENEVE, 25944, PacketAnalyzer::ANALYZER_ETHERNET)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IEEE802_11, 2048, PacketAnalyzer::ANALYZER_IP)) -> <no result>
@@ -2051,7 +2051,7 @@
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 35110, PacketAnalyzer::ANALYZER_VNTAG))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 37120, PacketAnalyzer::ANALYZER_VLAN))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_GENEVE, 2048, PacketAnalyzer::ANALYZER_IP))
-0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_GENEVE, 2056, PacketAnalyzer::ANALYZER_ARP))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_GENEVE, 2054, PacketAnalyzer::ANALYZER_ARP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_GENEVE, 2269, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_GENEVE, 25944, PacketAnalyzer::ANALYZER_ETHERNET))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IEEE802_11, 2048, PacketAnalyzer::ANALYZER_IP))
@@ -3507,7 +3507,7 @@
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 35110, PacketAnalyzer::ANALYZER_VNTAG)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 37120, PacketAnalyzer::ANALYZER_VLAN)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GENEVE, 2048, PacketAnalyzer::ANALYZER_IP)
-0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GENEVE, 2056, PacketAnalyzer::ANALYZER_ARP)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GENEVE, 2054, PacketAnalyzer::ANALYZER_ARP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GENEVE, 2269, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GENEVE, 25944, PacketAnalyzer::ANALYZER_ETHERNET)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IEEE802_11, 2048, PacketAnalyzer::ANALYZER_IP)

From 5f81c50e0f20790026c2540d8c329764bf44bb40 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Wed, 8 Dec 2021 10:11:35 -0700
Subject: [PATCH 137/210] GH-1125: Support GRE ARUBA headers

---
 src/packet_analysis/protocol/gre/GRE.cc       |  30 +++++++++++++++---
 .../protocol/iptunnel/IPTunnel.cc             |  11 +++----
 .../core.tunnels.gre-aruba/tunnel.log         |  11 +++++++
 testing/btest/Traces/tunnels/gre-aruba.pcap   | Bin 0 -> 384129 bytes
 testing/btest/core/tunnels/gre-aruba.zeek     |   4 +++
 5 files changed, 46 insertions(+), 10 deletions(-)
 create mode 100644 testing/btest/Baseline/core.tunnels.gre-aruba/tunnel.log
 create mode 100644 testing/btest/Traces/tunnels/gre-aruba.pcap
 create mode 100644 testing/btest/core/tunnels/gre-aruba.zeek

diff --git a/src/packet_analysis/protocol/gre/GRE.cc b/src/packet_analysis/protocol/gre/GRE.cc
index f282f314eb..4eefff20e8 100644
--- a/src/packet_analysis/protocol/gre/GRE.cc
+++ b/src/packet_analysis/protocol/gre/GRE.cc
@@ -85,7 +85,6 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 				{
 				eth_len = 14;
 				gre_link_type = DLT_EN10MB;
-				proto_typ = ntohs(*((uint16_t*)(data + gre_len + eth_len - 2)));
 				}
 			else
 				{
@@ -113,7 +112,6 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 						return false;
 						}
 					}
-				proto_typ = ntohs(*((uint16_t*)(data + gre_len + erspan_len + eth_len - 2)));
 				}
 			else
 				{
@@ -144,8 +142,32 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 						return false;
 						}
 					}
+				}
+			else
+				{
+				Weird("truncated_GRE", packet);
+				return false;
+				}
+			}
 
-				proto_typ = ntohs(*((uint16_t*)(data + gre_len + erspan_len + eth_len - 2)));
+		else if ( proto_typ == 0x8200 )
+			{
+			// ARUBA. Following headers seem like they're always a 26-byte 802.11 QoS header, then
+			// an 8-byte LLC header, then IPv4. There's very little in the way of documentation
+			// for ARUBA's header format. This is all based on the one sample file we have that
+			// contains it.
+			if ( len > gre_len + 34 )
+				{
+				gre_link_type = DLT_EN10MB;
+				erspan_len = 34;
+
+				// TODO: fix this, but it's gonna require quite a bit more surgery to the GRE
+				// analyzer to make it more independent from the IPTunnel analyzer.
+				// Setting gre_version to 1 here tricks the IPTunnel analyzer into treating the
+				// first header as IP instead of Ethernet which it does by default when
+				// gre_version is 0.
+				gre_version = 1;
+				proto = (data[gre_len + 34] & 0xF0) >> 4;
 				}
 			else
 				{
@@ -187,7 +209,7 @@ bool GREAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* packet)
 		return false;
 		}
 
-	if ( gre_version == 1 )
+	if ( gre_version == 1 && proto_typ != 0x8200 )
 		{
 		uint16_t ppp_proto = ntohs(*((uint16_t*)(data + gre_len + 2)));
 
diff --git a/src/packet_analysis/protocol/iptunnel/IPTunnel.cc b/src/packet_analysis/protocol/iptunnel/IPTunnel.cc
index 699572a950..b16b2dd00c 100644
--- a/src/packet_analysis/protocol/iptunnel/IPTunnel.cc
+++ b/src/packet_analysis/protocol/iptunnel/IPTunnel.cc
@@ -84,13 +84,12 @@ bool IPTunnelAnalyzer::AnalyzePacket(size_t len, const uint8_t* data, Packet* pa
 		tunnel_it->second.second = zeek::run_state::network_time;
 
 	if ( gre_version == 0 )
-		ProcessEncapsulatedPacket(run_state::processing_start_time, packet, len, len, data,
-		                          gre_link_type, packet->encap, ip_tunnels[tunnel_idx].first);
+		return ProcessEncapsulatedPacket(run_state::processing_start_time, packet, len, len, data,
+		                                 gre_link_type, packet->encap,
+		                                 ip_tunnels[tunnel_idx].first);
 	else
-		ProcessEncapsulatedPacket(run_state::processing_start_time, packet, inner, packet->encap,
-		                          ip_tunnels[tunnel_idx].first);
-
-	return true;
+		return ProcessEncapsulatedPacket(run_state::processing_start_time, packet, inner,
+		                                 packet->encap, ip_tunnels[tunnel_idx].first);
 	}
 
 /**
diff --git a/testing/btest/Baseline/core.tunnels.gre-aruba/tunnel.log b/testing/btest/Baseline/core.tunnels.gre-aruba/tunnel.log
new file mode 100644
index 0000000000..468fedf7aa
--- /dev/null
+++ b/testing/btest/Baseline/core.tunnels.gre-aruba/tunnel.log
@@ -0,0 +1,11 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+#separator \x09
+#set_separator	,
+#empty_field	(empty)
+#unset_field	-
+#path	tunnel
+#open XXXX-XX-XX-XX-XX-XX
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	tunnel_type	action
+#types	time	string	addr	port	addr	port	enum	enum
+XXXXXXXXXX.XXXXXX	CHhAvVGS1DHFjwGM9	10.3.34.171	0	10.33.10.23	0	Tunnel::GRE	Tunnel::DISCOVER
+#close XXXX-XX-XX-XX-XX-XX
diff --git a/testing/btest/Traces/tunnels/gre-aruba.pcap b/testing/btest/Traces/tunnels/gre-aruba.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..ba150aa4b26c26f52e41bf115f738f384b000c61
GIT binary patch
literal 384129
zcmeF)2V7Lw+AsbMVk4qsSJXImEZ_h`vtrkXIw}epP}+b<Rf=6F(WtSKm?(CPCPott
zv3IdWlUTqK#f%ZVVvHn{qOtv-^=u~2UVDaTpL6D(|GoFU@8_NK$;mPB&2P15t-WUE
z;<0V(90e!g_5V2u4)9;@mG>UK^4khRI{Y<z3Du2);7}4)|J<n`-Vq$yRT6p$LR9~9
zg7B(+`&rKAnttKj#JR2@yerIwe;oeY)P<>GqvISsCX4^1VVWRp-VA?Sz<<&$`SU=*
zP+|8?=N8Sw&g{M7d^cRsmB0I-!NtCB3%croOFw=k8t#2h8UPQ5nY1B`GwgO@hLrG9
zLz}y!1YPcdv?E1F{}`mJUUm4xE280for+Wr<<amiZOGvbRnZW}8IFQMr&EF9vS>Ka
zfHYJ<!#lJgmop@9!nU}<wM9c{3kRJF+Tx`k+=u>9bxZ}p04>N~R{KM8|Bh$~qzwl6
zAr}2X`{GMxIQ)tk@`Qm)?=BE@ck>UsvtMO!{JUgxJ3(-CD!;>_T)9dP4o;5Db2gLA
zq%(TnqCHtskK2na%#-KLc|49>IJZita&pooikV!PP*JGmDB#OlCXSB%yD)?MCfblA
zF*uxhv6UGP#alJhb8>n-Q4sp{3RbsQ_YDr#wfFS!baC#Rl9t{<Jz1|$@JJaS=i=NW
zB{^9iogSZ(+(Dh7*QdHiCdOy#U7Uxd#*L4R(YyCcPSZzcjMuvl(T~f}r=_QLP{U6d
zmZl%?-Yrg_3_oi?%H;UO#K`tO9vZb<NPKck%7iraz+knf#zWIl4S&N|+fhBySKC_M
zEj2Y!AEJ-yAD`ad$J@`t+gI(@zi;q>pmyrS_yoPWk3KpfrM0@pnDHq|`u6@>4~>V`
zQ|ss9sqs+{jf{;PA7A>9xj1)=j@GBbFHhG`Om9CXJt?tWB>eFB=t%Z&(taZQJ8dWO
ze>W+y<G9WmkAQaZNs)2-_7n6`sil7znVKBeu1)(k_`my0epXt1T(UmKT|Y5;Ok{GL
zzGG(RC~xt{m=*55lA}{%;*;Y#sN*Kbr?yka=wlNj(;-Ar=^h0CU<Ulg4r+a}`>>(y
z^vUKQ;Nr~sY2U<3)cnx{`)N<Qj}%Gzh~V~O8}`%k(ms-R_Q-{T>d;Ti4G0y4hhR9`
z+7ZVs{NpypZjd)Kc=V+Wxr?M@cjp0Sm^zIau5>tZ_U<Qw&hJsyboQ&**nRFR9lOkP
zV3i}0Nf3@*4+Ud4aIwVWw(}r*=5n4HP1^j##;%}kE@skbt)ox}#x8qV9lK6JU0EjW
zKBF^<kQf}k+j)o?Cf~7YsOKb%|JK&njY~<1OVoQrrzHKq(JKz*|NllW>!~~DI8h^K
z9F81kx|gJWDCw!%iSewLWFKI?<jcaUJ@0-Y=)!luJKsEVj&+xh9N#~ksF9P2p6awG
zPwH`-I2Ju8InRRWb?g4ZMo!GH;>h{wiId<8qlUe#j+{zC6L92=r49KKgTvX03Cyre
zZPfrHXUEUBM$Uu@6FmOk==tAg?PH^7S>5tfZ=H<2)rIaU!V<~oaoc&A^^~czrE~0u
zO`5bR`ckJV_fi8J7iRdZF}3~%?Pmt})3iagOlp{zVQmD@@|s@Pbs!jCMEoKMKZBv4
zYgHiw1`B&x8!<xkfYmr+9?*t}4H84^U6+|5p*qW9@oCrPcRC5W^HqNS)ot^sELN*_
zZU(>e5g-OGEJq>o5wVL#s5eRx5ltE5$d*#XwmaPf-OCFdW{mZ5N??dy{Q>b95Es`~
zCFWC|mLb~op%I4D5`@;Z5kt89F~ousPg>u-C+Hea8wj(OfR#u>W$Ap%JfG!NC3>jN
z4?Q~ClPmSOxxR^>?wsehS8d;a$U>?AiI~aUBV;E2Xy`#3@}vf>YhyI{STh*FP!I+i
zdx!GQU@B%VmPv|NHDN34<JrqvZ*^Fu>%cs%Yto(~iN_(zRn0u@Dp>RAU{~|a&eHik
zHa-zHB;)mwNl<&kh9omSTHn4s{@wO5e*V5%Ki>d%Z|`Vdcdf5p<L)1$_i>NbYV@A5
zu>n5OQBmzv<Mq+{v@wxsV=OjEmK&n}Y(vyd+z^>}9I#9Hr?9tK_)GRj@zLW`(o$m6
z-FxcUj~YM8eNbw8d{X>makIkqNiNO<hPw9{-a$QZQn!BoBgXU!>J^`w5I10whqu<l
z%fl0PLK+WGFZfGu_%E;l17$kwzTAWK$#LmpI;i0%h&#KOM30!#U*nOK>XBsr<zl_)
z;#>l)_o||JW@G!@Mu+?KHbHdjl}K7oaC2>fy{W6T^>poCwOw<F_2_aR!|4wgy1|^o
zet#K;PS~US(+1&;WR$zPHbp}htA^@e_((Lg^dt?q$7rKqkD=lX&Ct-9Gq^(zhcO3O
zt5^<g9yw66T|dmhi_RfOYS4x(V}`4rF+<<lgG=r{5Ont@y1{rBaJJhqPdeK%kFzhe
z@6ruGPY2plB=xw3WTWS6&J%75o{oKEaw{<t|5=VgeW)DS%i8SXSW%~A2DcAsgX*kh
z-*7k+vYZ(T->_<c+2#4wvSt_MlS@~fXJ=2J06$NEPyYbFmO8J_T8&prop)#W4{hfV
zzl=nm3FG_qO7Aw#uUFEf#FT^#P5PwBfhm!Gncc?p=skRLbZYe2kr`gyHQkf@=|h9Z
zdW}yD_0stb?KvhoE<U(lY{=lDnUgYGc*TyHq!}1JF~G0S<i6cnc*ns1|Esgv5O%Q9
zK^-+IU7yxj<IbP&n5PiC%wKStL(E{Fo*wCm86HX|vbFQdQIp6prGrN&=_rC*$O`PN
zUr9Sk8%I;{yX#;83+d|x;SU%ve~+RD@L)KGgQc(>-C47)S$0-I>)M<d+%?RA<;qJz
z*ClD?4)Xwh1xJUD7Kfh9b34(2$Yk&&^i-uiIZ}_CYYX&r<UBiT&tKnxO={Cyi<x+i
zcOc4x!Bd!_)p^>GCow>I(2^P2304g-fS0D0HGoUY15d9=t(T9#m%FFd*WX>M)%v>!
zM8)deJ)?YlA_Jm)e53uN|Ia87d|sCa8atE+tOu#)lRXHI?x06krdzK>(t1!Hw89<~
zAZ@)>k8980_lor(eH*a{WvwI)1~gQp4XU3cqsq<I4GsQQ4NxBFOMCJ3O{C!+G*qAs
zYTnQq4X-yMII>rj)Skazz#QDf9NdRh5n91A$X-^L!rFtO9EOq9m^Nr`SmxmHW5`No
zxblqU@VY!Go#EghCG*F!M$-R)rBDm2w@-kV#$D_0<*n5Q_;3$C{ueBaUS*W_3KvE;
zgh%;QBdW^5yIHq!J5G0-2uZgQv|*pJZd3ee>G1Ko=P2kV)oDA|yeMg*L-LE#Xxg&}
zJ;!KID(A__Vx9s#BZWm$bFZABd%Hr5DrV1!?sCs2@RYs#7<>>t-_f2tsmCp374uxh
zgO1n3s_jlw@WKo>w8zvFhxTULa0m_G(uREAuo?|tN{2QWhP9c%4Byul4G+7KIb1-)
z4%(o;WjVbFZW$k7yWm-|MZ35d2VKu)hKq3O@+b7wF3?a!TU<oLcG{rf3}K%!Lvb$G
zSKnXuydy3*+3})5;~<_@+di)ze2E!aRiO=m5`)9pj1QS1AJ400IY7a340cKQl-BBb
zhB(bCsaIa_IJ~^P{rMe7x1N2x12Pl4ho<?)ru+Gi@eNK-8ZkI=@EBeEq~WQ($Bj&i
z@tzPrv9~S&wiG@iB1a}C4w@LBI?2y>aR21UkiL@##}Atr<*lET1pj-&u*k9f5{CH%
z5A5C}?tjBQ2Uir)dk!x}TMpJ+Z_+*G2ka?t&^<-R^^~xUtfxGvY_+#SPniu@YW`nO
zvFjo%>nZH8t*rAk<vpb#9B32s8k{x28oY(>DOr-90-Mt{tfyT4LO#Dg8qMa`O77yk
z_Qycd07V`czN8H~ykRXGHp>jd)Auri;k;;=vVt_gPX@yV+MvEIU1LIW(6C8vm>0<m
z39y}DqxSfE(f~gh4C`rwhBvH3!{;(X$n<i|Fky~pP;DR$chK+&Z3yHIpP*r*%n*8I
zCOl>Oyit^B7`d4=+(pAW+MweN>(RiSHbTuYqH<?2O!)bVXc%#yG{B#LwpdFWQhCD$
zG+=Eisl7&M7lI+^$oA44{w58@Xjn}fvUmg5$5%JV+G1plIXabN^6jOfVH9on84W9G
zLoRRl40Bj7GrZmMQ=Q6TWC7eDVB;d)f!yN4^GRrn<+LH6H{fb^^%J=vZZ#O{XF*lR
z4DXa94Uf@~O&f}M!{?a8I+-DC%6^?nC_n96(eSl@Il%yRD0^AkW(&zf@b;uz25r#6
z2(rAn7>0&o%mM1Z(*2Tq`(@9&{tnOAgj_gyWY5=FP0Icr%jE3=q^BZgl1_UfI8VkB
zmPx^0mdWdSwB>f=pj)3ZPa`<rXC79kv%kkY^)soPokL)?gMOl+J*hCVEb|H3gl+VZ
zxsC2s6m);aHigjv?ZIw#7D@MS%ya)Jb?bLX5PCY&9)r~57P1*VYdO!ef}}tCv-!Ni
zWwFmBep7)sni&E~zG~lc4sFPi7~p8;3ud_T(5e9{!8gm(m7tPGps)7~|A#%L@bl3I
z_-XyT-2Hrgw7wdxpIxg$?wPB&fAId#k7iic-P($}lssezc3mI3+vG~R4U~mnV%J?Q
z?KaJ~79=~HSl4x$Dt6s0H_|W^4O-fe#~bis^wm{z!?N924#B|_%OMahMweY44;h9A
z1rI)pc*9oAVWr$)I)X!Zi)h$Cku(fPgD0Is32*oc4J%}Zl+%Nmp+`f}aAq=T2tk8_
zsa1F=nOfaKa?!9{ZZIx}a_Dz2Sln4#_<lngLebEk&OyZ+zD7f~%#d1RI~Wc<e<d1b
z=aYsJXz-v7YTmF74a;PPaV-m=B-{MpchNA1HjG4rJ8jVLhV5urDl?3)T^Y)u{m(ax
z29FD54sWBO9c>8Y4Li{AvD^^b6%1p)I3XGqR--P&4GBj>8`==T8+M|BTkc_w8ow$U
z4BCv+<#knc(l81Qt!YClZ`g%~CGs53Ly0cD?D{~=A-5iBh(JRt+K|N?cBA1#xxob6
zM&VlHMWR7ZUQQemiH4T6A%{2YLBj`TgLpv%wrpVrRvrrzp)_UlL(?W?4zR(5@~;JL
z$mI=t(U4^}h~*#jhqUjPuoArw9K15a7gtDw9t}-tLlJM-hla&wgER*xr}XbcLujkY
z)S4BGh9<P3gg5L*!y>t1l^<I#Mhp}UBWXh%8q~BwfDNWaDee|>01XS}hWmJw;qtC%
zh<7J*7=s1{PbF2n;UF3o$PD4{mDi~%RZg5N8h*_n4P(*Jh|WR78xEmizTB|CH8c1^
zRlxe>%^9R20SyglLm+QBjD~qK!>BYkPN`IRdN<L~)<7B((a?Z4=y*dO8s3)~M$dVh
z8OAmh4bJb7h9oq&(uN4$a0CtbW*y0q&gg?PbgGIMv|7<HdNyfDMniqtkjfj5qG66a
zhnMg;t>TBK(z<%<H>3e>r@%Z}mo{YahGS^J%j}XIB5E}T!_;d~f3iL~>l|qqhlV<|
zA%`~{N5gxv93p!R(y1y8_zDj0nBig}X&8@&+O#2;H=IDjESVu{+EAUUe9Z}sM8hT8
zkcNg@v>}f-e1nFWa>MF#FjxOJ{HSQSOdDVe1pPt5HR*iba1ssg$_&x#zJj{?@lZGl
zV{NhLD%lnpXsAKwP{bQfq2V35;R*DIa@j9dl=g?)q#+Xx3f_`b!W+ItgF$A9nY|PY
z&M7xU!@duzP;2)RW@z<0orB>QZr%J24KvJ!*ELK&t6_xhS4BhhLKnf!QNWkAV@Ah1
zLzXi`OC^_UB?bp$*d}JU|CAZ{V@9|(FT7|^9~u2${+JoA<NEshdwaS2YWzL@v>N*!
z8d-gmSk`?W<&P3i{z&$lmDq3m>AqXS^_z^3Sii|vmG+y`>oekUFzYu1Hvf<BH(Fm$
zZ$G#I<}O|c^9-=-VWX_yunW@m={MJIxlnW7DxC8k()~t&hcJ@8!uL4mO}9ShIXQLt
zp>*zVL%n@!NDdnA(S|_Iknu4y6daTGUAH*npr-@ao@w{rqG6*qX;_DbyR<>a8<wKs
zsLY_#f6NU1w~2-TEot}!4R>fm1aDY|h9h#rN_-Swdy#1P%AYjAgK}5{Z_|cU&Jc1M
z`vbnopVg=TtbyrCuUHQ2;zh$Y+OPo)w`hZbH=IGkR9T-)zj%!qI?NXhn>vy?e2Rvf
zv>}T#WMpGo<jLFOB%Jd(ITd#n4S)3@4WFUm25rdU4a?DRSY{Yp;}SEhfgJ#=4WGP4
z8aAS#h&JT%h81WyBsavvHOO*X`?eAdSwl&~=V-W28}fJq-f%8BC^y`B1_sa5rF(^j
z!K7gm8h)Y;`MhBj=D=M~g*j@7g9{kyeBDyaA!rzBfRz}=<~7<-#2G@)GQ-s=EC<Qn
z5o=^sqo}i@A$BBb_yP?^+EBt7GVn@j!G2j=3<<9bXYl)mO%x3+qe#P-X!wyf2qn@r
zD`O3|#Xh;A5UwORb}md74L1`>13W>3wzx_gRJ>s=8o0;r&>x0&gb!qKFiwQieKt1N
zWs-)iXegu&YR(Y0nHh@ldhqMLg2%08&!1Fc^Fv{I(eMdv_zDeIXoH3`WaMBDdt_}f
zbSiruveFM$0hYsh+K`Ke%d{boH{jK+g57e%f<9oF-wJl6%&>ea*%n`;;Ro8F;|-r+
z4!dNA;MV<M@A%7nm1tN=8@8k2B5g?J4eQacQ*O{U0>dpspVI!Yh|FOJ8ZOWV18>-X
zh8=Rl#~*;<oyI<;{ed>@M1z9&mSu5<kaNs%buu$ZYM6{fyt@C%Z=&JMGBSr<Xegj_
z$l(q7XqY53WOiN2)~x(BqM=qcY1oa1eA<x98N$9`hGM*4Dw!W%c*B{Blhf)6iVb_v
zaE><QafXafu|I5=_lGY6pg$y5hH9CO&DwMhd(m)~Hso`LurDzOyy7a&q03m7!-r5U
zGeaHPun!GqXhRWa$oLF%*e1{68@P@n4E_bG0)>YCXgEz9N;pGE0W(~kDDRVl3ZYLn
z$x9UtzvqyB@&FpXrwzid+}gbnbHF!`LtB)dQ^2}8tPZT*g0KcEG?v4kwBaBc6uh-Z
z#Ti1*V-6E!IZUVl_evZ`y?jeFbcT;GfrDLqSv%(wqJ|togMzpAs5wK}7G@~ME6>tC
zIqNj*lR@1?!-h?y;V>Fb(QTpO3?UaVhfG-x6T?@)x><7v^fcBMpV5XqG@PUjft(?1
zE9QXLuBACF&VfGpv|DLC`EWP&(J4cYpkW_v&`Ay2kc*f@ygY}w#RipdKW&V7m9k*s
za<_ts>z}hs&h4ox%!R(eURL`?=8&W4`I`1bNIjiGE}<vFnkNT5ec;c-)y^6P6F0>c
zOgvoG()Gr^szMf!*vqPG`jBJj`kZ#9N?koeen3}<HCG<E9zst9mutbq;}Z)eUfgBP
zR~38)ps|-#U-FRS=-W;E3{syq4DV_c<9#t{U)nj_pelDE&RcB9WiR%XEPJ`cz}m6F
zA<}aKJqkW6DU0{yvb>7%?wB=CGVB@g$}sc1TCjk58lEG^`$_cV(fQ;`J#JxNqlbIT
zC+rvCcf)vp-g}NX-gnW4Q)oC$8}fL=HZ<V1ddp0*g+b|H=rAinG<;A*=I|{V4$+2u
z-mo1Fc&%PyaBzGR)}T4(VZ5`pn0td9OW&bE!P_i~q=ud$mzm+}a9d+3xRu3Nnv^)u
z+E@y|NoMpt`VP<;l}LSVVLLD*?z+3jt!#(6&{qT@=p8Ym=Z@8=dGItEHqr(G>T-*-
z=}sY6Fr#pJM(dx$Ja{G`1T%tp5at_;j9A-UFGsy~ddL}cZKYi*sY@GDh^`p9>u^<A
zFShl&ERJili+PH`L(~#*dIM(>dufka>TwIXik=ji2Qq=Sa@ts15dH!~+BWJ#frc2-
z@C9wi;S3p{Ged#-ExK0gI%fD`A8ELThRw7gmp9<E(*pdg7Z}%^!O3X_oCY(4>Zl`i
z<^LyUXz?d)$def0%KwinhbwqKCOf06r)o6Tk$w*MfAy7rt;Rn<tM!GaaGn8LZ;iKo
zpTb$a@~{2Rul%!a)9)<Vb&Ig;DwyhuB;5wC{2OryCs`lDPEPAfhwwt$a03krKFhd-
zGh}SWA-t6tq{AnvGnC?6d%}?>%RzzRCK^7ahmT;AO!;mZcw|w4pSmD7I63u%BTZ(Q
zc$sXATWC=5Zd4U-z~h1f^RepdX=J$id$u*pg5yMH__ByJ+(CnacY<no18xrs%ttq`
z4Iv}pYErpxhr{7HGt7KI8t$S&L5UK`8*pn@U_Lf^Z3x{7*Mc0AU%Xe^7C)1QduYg^
z`-6@*U`bzK-X^~`j5wMG<znQoNupsgZMcsH1@A_U;0?JrF3ek03&YLFU<fRzAsVij
z$Q&M^VGW%_DsT824fxJr$+#HV<tZ%jw=-fy!)JexhGH}*ct@;(H(=>rfbR^J7~XDZ
z0z-xDKB6J~Z_@A(4XfxJvN%K7PL@M4z7rG-rSHO&mZfZ5m}tY#Xi)I3+#Jr3f!l`y
z^ET>re|WnYj0-{d07_|QxK)GtSi2#Q(6EBeA(u0R?ZO;#O6O`W2Pdb#(?mn>#-!mF
zG$?pya2{s}xyB4v6J=}G<o3QWM|ES5FIf)DT9faBg+B?U?*cl9e5pYj@)H_Hn+@WX
zfA=vacqD32sT!TRD3;=;_?!l&_#e75&vM#Rf}Z)br-=7lN6#p^XMw;xr^d=XD`*e&
zD9C3X?J40sMd<lw3-vl5(F12ecmyHl^W!F#&u#D!TNS7r!1FQf5q_7h?;$tPGsc|H
zKi5kpr+Pr25pw*+KJ$Sm*=OM26by4|gGy@9hTKHM+h)V-Og<RP+UVd?c_vF}5BwJJ
z%%MGM-g65*BW-#1w6pZwsL9$$f#(nO%%(jW-g6s0Bjlc?7g;{r;9!#-TZw%}^n66;
z^Cx=VqdkGV=MH*8ZF#nYT6*qIWBC|q&tK@7MSFC-=Pr8wIR<^*e^zy2`D}z4^>sd?
z=Nj#Kf}WYQCxZ9fL(e})NxbKiS(cuM_gFsHY0p#iyi0phdCz_H43oFly3biYt6l#s
z&)?{IhxQnF&ja)X+wv^Swe<WtnB`MM=kp9b2HKOwdy3IBRPNbWgXQyKZ@K3N?Rk!#
z8MG&d_dG<;5L=!(<1IbUTd;g?(w-OSnNE9hdC$-287%jFIhEz}Zl!<A^AbJNXipyR
zd4wLFEzi_77M`&Vi&;J`yvX(I6?&%9o_yZ(3wj30Jzw8t`ApEtJq<fho}o|)!1^_X
z_7w4+$LJYo%QNmfOHYNTET6Ho#{oT)X-^67DM8Nwxo5YI<&zj8_ax9BIJkp+Cea=N
zR$hx^Y;DM|=n1mriCkdmseXp#qrg)RJrik<iue46p8j&rfqg8Wu%>cPBAt&DdM3~w
zHSaN@=Pg^F!2>Nl4cD=Jl4uW{6hV7s(jE=(`5is|<esC=Sw8)5|6864=uz;=LxH^K
z5A^i4<?-!g>GA5v@=2!isfeC*Iv*YH`4c^T<erm@SU#Hba!(5Ffmt2eD~<L<@SeZW
z)7zG(?HEgs-*%SIF4|KWJ>zLlD(`uMo?dd#=_f3o7O)ciQy-2MJ-ca-GkV6+9s}=r
zik_afJnD}uJ)Ik|eD=_uH_($xd$M@X-{|Qf_nePn`7~(rZ+WVqCx!Op@SbPr>2AxT
z8gA+7^DE0|FP)DIdXi~RF7J7co^Eo_<<l%5=bz=CeYB@4dXi{Q9`AX9o<Lh3p`N8@
z$O)E@0#7ycB+{OI-t!VYUFDu@zAT@=x5z#7dXn{z3Oxz5r-=8wLJxjV&Fe>g><miu
z+<}$o^>`nX#PV54d#a;nEbS@bJfQ-5I?MC9nZxqAzEbX4OnYjeC!Y2Qu+z7!e?lG5
z)5(_S;z>(SS~r$Y7VW8to-wpX#d{pl(^2lZ@67T!7cTdFNPB9bCyw^0c~3d?bg<<)
z{=TJWdTo}^653N6J+ZV$!+V_26Cn3IN@w{TZY=kFOnd5}M^AeKc~5!t_}lXA-D&BW
zIfLbMmiE*|PYmtR@tz9k@soRg`-$bVqrco!Kzm>oh59F&_C)ZWis<pR<=HgB(z9qN
z%jZ1psgIs0+LOwADxn9ziB38nKIzNy*#Il!>-kXhT%tX2Y6SU2(jEivsf-@2JRi}s
zX1%3n$w8LS545KNdLn2~7VmLJkGI_OVjIh6d4Sw=h4wT=&uH3{!+YL9kC!dal5>`x
z<*isgg|w#;dPdQnT;5X!J)Sa;zFb3=&mz6t^CRtf6FuRyCy)2IphsiNGZ#(*U-#!V
zAFzCk;F$|2D(q$Tnrr4zm_?yK2h*N>si#wDRrIv7=E;G4hQrATcxssRHAkBC^^W5?
z{aDfU6S%T~#9mfi(}$|j)t`11NnJfdtD);nYpy(Sxr|1at4aT+he_Wo+nVn>__Be<
zURHgxhc-c9ciLAX^#z5h&{x}<uLyiwd!VnWY3wGwY3$Z>WjSxqPB=w@_U%SH1$Yu+
zQ7;9BR!3(oTh19!i9!2<b4P$_?B4aZysRJIq@B&s8Av--yt4*6Yua+QT4#11b}@}T
zKEalkId9X>=IHE7JJr0iCOT`_a^5!QsqgxSN#AR<X{>cGbGr5-`)3PucA=db-dPKs
z)onR{`n)txbiVa%S<Z&Evn4t^)6PKNSsR`BQ6rM|9p+~?j;3kN?S8efY3%j)O*XtN
z&o^mjD|B|EojTrG2c6Yy<>@2VAx%yCVXIC0h;gQ|*1gQBrk!r+>_|H!cxPR7R<-3c
zZZx-hLNAj(^($Lm=4?tkTcfiB?M&sJ_0Z{J%bD@5*_m12q@Oa=q_^&6&Sta|PJv+l
z44|C`-dP`=Rctw1!;>kTKNE!VriAh-CcSkpbGD$JZPBUVBYU!Vrz<+&u;tuVWX|)0
zwkG|`S0)=?=8U18?a=8*=b6Jh8=%wKmQzz=c7EB}r2l%ONpIcDoZ|<Q^QSvHeQ9Sd
z?`(+9%C?*vprx?g^#`Vy^hfTP^wz!1nL#@}(5c|#z4LfyBXm}><#ax4cAnmA(w}c;
zvf*XUOxoEVomx82eBSvcIxE_8CVg*q-i$Qq?|pC5TlX^OWZJ1gr#I~^;+>7rS;3a`
z20VEY+x@q-CjFDjCcSkpb55n5p6FEYaponwQ;p8@ww!%>mO2xh3rz_wT}^uHUgn%e
zJH629N#`j%;p)#O=ybB>%!d^j^Ng+3#}w=GwaJE;IcLyLZ*(g7SacQdY>Liuww%$|
z&CYu7nPM9~Hrenpr-61tRRil$dpb`w?`(!nM_bOnmYSVz$4s#v?xtAlUgn%dJAKfp
z;N#Ubyt6qv9c(!lPBc5aB$#4*Tr$O4_cG^uw9^-z3O<58kaxB~r(nzZ25h>;{@Jgq
zDR$r{Q>=9_bIzfie&|&2G3`3u*^)U6U)ge2i7Is_)T?PqXf(|fYu(G7@6%3ybhf4Y
zX9VwTh0d3@ob^;@XVZJ81h>H^8(!v|M?2wk3&v3!+L_8b-O%~Mmeb=yv(vkUDZziS
zDZ#pzITz5*4(L?yvGfMs*&3bCZ8<vxnw>qOO$mL^m=dgenR6lS?1)Y`I?pWL*#@1@
zY&nm?$pDU{grVz92_xPxC0O?|=V96jw-lh=ThY!O-q{wNf7@~fRWv(CWtbA8ubXUm
znRDlGvi|Ih&X%+@mv^>9=TlqGi^XPV@^(`~dLvVUbuV-7rJY^S*@AZF@lJPiKC$Io
zQm@n*8#CAx8^7O_VBO1{`)FrZbT+4*`MlEuoqySKdTuc1IqPjx!uuyoHoVMvfOf*D
zg#Ou#b{6r@_UQc6mh;5hX6HxCO$jT?nG&pfne!m+?1s*!w6lbFYS8(IEobySvvX~d
zDPhB9Q-XCba~`Ih-O<^Eb_!3q`qLAgzuR*5NHF)$^u?ywNl#4)*1gR6igv=OFSNUw
zcB*)%7dlP0oHyY7S)4z2);1;Vn_-Hz?qyEL5OQ9E-2pfo(@r(-^hW1zww#7{&CU};
zO$px}G$mN~GG{s3*$bU-(oPNU)S~lOTh7K+&CdK*ri4o$m=dgenX^3Y?2XPwv@?)*
z`k=GKmb24Lv-8e5Q^LalQ-XCbb5@|8ebCvEcItSiFFGIFa;}CabYh)6>x?OOo}Vef
zx|caC(ayf;Y(P6Bc&8saf3f9k=}_uS6mFOjEA%(TTK6(%W!l*fovySqm3R81^N}s*
za;R`H&%`?Kn-UwCOg6mC`3CKL3!U|8r-63{pz~*2&bmQnXUmhO#CD!08(!wDN;~_b
zvmWit;+-AP`Oud0pm}{y^jv95^eb;lwC-h2743w7YnVUl(#{;-*%6(^wwxVznDgvb
zXiDtU!(_wDoF1X%JU;-Pb!cZU@9c!m2ezE&%<E=i&=ynTkh-Qs>t5#cq@4rNso<+W
z@_1)wbl$h+3>{?7GisPAG48O*hL<@z(@ywl(C)S9Jo9;H7j)jUhqEi~)S*+sSBMnx
z&aUXZYY%52?Hr6w1z$5#!aD=edB+~k?zD3VI;+#|F8s~apWV=T+aAsyv~wsrRkTyZ
zJG-OvmOY%kXlF1wtI<w1@9crjoAz+_rk%skS(SEbcxO*^-mr(WFYO$TP8Zr4$UA$X
zv&bIKNwhNromFV3j(7G(=XHBHr_#<)biP45BY0;YbpB)y=XBaR0-esZGnIGtMdvkp
zIA_q#k?5>UI}N<EA3BZpa2}_faJmBPdnMYL#XH|Z=a2Sqo}`^&=&VRPb9iTebY8WG
z^Azn2M`s1vnaewa&{=2?=XbPo6gtb(&OF{Z0G(It;ryO<jz*^w?ab$$1JQZe9?mng
zGXkCEXlD`c9E8pv?BP61J0sEQNIOe-rw*N$?BOh+o$z!I<|PN(DLmuq&%x-tXb<NF
z+8K>bfp)5R=MZ#Wu!r*^?Tlg0mak~1ns*LG=XrZLKOaHv-}UHxNjo*XGZ>u(_HdeL
zXDm8j(9S^KISifo_Hh0|JLAy#oObGX=WukMvxjruNV46>pz|5+jNqLi=sar==K|Up
zkIuhoXDaUuMdulNI2Y2+vFLnCI}N;Z1UgUK!@2uyvfbfS4d$gMv@?r$jzs78_Hgc_
zor&oDi+1Ml&bQI|ojsiUX=f5T6@2t=F7FIO=ePE7E)OHyJsF*U(0S(Z&Tw>|vWIg8
z?My-E@3b?YcaB2m$^Viw6`dy9S;RX>qw^bkIK9Hjb{~h%-)LtE?~Fj_341ubY3F!!
z{z^NA=Un|6iO%Epa899}Y3MAWohsfLh0bI4aMl?`wtG4{AJa}X?~F$0QF}P+(#{NY
z{z5x7yfX%!N9^JJlXhmJ^AYU~<ehqS=Gnvf7ww#Y&Yx+gj(5hQ^YDMkIT4)?X=eoQ
zj6>%kdpIwTCdbhvbQaUjRNgrTod@mVyh1xCqw@jnH1N)NbmCWqT6=%ozw&&uVkDX8
z6m;IFomsqdEIRkwBhN~-b1FLT(as#+nSjoH_Hb6Fozu{Hmv-jz&O~(X{VzGEqw@~!
z%;TL&=-guu=SNXw|D1u&+q5&EcP68Aw>_L6(@q0AZ_&;o-kE~VUH>KLJLtSgJ4<+H
zDmr)C!`U~6Y<IX-2>aq2v{QJ&)t}?gxx*gLezX&A>w&X~cB**icyw;Jhx0AkISZZF
zX{VZZrlE7&f64hCI)9>_8s3?X&ads^%p6Ph&)Mj_Mmqy}X9hZR?ctnEJLjO&NIP}B
zGZUR(*~2-7cFslTkF+y_cTPa(R(m+7(a!hLd6jmi^3I9q++q*sQQA2VorSd1z&j_Q
z^Gka;Pk<8^MtoWQJeK64^U<kb|DGjvYQuIjXYmr|<iE?q0N=B-%Mb4XI%hj9iO6=y
z{*K-E`-aYK0eUXex#dVbL7|f|w=e9G+bP<)5S>5J&RpI(1)ZDi;rxzvE<)!e+L^~Y
zr=oL{J)Ea$=VEkTq@DS^a~e87w}<mA?aV^w1=?A}JEx;_qdlD0Xy*s$JWo4Ic;^gs
zer6Bnb#TJMQr72aeTYsab>>S+o!KdD4|5jJV@`hl$$|N2ix%gf8rcpPL$e)jFSVS9
zm@6Ax>}7RcoIP|2y7KA#R8m(^r~&i))E@a2(aw+1d5(6fdFMOm++Yvq4chrJI?vKh
z4exvxo$Kx4^h_t)eJMK6(9S^KITM|q*uxn>JC~vJH0{*!&ROVOXAfrw+6hAp_GjPI
z&IsQ59y)XE;p_-bn7GUO+`Q%JR4`wrN}WB!_A+PjJIu+?LwPU{CHmkz<eKg9M_#tW
zvo_Y|BjzLKqZR1;md?>2^#z5_#vIq$Bgam(b0s=Y(atR1IR~9<?BVQ8J6ECeB<;-M
zopaH-+8)j>v~x8&zoDJEyz_l@uKF)I*P!zR?abqxVf&b~cp`K1<EIG5&+QB1`-!q0
z>vYO?Y@#Y_9CfAhT#L@*v@@S`hR(x0SK1@b_h@GhI*-xLBHlS4oh$6&oJ%{`q4Oy1
zEa9CC(7D_m&TQKG2|AC^PT`fL&I}4&h|X+#IG5AT_2|r_ohshB2%XFROU@1GJWM;)
zymK)+m)gU*g3j|(bRMFe8s3?O&X4WkjLIO__s`IIkah<0&JWP}kv*Kzv~wdm5715>
z@B9#*cwY3MK37%X{2ZP8X=eoQT!PLI?U82;o#!TW?xUTlyz?V;eqayhSG038I``5}
z1MmD8omuv9Zlj%FpmPuH%;KF((Ye?j&h51GOLXq0ojJU789Eo)!?}}oZb9cR+L_Bc
zv(dTG9?o5~b1OP`(#|~Ixg4Df?BU!?JHJBb4%(T|J6E7{zCE1#X=g4vx6{rd-nkN;
zcrN#!&hrOo=hx`mMmtM*=PGo*Z;w0=(avq?{F-*cF@@yw<iqweXYmB)w6;Im8e!fa
zwY{C~=)1?(K8ZblIZQjZqcfLwsyJupYRq%4J@Pz4J9nV-E83~%oomoJ#~#kVXy;CJ
zZl#?X-nkZ?v+dz*If1M{ccF6&?F{6dIp}=P9!@vfxf`8d(oP-kT!+qC_HeePoqN#v
z1?`OBoM8u;vpADEt&R5vx6I>xy^!tr`Pghn>*F3j2Zna;MdxPPnaVjsKfyd_+9OXN
z+PM#%n`ozjcdke0yY_JU)6V_q{G4`X@y-qC#B=2TblvPgI}f09Bkj!Lou8u9V2?aI
z(awYD{ET+y^3KoDIl~^#Wd?HoJcQ0qX=fhq+=$NU_HeGCorlr6fp+He&d<>~%^uEG
zv=d^2=SJ&kXA$q*gwCn<aIU7EN6`5R?JVJ)o6$MN9?rG2^C&vk(N4iZT7QOqfzHYH
zaBiiY$IzKWJ5{{%OLR`Mhx04ic^sW<X{VZZZb2tL@AyyW`CQt00-bAUr-pZKMJMh%
z{tM1;(7Bp+2J+6Y(24cZf9l*u=XnyHt7xZ=cjlrq!yf%}JMBD$&Xu$?f_Hw6&UAY?
zchJsn(Yb<lrt;2h=uESR^E&PP4xP(sr-65FN9TBZIE!fK_vp-~omsqd2Rg^u!+C>t
zo<`>~+L^;UccL@Z9?qMz^9(wd(#~AoxeJ{s|0U;Hbbd@b^LXcObSB%wd5g~T96CRu
zo%y^I@B0-d*~598c0&0J_2&}WS;RZ>K2TwzJ)HMxX8}4tq@5+a6YpIVCj6J2=h68A
z?Gzlj`V-GT3&+~S`GC$7Zks^6XVFd-@5FPP!gzZ)i)rUYbS|cyYR(yUkd60ZtV67w
zFU{|4K3_UiBir%V)NDuV=S=K;=^^dBgw92@Q^Pq!(OEdg9(mTCOYYx)K<7f*8OS-q
z4q={HFImg;aAk9zznso4S8H3gqxD=_p7m+xWppl}ojTrm7@b%zS##!nXyJ6K=~kAr
z0qwkk&iS-6f_LVj6YC{w&X~ED&J?e*oRPG%5S{aAXDaVJf=;ZLtT|(=TR6)neO{I`
z8l35HKEPg9@1sWzy^2l+=ko@s(=8PHXW>834ewPHbbrP+-&!zvSC&rYxNl@bL12AP
zPiOTb8s^ejWl0S|VMj45tl6w(rHi-BYNoENtm5dbjObKw_MRhkx`pBxDg5Wz<v&?X
zt*+9k97YR&idj9S4cE}1;9NbIH{`Lb3jcX7`Hx{*0<@P<ej`+Rti5`^PtIvSq2WEc
zz4D}nps-`uURb+YYp=InS+>{QePy-RV%m8fowI0XKJPq^POM#}&g}2l-O&z5lsiA5
zoki%JNjr-;XDH4Ug)z3)vY_8ZrzvLkQd7*MbW@`B&(3G<zJzw(K<B%(vxIYooxnV?
z#+K%}M$7W_2~nQsN3`=MI^Ut4LOHG`#QCH!TApV>Ao~vM75&V4LYDBo)@9|nly=@i
zr-62=cqfjd!YH}3!+dZyR6|RN-#KEvz0Kc6!P?zOJ8z?N2JKYyP8>&tk#gt!BP`D?
z%S)Z+?*cEQe_p4ZchEVVc4|0h*f-ceac?E<pNDc;|EvWo6w5Q)5o)dSWzS1TKO*PP
zyXc%oI|DgqD2}7T2w9%+Jv}VXD)6)&+ui(K%Vp$wjCS5b=TzFM<D6k9F;CnBO7lGK
z%JQr>PI;bNR+D+&N9PpU8NoS2vE2(t%k%uSALQw{t7B=NHgdEaM_<v-2k4wkJ5zZl
z=2<vO?%WLHz1j=*9u1}AJ$(b2XE8b_(M|*JJjL3*FkJ4;9|z9M^SdZ_?x&p((K(TJ
zW^v9ibQa^@U)n!!FJ=Anm(q1p$#_3VJAX#!1lpOyJHN$ognNIf^YK{byscI~jubc_
zp)-?q=JL+((209$sk3A_ILqDgQSLlM=lKgdGiYZX@BAK}ajbtzozL2^Jg-D3cOIpk
zkI|V<JM($xX>`WQobWy+=G-<}xpVEO<a-q15i*=jDVRTtq|TmUXV59H>)^g%9ykZh
zLZ_>(am4D69Pq)`yR7$e|B5~(b*I$VDeNrz<Yy>wzbOZNlZK!V&ZDI3I&-Z9mjPVt
zWp(eIJoGnoy-&BV;3TOtwPEMbh0o|E{SeN@4B%=Hl?=@1&Ssa{L+s^E=uvP6u9AA(
z!t&9BcLF6IsC9IzN|k%|7Wal1J|ou-m^q;@rO=tErG}tToa+k1WNSxUoeQvbWc6w$
z_IX=1x8+)V5u8L;f1p#r`L;&tbPFrMtngl<G^<6;Syo-(lz_F@?}y2(VAl^>CDB<0
zN)17wINuh&EzfH1dyrM*3;#m>{|7jUto}l$g0pL#)ae#>9<#!`k&>(`q#AXq`cvNe
zTFk1=Nz(8H4GPYsBY49FG~j(gso}TN%y24CvEeBi6r4Gy@`j6Oz`KGHL&d|Zz%bz%
zj9k`d7F-~6_!|uh&XWzi;Sw6;?<cQxsD@5eZ{o`-qG2Izc!mZAXT@2(;RiI}9Y0A9
zm7AA<p++{$-z<mFtK`^uj)pjT?BqxdL7`X!6poaSoh2h+?9}?Up7MF-ZEzA}=LI?y
zoCD`doo->5F)O@hD9tLfrA}2huTNt!tBHS*S;6iA<{3SmRi4xk6pD37;Rsn)W1KUJ
zR8?0GNmHKH32+iw!Ra436`TX-OPy|ES1>EQ>nP3Y%eNq_dDT6|tiB-)!LZnaVGf;D
z5pO6&1Kwkl7~ZJxolaFpv!}9XI7zlwumc*RXhVtA5EP2_SYfEVy*_b)_A0-Byz=%^
z;Dl2?$SRU{3gspBPf#e<WrZPf=f-N_6n14Ocb=m2gjofg5wugqJF!kH94>brZBnFi
zxwCS*a_6nTsQw=etqD#A=fG;I(=F^O_C36tD(!ole08eY3+n`meeW(9vZ05wm(`kf
zb};;8FpQ$J(nt+Kp;$u}4wGl~2=@Li`%*_J&#KN-GOLQ{RB(2xlRDkPe#ETgwf7sx
z`$AUZpY;{9`t2o|RV6gMO=lG$H3WrX4Otj0%PPJeoQt|F>Q%a5R#NK@ctvIfGY_<>
zf^*SSsnadYh*{wsT}i*H(&L#<Rm(KBmY7wclM~gioY63X&dMM)1chP^SvXXlRm?)j
zs>jpq%KKGG71CJ+oguU{hj(I~SvW-I9J}U&B2|^jdH0n&O|;Vmox^EoF7L!zv~aN8
zx%FI;>WwG4`;|M-xsZ8QMdvWuna4Y^UM<wgoqN}V^OsM5Rqkw5m2_4^XE5!|=bb;W
zF;X~4?mRvLoVQlGDR;g}J5}f$N;`{qC)SgN1Le-^?}PJ{0cs?rXUGbi)zLYGc9!r?
ztmO&^$eoW*f^&B&tddHdfvw4QuZd0_?Nn9ZY8b5d3WH?Mgz_oi{AA=f<<8#&Nhi#-
zFozGKooe2RwLxKjxznX9I9CkWq}=%@?W~Q?fwWV@J8@kud`s?ZG!2~dx=&H=tQkb+
zSqGg1XlEer#5J+7pWNv-7@RZwwkdbs8$>$mqBDqg>UifhoR|8_o&Jl#nbK;Oa%a{M
z(pe9k{b^?e@B9g!edNx*XTUkCZisT{HQHGpoo~_3RNi?VoxSDG5pRHVV8zzToj=h|
zS9JEHod(`ngw9@aXY_S&_IN(puFeMN>`Obdc;^jt_LMu*8-dgN=YL^6x=!cW5S@K!
zXAbYYiOwE!=ldtX+31J0%JVFuosH1hn|9{%&Rgj0E_bdd2Tqr7{)P2Of%8pt_M)A6
zyz@3XyUCp!E`!r?|L4l{yg}#L7@a+7XFl(|gU&#?bKi_2mGh&|V5L)9hqN3@&Yx;@
z_Mn|byz?$PyULy49R#QG<9}h_(Ta99L1%Z`S;9N-p|gwJc?tGM&gbVtk5Zba8|`e0
z&Th0*fRlvHo8gE^s3i0fgrLy-=<F<aJ`4cofs6&pot5B7hd6I(hR#6Rsp6dv(Ai1m
zOsvo!oa;t@tla5LJDa1kEA3SC&SG?Slsg-kz&XDcM6a~n6*ya<vkUFi@Xm+m>>zix
z^91J<?Iq<-|6xwV=K=?}M5luJGf?X68TvCi<@0BvU->+hbL#S?=ybJpcEp~qbO7I6
z=<)1j^&BuWxE1=8)SXgar_e{}lh>VzeR|}moFnR|psxn+W3Eo%G60Fath$ne-O#0A
z{~IB7X+wWOmwca|IHayY<veUhFuI)0F6QYBo^+tFmsL+xFjRfY&P!9J9=FiP=#f8%
zN{l<KQ#p5i@0579Rx*M#v_V5S-RBLwp#%-`=R1iHzS5~GA98{-Tb9GGw4p5;!e~Pl
zZ}=4r@@E!FK2yLje$N%r5H^a;p&c3&oX6(yhTqU2e;$!sX&pS%Uwe0!XvmEt4en?d
zN#~Hu88UV-L%{|%|G-(R=3Y5L_jU!hIOE&R2C;hu@81^<4jH7u0}Tq!TJtzVs0nkB
zKkrC>vmY4V&;Ly{9G^uR+M^+q&LN*OWbDKo*2{7Ti}PVQ^oFNntWTbx4H`5kILj^K
z4ZG0riOdk5@jwUnLfa1&4aS9J4zP=X`9Z-sZ3%DKjfQn{!;zgjRkdBW&WnahACd+y
zG$=TOg%ZfJ7IMqjgN7WLVRS=ii>hJsz7P#HJ|Yd?Xi#vzs^SfM(Xdu-=<^;JG^6K;
zhTmv|77Ys44mEGshlVwB!x#rJsJg=J$NHp+Hu#`H!MUi0Glc%m3|5}6B?r6><05(I
zGtqE*CD|6fXc$b7%|PDp2O8wht&)4T2SfB1(9>8BAFL(~erQl|?yBPq8T+v<R?FMs
z-j_O+OV;66qT%ow(%_E<1!t-eoFVj2%t8K4Dmgd_au^CtfH^FIOC79sU@sf>LjW2S
zoR_BZhQH7tf8La`qMS}u(Pj8{(Xe(KY3P6k1!tiK-tYts@@Gk@zt7aE%5Q%$Uo>Rx
zCJi0YprGE&;tfyHAb(CY&bciZR^NLn8nzrE4V}@T;A}9LH~ftTd2KnaMQ1R)dj@Vw
zuyHZt3~A_!1_kG7`Mlv78vc2{BYl6LlhgWhqG9h1(h!IS1!rYNyx}<-<j-!#_1X(L
zM1A?0Xt;ZmG;~9Qf^)DE-tYnq^5-(+hW!PG!K)^T2IFs}p*tEB?9qhE(seWRB^u<<
zT*f7=1w*IVcSXbE7o?#F8Wfygsd&RHG{~Q)jC-_Lr*hg?exhioRIxlYNA*O5g0m?#
zXBZ)%LH?{{JX<fEqQ8Plm5qysv;mH0ppH^-?xf)j4rq|?N7LS~s8f}DGhu~jm|cm?
zp*I>7oGAtJ21hi=pK+wE`3ek`hePeha>!JXhCXOea9*V24du`ve}0knH;hfkEq{lK
zhREuqp&uF)oUx?x1}8MgpG~AUfO^t#LE#J0u(dvEcnb}k=^Dns8_J{MpXUy*=gFsm
z&?lYhz=<(yi<q{gp+6cr(S|JEPyr3{XA0?>Ymh_c@dVMZxE*N-LPJN|ki#1)qCx(=
zAbt2TFzD8NAsU>!l7@k32%rslyrB{r<Y!sw<1T^0XXXyka3zp5=+NLt8;W>CWi-go
z`O%<ilyO=#9O_LPhM>WRHVDqr^<soG8sumA>GS5pe$y!&cGIj+P8&)Zg3;hj8`Qkv
z4K&El=S4%K@H(PlN+@X<h6XR%py3Q**O;LgKWkBb-^}Z;QE>Z(<xu}}C2Gw|Lqjdv
zQ1phhEiw);L%}NR`wO>>PhCaBjmwpVmQdHRm$lm7u~zV0W@xUUuGYY9uGh~X9Il4p
zGx7W1lp4J5ISRT-bv$lmvwL^-y#8viOc46?3Rbs|jZf64rH|J~CdDVmrRm3K#z*VL
zzuDf?D^ly_<L~9}srB`D*J`!??g3G;dUww#AD_s8C?DTw|LCqd&(5Ac0e+tTUS8h*
zEp=X<wHmLMI`7W#AKK2{diL=S$V}`Wn&umu?&m+oH#j|M#NfoiV|4M8hNt!(H!>;4
zdqVug-nxJmUa>wSB1a}C4w@LBI?2y>aR21UkiL@##}Atr<*lET1pj-&u*k9f5{CH%
z5A5C}u7!6D{J*+yaImhur-!GDbB~ndWPNmcd`fZ$b$`7+)xBF{e5T&Txm$F!J~h3A
zx=s5wF3v+DljHOq)KQbt^=X~GJ+(f5UhpsG8KCvnc)K_cgMWSZZgKi#_~QfOqsOPD
zrNpMY_tdi=G=7r%pw#sEr1;5^?02;H)OcuIoCgeb?=ifCdf=pP{rpFa=@rx~J~bh3
zz$6cE9}h1NPY?Jr9`FafJpAy#!mj{jI{bY1AboON`j`%C_!)gu(%|=bd88+1c*G=n
z#FYLzkEB$OBs0PzIwi@)*~OXl-1uZ?s^`vUy{5%;y65U7y+&{gyN;uW`$T`u$Js6`
zM(I>uf0h4R?71grI12{owCrWA=L*Te3()YGHbh7b+OQ%taPO>ThRv%CDzAHOnu@3F
z*)F*ivR!tjvP`}O4-A#Eo<=N0&t2M+D)n><yMdla=|~biIp7HvpFY*dcFF6R?Q&wP
zrRzIzWr2&mtmZU5coDj;(Jq73)idlSy71Kd^-L$a^1u~7Mtq8s?UMg)w#%iTt@&yg
zoT;aai_v$H_GL+ZL1DMhhdWx{R|LKRuqR+o?Xq2p^0KR5_btm=lXgPH(C07E&K%x(
z8=bi8wdSn8%feaB^>|s%TD0>6be^Z3xxDiZI&o)g%~=!n{r}{ts^6h3XKmW~Avz0a
zXCCjoi%#4<TXU9!)A!fT))UKe>fRyy=Mr@0)6RU}c@Leq!?xzEHp;?Ty^(8K&g?~`
z^CNVgqn$;(^FBIp7jDg|x@Y06(IBfV=jXKZV|1RSoh7{U0XlJ~Zq50ui>1@kzbxmj
zC1jpU(Rqe;3RNvDBOxfP7@fGAx8_WqZ0S7sye#K#+6i?Q%uA<fC%kFNqJjhGLv-Sf
z->S2_rSp)sEN7=>WS-gR{GN8IdFRjQ#8Uxl&byZVvu3YFWjQCTCY{UC`5o=l@Xkl*
z#FGPS&Ry;ndDhJATb6SYIEi%~&V-=d70jQ3QfJSwU(jh~{@j@g>$)+rB06C{f_2l1
zlhs4h!AI0XE75m_&QT}zbqafoK74W^&GE!msE1Cse1blxhonB{ngK2YltS!fwH`_i
zUWKmfv@1gD(uS3w3vWY6U6+0~sJsri=+WhDb}`Qp@USN<>}Ayx6}%cf#k40?>TwJE
z6+L=c-3V=_Q@J;2UwVRjls2qE!vor2;0?c_Ax3WaU?doXT93tgzHJVf!&)@lrwv)W
z0dE8pN6QSg>g~{}+D%&2Kr{^8NE&j`aE~_R@P^+phbXxr{SX)$c_oPkw=YP;Iy5NQ
zN96JbeDYZ=-$&H0+eW8qJ0<Ir(zeJY4e%#nZn;C}kjEST#2g}IIn++mf}yeYchPWR
zr?b$;QNWkAap71mcs(;T_n-~=5`)7}83&o++?`Ux>su<L;puBVw~XKV{f|GH@YHzu
z`D)mCi>JohUlXA5`d@rH0VgOP_Boxn1U-kCQ8!@ky+!w&B1zAI(+PZDT|8RedvD*>
zsoHEgR{FfU*<RA{DH?9lh7#WJ1V_*)nW4_O&0tXbO%+GbQ`+zu8g9@Ap_-&JbPL1h
z)y4Q3X_A$$&YmhdRqLz2jus75^T-@FqM?X3sCdKQm;-*+j?{1lX7$#`e>@`^-aSPc
zHlg7s+MwYL_`JFpKf^|1s5^ES7+Q6O6A-q_tG*`<o6(@)6ef^2JjWd5RY$!>5jvGy
z`odJvaNI~5zC^>1bPf@`;RPD-4yGiB`c2?@RI73GU@y;dm~)pjY(c|S+K|c{@OgEy
z{4~n7F|<X?@e5r=!#pq;px9zBYby(!9BxH}f}Nc~YS3mJVmTBnlCCUm8W~|_F{s=!
zS~nIeKx1t8XU5pRdX~w%C8Xyo^eEWDW$~WF=vgT9L^SKbJda=t0Vg5OmY!L(Cl@^m
zc4|4iCl5UfY<cdtwDb%($MR9&`5HY6c4WD{=LmY{%RT-#Sw82d%RTSW`D{baw{#!Q
z<2^^wGtZXiOf5^#&;XXtY}x~>5>#uaXiq-xIfkD1<(__Omd}A7{w>cA^qizUMZD)Y
zdgj{l>`t`wgs#Uqht6jwdcL7OCA{YZdgjPIBSx`&HhRcCbHPK@Cve`YZ09bhxOMpz
z^AzJ9aLGLEI{PD-1K(%~H8abE8QA>CUN+{y-Do&YXQGlCv>D%ECbQ+4j5@_KS$ABX
z$ywU72R+AVkDB+KM9+J+JgY`pdPcdhe9qCHz34egdo;Y~6nbXKJt-AfJ_{PkJ^8d}
zA9{|^o<QF7EqZ3kJ!zf6lRBqZ?kS)>`_Yp}d*E~XEl(Y_8Q-DjU0a@aq0_!zv!W-k
z_EO+EfS$v&CxZ8UkDhnrp1F5ednI0wd(PAO97N9{+LOwAPNT<Q%M%xG=^1l_<#U1d
z974}Q+GF57XV5c4?pd>t<umxmzvVfMo&&Tei}##G&vaX!pb$$>a(|Z3MLM56^z5fS
zIlSi_dd#1xR(je1HDSc2NS05xnR3r1@DOVRqzY?<f;B5w>TwGfn5P)uA0u5O=D&nB
zqC%4{rFHV(<Qj1l4SVTK@}vfBMm}a@{;V&HOm_INOnkqRXELAm97E3@+LO<F3eaQz
zJS~~WvzMhOZ71t93uq6lbkIh-X-^UFIgg&n@;-d756h>H_rK*ifu3Eor-b)hK#%!O
zlSMwFNA<0xXHsL9&q6w%Z_u-o_6XIvHR2+ACd%`<+JNO#{tvll5$!pNo*lGD#d|KH
z$9!wWA|KHsz<rq4Yu5DlSw0Fpr_i&V_NaN!59q<~eT6Y@;VB-$@+k?DdoI!WKr2Ik
z-bQ;gyyr4{%-^df^Az8-^vpD|e0~5A@dW8R^lYL%fl^PWj4S9#l=q+F5jl`g6{wS;
zy=oXE1qWkf`2=x)EV?d(D+|hI_Oe<#PY?bcT{*N%Cw2AAC`6a}Nrfb*JaD<(Lzk;D
zQq|QMS$mT;-#zfbqf~rZ_00}GjlN~HFGA`I%D9R?^I4O`R|LL>x6#+s82f&>F?P|(
zvYhv6C!F9xe_KjBQ+el)=ro^4$((cYOP!Hz2OA?b`)zqyKP;x5XVLjF?KJRCBRb7z
zRx+mwcFNEXn;IiKE;dF6J~i6#GUr3uc@CW)(atR1c@3TBeWlD<304+##(v~!j9tFc
zmX|pn(N1U`X!j+wGlzHngidp9BXdrICw*d`gZ+$=!`B&Yc$xDt?JPj&hqN=7cV0&)
ze$FUAKeKU^_O)f6Ys(uWOTAn_V9wr7Z&2g?JUSJ8zi1xsEJ7!~SJImE*F1BciT#X`
z<F<==%Dv3lhjzkF3ff)4XSC<@&Ku}7-w2Sk`{WH~=Y&Sa$f<LTk=DJ;*_U=+MCW3<
z-HUkVO?2Y>9j)bAHO%as^R_W^!3krebuV-Fqn($~xrla_@XlN4#P>v6bJm3f#Buat
zdt>CX<;F<sUWHCLMTB-=NIQiZk~%Ob<2E|+eUsLl%et02V>cBVV|Q#ZMq2kW=Ua51
zm(jU^cB**i9dw#+qRRTG^AvNQ2WJ=~k3KNk@G|FzwDSr&=hIF#@4Smn^G#Hla~hmX
zitT>ppfU17D`TW}FLN%TorUO}M>{pV^By|QH&JEIhjYx%D<2pmZ|RMZ*1gR65$(K+
z&i83&An&}7PV-GFnKS8Av-AErW29-lG19tMq4P&{&ZV6?-ibFS3(PlBWlrz3QfKVd
zCC1q6FN~4az0CPBou?6<b7*G-?<~eV%{NhH&eI>6^L#nM7*)By(T0~fm(tE_=$uVE
zQ+ek@beeCX%A5<HnDhMOQ)68DTgFK1UWLw|(D@$iH1N)!(P_SkDswjIUFwW#9&U_k
zebN|f-OHTI=sd5ZQ^9wcX7SEP=rrF%l{v@PG&|dS8l$u;jW)c@nN2&3&^eRNGlzHn
zf==^IRGCwVG&?(#H%4_$F-BSUDs<jJ=ex8smv=r!r}-wT%(=rnj^fmR7~@)wHbz<Z
zGUr$qvi^kKJ*@BV(9S&GS%OY{pR2X?J^sEq&$oIQqXsTC+VC=G0`0toP6O@C=bgWz
z6W<GK&8armbx}kAGDeMvG)7tXGG`*~gk3h|so=Xzi+Ja6=*0KST66vYJ49UHqegvi
zjEeCw+VCoL-a+SdI?oc`X+kHyr`DSDW2nT?8P{!`F|PNIMjKw{OrrC=i_U4ZQ-FEq
z^?MwJpp4(qiSN6$=Jc6q&U4Z=W7Ld3MjKw{Os1W1`UCAgm3FFl=O5_A_vTu2e%rz9
zoY%k@wfH?_ly$E{CyYvPPNAJ@-uWjw@%_8joZVn%7W?Ol5yq%o2V<0VFLREAJPm??
zFRSNZ$-xiMsbK%Ekvg^E4$N6>Uf)aK+Y0Y|bDjUv0MAf96zgQ?Y}XIQWV<dsZ}t%9
za`2=Ta+^fw7AW-uW&DM?;pcr?%WY5-b8h=C8Kd&L8l$Y|$DBLqe)tfb3cj;c$2*^(
z6F=|MnsZgA+4+4<V^q<8W0Z9-bM6KwaX$PrI+fI!QfH@dM{Hm7xR$hU4z%y9X6USu
z?YgQ{w(CZfWjpVo^LvD@OuC&@rLLfir<fmp4ym>LE{d+E#;Ch3j8V_d7^AG`$nsO*
z`~{sEw9~*l|3+sAYv=3ieCv&Z(sqt^@H0kN&#>iX&b@S=kI|V<JF|Ev-rp<;u;m<j
z!0fDZ-5A}lpV5YwIS+%AJriIrtMkqD;1YBym=|-T&Yt1rus`~hIwk!v5Bg(ZH*~sY
zyMBE;+x5U6YyC2h&hc0Dji+<WmHL7*o@0Ca+sbh)^mv@Nqnm6uMvs4BjJBR9%h9na
zSx^3k&T+Iek9WR6r#VMi-P`e>_MX|w7`^bB(T0~f%h65~I#X$9KIaT~!uIyC*4{;|
zy<^2Zvt3XBneBRWO<C=(!1+5mQ)p)q?<|i_cU#W!o6OE9y|Z0k<l6GGJe}w~;i)dH
zkIA&NgmY%R#CG?!)jzAlPZs;<61_2clZ!FhdiyhHdD{6WI+JLpP>ZW4U!l{-mh&>q
zbfR<X1Y`7}oyKVEUgoSoJO4swBJEUh&P)NFT3gQ5;+?Uk#^~dXjWN#e7^AIwnX?k@
zgwqme_XOIh=ABrl6?ofnrkmHxm}(D=F>PMh@-k;-+W8cnV`-;`cVfL!;AP9%{;kq>
zkI}>#V|2HSHoOX*f1@*=b_R0J@CrEI+m$*c>kyll*1lUh-Wyb!mEFMQmuy$-<DNN}
z)FS8kXXqS5J9V5h6W7ZEPg{AuTx^-=JFCme^CQ~%9G!8rGlF;GJYS%(<*Z_^hhyec
zG{#)%Y{d4Lds&_z)6N&@jHR8ayc6g7g7&tYKf#lFoR?y*Z8YlNTx+!9WzJ=^^Cdd<
zw9~*lv40kr*G<{_{&kB|r@nb*qrT^RMjKv*&R6J+p`BU0vm(x)=5<r%Tx0H^`avU%
z`i!nd8(!wjCi5Hy1u4v*(X=y%bB3d{xUH@6{&hd|cyBFaH}JlgZDZUs=TEfL0i98_
zGnaE_R>C~Z^O7vja&^q@K6#T-Z>VXskt=gvr=5=IjHI1;oHHDq#cgcmxn+zw&tP44
zgVD{i8(7bkId9U=a_Eepo%x(IvohvsZukEv&s((937w;9XA$QNM`v+sTX|kAJtxd=
z5VI(|LHv{K2G(<Bc`9(0N9QQoS;9FpoiR^yyZ=Xd-lp@cfX;B*Db$wMpP6r<)12pj
z<Q!RtTHl9NL}wW7RPoL#=ybES9{nrhJ&bl%Lg(AGQ_VTUvE7T!PFcP5>v;2cPl?KI
zFfZL!KV|*%NFy@O%IH+^y$u@9ndyRgwz5Z_$7!cCIu(4kLm=<0iq4kyaDGEO-$18=
z?|;y7&Tt$@#pXO^?e6`%MY}ib^IKW%ev)=pL8pT6h=|~wIF5?VdCHx4EuDQ~jki9J
zvi@1+O|pNwpi{y3NThPk%xc)~Eo`-Wn+>9qz0cM-`cWOD-ugPvoYiP&Rdf!c$Gd@d
zs?gcomUDe+y<~*<-x?$QZ<gg$(avh<45pn~yt6two7r-POe@Wk86#3El;x~JJ5}f$
zN;`9SXAN{VwdHKo)a(RfL|W&voEkT>f5I&|sFR1#&RpJE6P-=u&d0~tdH1RqvlEOF
z#Zc4R?w>xi6P}iWb1?19<DB6*&lj7=k;QmldcH{2;#uoPqBFYztVa#Y9`6dAa0&-b
z1>cX6&pUCRFE)=O3+F}^I3Lz~tla5K=LyvsI0w;r7V%D;mx|5f$ijJG4>&KC3s>&+
zqn+^E!8wq2mT=C@TG&6;vi=Eo4O#ze5?9(k&F^<8qksC-PS|aMa{%oW;7?jUPY=iW
zv)DY|E%Lm%2J-ys+A8IFDsa|CXAtdFan8)zm}g^op11UnXYg!TLGV1pd_S^`JOk)F
z>!Gth?NoElaGd9h&GV8)p1&C(&$VZgmFL;ti=02}qw_7=so|YC&lj8fr-k!HE;v6r
z`l)i~GTP~i&VIBrkayxdUu<so*G@R=1m~=66O=o%X=ej;_NARV&Y4*U`{$do{t0*Z
zpnq0%GOtJG`=({|&*ikUAv*ie&IsOF7oCmdPVGu?mfPF2bR606na}T7U8leas~gNq
zy=iAE@2rQ;hH_`ulp<BDCtIf|cdnrGd=s4tzO%)^JL{vff!sN8AvhnbO;qk&Njn>(
zQ^EJTWbsZ{bh_GdI^HjJn(xWkXn)r3t7)eiojvGw&*7a7&{<#ZEZPrwhJ+n6J4^5N
zmEpWaJDZ@hJMGNnoZ+>Yv)DY|E#{?qM`2!?v~jEGR8rU70cRGR7_*o4dkn*%>V|Qo
zVE)XLI(vrWx@o2UgtOy3Rf|yp7trZy%gNgN9-SjR)dOE3onyY#7nIo$+q<5uz2VLR
zJl{HT`YUsLm)@%>qrD%1b1p>4URHC=9M&A2O6pFjvr{<E@5ScxZj1IF-8@It!n?*;
zbk^W=WcmHzL*0uT)&gA$_UR>3mo^;d^J4S!Rts1B6N9RSTgw!5Ih$R~a|Jx<5D|M>
z%_(YFOY|r>Zx^7Vv#2NC!g1a%Hs2?F?SZ|GPSyOa*gwV3I;h^2tZiDMp%dMwR8m7w
zW+UuVb#3*jnMI|23h#z)Z&udcuyY{kbVFxH+NtK9Z=$n~E$0twEu3Q_qRVpb=teqQ
zqq76;)bP&6=&Wta*>jww^S2Mma-Qi=I@_RA!S@0M@=i56YuR$P9&O=_cUfPS^ZYQ<
z*%qDtbe=li*#w<6Z8_VR*J9Q`$5yFdmh%$rY==$--*FVdJDZ}jhAroV(lY_PV?B02
z^|G9oX{S3ned#<?d1o_pR+l>$K7%!6^I5pff_p>Evux)T+UbE#AKGc)oz2myk~=rK
zfOF9fc*?2N88(XSpY749rJY&4vjsY<$(@IGf^*UuaZPEeq}{`5rv{zgv@?fywnS%D
znG^0mfzy4+ztBHN(N0fvdeP2Y-q{MBE^=p^7vOa9TB5w&N7GI(bb8XxJl^Ss&MI=}
zJFB6l-DNbNr7IXm5wz1Aof_Ji&pTVA^9{N4N@sA6o(*M<(s87~sYPdd+F8Uq+o01~
z=7jq?;H=;EwsL1Aou>~v6?{5(3GZx+&dPFU&-aQ{%}pIg63){1fU(*#igx;<)1A&!
zfKxb&+A=7!9Xcz?of%!hdGx|H8&30k)Joq=snF?%&UUm@#XH^6SyApZ)CA}5%3U}o
z=QF>DmN}#8JpIwxmUgOnrw2MK$equZgR|p87@?AJREG0&+8Kb(Hnda2JKLkPyv!Lp
z(^RBtwxdFXa_1h}*#VucX=fns)S%Nz?py?CfXy~NTdLf-mv(kUryK3m@lH>4mXkZz
zmIr6{!+7P+{j{?aI$P1s2;S+1PDi<O#};tTy!3-|=K*jMXDpr3sbKz0l{$N7dZSZ5
zf5Q9r^Hj}3yTB<Ej3d{7>LqR*v2lI~d~;#lVlS(E^2}i{Yrq+clDbps>y)WQpS<pb
z_rd3=ntA<v3Vk(rA9Hy}k*;p&QcxFV@h%^9$?MFx2J^wy@G`6vkegMP7F-61ioLAn
zl{~CFx)kgqbEGb9rZ2kW`*L_+wn5db`p@go<!sK2<-|P1nMx1zC^);#m3rJV{m^56
zru6!b80@)ps>a2=Ap~adp$$FJpx|6Kk2m<E!Th}FwIN|#l1}yJH_iHphBQ5yLvJ*6
zqvwMn-VlHW^Rple!}oK*koYYWek_OUQ%D17m7Q0X@P-a(FrWKc7;eCKlfOB9`|qOR
z25snzhOTrD0zBojsDs=xJEB4U3@33>icZyNQ^iQp&}IRd161^oLl@eh;tie9Ab&oS
zxS=i>mi&5FG)$%qZ=s<xZBX-u&S;Q7dr9j5NT+J}^ILF!#`?oo*<=p=(V*b0QNtU$
zph5mzCFxWe7*fuDEE;ZoP8x#Hpx_)akT-NigZ!CE(oYS*Fk){x(QubG3_yc|GeRA2
z2t<SY96$N3Xq~FTqXBT5%i5yu4l;*<XizY3NAQMjXpo=#CjYe_41qbY&t`^P+As(W
z3eNUYc|&(J$k&dPzJ)rK>*GONMT2md%waGZ6r6`;@rE8~ke}D4oEQy;@fS9ThLy)j
z!%#FRI77<i4L#8yKZ{LyxDyOPTVSzdZPBJuHEP|AMMD#Me#mu|&XeKzY_{0^9)0dv
zgx6o8F#A0LLqa7%Xa#3)>}9Q%aI8Hnjv1OMcz<D@#NhDbh$<|H%kx+b+qd@Ml6w^e
z-Jh||w-!u$8mO!1<m47ifAdw0pTDox&o{u`+dJCVUF)mYxckTGecYq98og(1Y=BR6
zRMhM5<o5Ir@Z-OeJH#&|(PzT=e!bGWjq~f3G$}D9Aw!csDRN*+q+e#YF+F+@pB$YU
zJ$7V<S9eYK<bL|l;IUrg(?Y#;enWeXiH?g8?iU*}cxdLNO!!LfF_Sa{qbCOV^_kqa
zn;pK9+soI>Q>)cz+`atZF9ZC1?E0PD+SlL7?S<dT&A#;teud5N<o5Jb^rhUa+uT=+
zkI-1zXRX@^QNzYy*KJI9-F!*65!^C+;qZ|^BEaF}ma!HVEM^!1j~&_XFT((T0+#qj
zw4sDEjBsIwLj356*Il<|WWn^R_jM{Kr<cb>!`<<u0WLv+p#g1BHINSB5mnKEAHN_q
zjC+R}R<#ig!={pkBs93v1~qS}h6em-1&LwCuH8CSMbl6x(GdC$X-GjsJ=ze+8}OQ5
zA%1Lv#PCjaKb@+=@~1}8&~PScfQNO^7IkPt1aGL0Ip9YQNDYT3=v3t&4uC?A^~u}Y
zNCWg3Fw~|Esl1^E8t~%;q=w&Df?;RfFwyYccG8fBhFY}2z#D3!0pHp#F}z!C3m8^B
zj}Z-B4w42Kwva<j+K|N?YM}w&wk|d3J_W;w{aZvsi$kO#0}VB3Lk@4KjRt&6y3{bP
z2^a!aLIK12LkVmJh&d_~4b^EwE^nxV2E6_tHN3b3^TU_bU`}I(dRIup1T?5<LmqFa
zi-!M?ygQGJs%#qvKH!eqXy%q0qA97sFzlv=iaY9<2r`PXswg4?4&XW|0`9n=luKk*
zW|?Sa=89XIrp~x)X0*DLMjrQEe%E~+4>0#R!*!nD%kTN){k@-Oo;S-!zFqfnuKT+0
za}T~sZez%F>2A<g$@#NbG_?4IG^C@UK5ek@hNfu1*RO31bEfS#XdT^_?i3AEX~PsW
z)TIq2yrCHy@YQM?L)Ha|gXT=YGSRU3PcjZLo5Q%MO&hc=xaUQ4G~jE~Hiqm^!og5w
z+>1GCQEC;cPnywCgEkm=!z*aOSEA*Hnzf>#2*dhh*WILH78<J2h9ut50uA`Ov#sHm
zYX)u2TJ5%rhC>HQ13XcnEvnK6GjC{#20SulW61d|fEh-`h=$Y#RjIbfL_-zYkjood
zp#fj3wKY7b#taQtiiRW2Ny8j8IMRj!-ta0K@KsbB!@O$WK>qNk${o>glr}(t3);eg
zHWcy(XEfkzrZ$H8wcdsN;hw|GqTz8HG7i~j(9nh=-q0Ei_-dxDArksS^|c$1i-w+U
zNka}Zw0%w+EWE)54fvX%jbT9s%#+pTEFB>l#=4P)xoCJs8;W^D8#Lf6fVPI6&>yM=
z4OuT5esw1e^U?5xHk9y&wrIfDl57kMZ`^?AW}`MAiiY24!vZw?OB*yTxw-l^G~g>o
zwuYxZU~tgF%7x97Q!bNnScHa0w85D-v_k{FP9!(ftW_skG<4ruQ{(EW!H?2f&$02a
zkC~y3if!%OR^{X1a3untS=V!3Y;)O`DVpjZ9EU%-Pp=SXkJ0f7aVe?EaZwZE6UU^)
zC7a@7;>5q{;i-@E*8BMD-8{X0{oTCT*GLCMkB)QmjP~(~3W)acjq#5uD-r1RUjBTE
zpnFgsuK-g*kKrl4qf`C-$NGk(P6!{8Fl4MDJ|i@#_ax(lSg*AB^xlR5r~&wdM;Q|n
z2B*g-W%&6H8ITwi)_2N~_+jbMUU3-{;Gd5l7B#Nl_+dUFgL?EFQwc=^AHBEU-yezu
zK3?8_eqNPaB=9LK66ml<pob!XcLhZPz3LjlIj36Gvuz{x-5=?`Yq9A!8rKNSGj2*(
z6Tav-`hNK>u0qLG|DecI?7PV=YiS^v!H-hk)g%u43=J0AP;6`Pj=((QrgZ&FnW5!&
z!3>6nA>vk9e#`ww@>?G9WaD`^cwhprXsh#c^c<l*CAOX}5twuE$K4?&;3)vlGsr>N
zmSTR()7A1@UYJ<kwFg|p7BQ@<;JLGxc4=NMKgKmd5v|xfb5q(bv58X=xGq7a$F_*`
zTVC6g-||)yCEs4~<wM-qN3k8VhCy)|d|%N%t*tLO0&|p`QoYH>R}8+nt<mR_-}33O
z{8o<p{)f)Z=-fs-op~qbF*l_nsWRu2kuRLBYQCP|s_rs-Ue*uy(eW%q=a;lo$2&3C
zxhWk<l{qIuBSL$-<hN=%CcjlnYrY+?O6L}IZl#@pywe5yrF1kv=FIv|a=O>gZ?$-~
zJuh<>(eZ@J5cJP2w9~*lF=x6d9Tku{^I_nM@dW3q(|1+m)U+eV5mb-BSx7r0c_-#o
zH>D$~GN<NYIj8f>Lo0Ijqn+E(xtVq*@lMRWZc0Z|WzPF;$~&FgSLEEKBjfoMI=`Tu
zX5NYU*-hz4s?7NSo)o3+-n!MAik!P?C#;I0-8a$BT;7RCd~ZreQf1El@W3l`hU~A%
zxtDhCK<8()vygYX;&_*iq{^JVAjd6pTKiPw-04rY`#0#^NIQ#o=j-T{j#SB<y<z23
z>U24^ry}Qb+6mP$X!lQPr-gTRK&NyhRpz{DF6V61@km8ZO#m6sUFh6EJBxW|M|4U@
zQf1CliRGQWFID7x5=c6Cqw^EmS;9Lzp;J1NDs%4Bm3M|UsmS?Lchb2BogdRqjk8TY
z7aZY+PU%Q$Ip+~i$d|5dE<cXiRP6kuC+Xaa&W~uPmUp_NQ#z7b&Upb|qt;(odscls
zchk;&=v+@boq4ARI;A72<(#*gfOG%c9_pQ&2a<Vw5js`OpE_G-P=pSh^7#{T;v%j7
z^Fvy6HqUPbd5A*0vpi`R_=xq-e)Ory=WKmlB0SM2&pRO(F3{>fcy$Q+8uC8o+6^wV
zMpMx`@c_EMq1)GB>++7!qf0s-RMx(b`<k`-C3zdr<s`Y7XD@hC!NWd^>z(Lf2hnqg
z_C(rxTqC^D!(Af->qKZXgVrr<U=wleypJ{<Lc>AYki;9j(ZF53!VEWh8MK`a?}D8e
z7Ki<`;V>Ew&;~Pa@Iixgw6v^U+Wy|!pzZiw(YvA{ei+#n-=bkZZOG*fzG#q+mX;aX
zz4?Jb+hO7u*ezyp*hU+UprMF16z~Q=G)PBF%Ne%sF=$_ZSn|DScqM|2!%;NsqYZ_;
z!5<CM(b6(Q`=R^5Fd}4(Xc#z}G{CA2@);F%iXz?+fClMkX_>*b%R+<JH96rO(Qq}9
zG#o?29y$&d-q0Bh@><F3hR+Pz_M^gKx0v;ZRT-q=I2v}-hGO3E1{$QJrDbvGFwV=M
zZ5PzNhG=+y25Eqv18uR3Hk9y&E@+UBmX;YhZkr6R(m#G!S2S!jlZF#$*hw2St!?rg
z*NCoYkdBs?89D{m07G=tOQPZCfjXMkAm?EprMcSirD4~Z!R0n>C~zrnaJUqXYpV;B
zq$6~H+|U@VrMrz4Qs>P#G}X4;kV4nT|5qQO^Yeo9b6$Eke=mQ3U!C9o`vY{o71YN6
zg9CK;uh*eARc>IXxk-1LLfcMr#nhX1+*6}u?+&p8bWL3+H~)z4H2=#tRlI!tbUII8
zotu}RpSQoCSLL3(lx?c8lb4mVsWPrzT`DpB6DPdYbic9K^c#(9I2K4QVM4?<1jWh5
zqnR*yMi+xt+j0z)2HC@Bs|RWL3k|DiLosKF=!TQ7JXyv`SO4Ix8KU7!FqmP!Wgn$U
z7dCcop<xkiD6utohhqWe5}x0-iG!(KLo>wTjSs|xT`=kX5KO)X7L(Qfb*Y8TZS>5c
zJsK!LmV4)=OLzwslS^1&<2?o7`MgA2*a)WXZ3R>BMde*<!IcXkVjsmg%^3DKx~9=C
zt*t9491AO#@Et|oRRpf5utb4ERdc~KBw8?qey`-a2tL>ksAyvc{_P-%NTGesw!YwS
zET~+3Wc%=h{tWF{3_f=#DX~JDV2UabOrytD<h(>X|3POm?bPv3ET~+3XwR7+Ejdja
z1XC9DIb|>FhnHz59JzsbPNJQGyb}v57a!PjIyy<t1qQ*iWT#+K_NsIW=uD!W2HuGU
zm5cZ7Imd62oU381eDF{(DSMgo2Rfd2(K(TJM)FQ9s9d~f&v_O~-D3az9LCO8U%{m8
zWzH+K^By`AX=f7e^knnT#k=;LZ^5!pbnbByOb1d0ld@N(^FBINyl-OWoqBW%_MDar
zlJi7g!E}17U{dxn=Z|zeAD~mk_gUrgPA_!cvF8kWNpk*DBABil1(ULuIj_>rhv*zn
zw|fEa#3Iebf9yHG9wa#hcfs^9Uoa_qnbReJoaY~*a~$m~<egZ^xmaS)*<s!bXIhm6
zA+6?l!KCbE&Iz>hF*@UEXA$qjV$a3D?K#&#DGSF@+DjXSv}TP2J6`5Yq@DkwQ^ogL
zS$HQFgf8B;=WO?><ZLxVNNaOlu;XRUiL~<xI>*rQEash9G`e`po^!o4f2O(b7Sg&s
z7Sfcx%$Y<xpQ2O6_gR(jPAn{4{L7xxMVdd;f?|cVekTPxUgkVWJD;I5j*h3MtxcX8
z9Nrn{r9bUCr$B}y_Ro-YLfXtbf*mh&o}!)4(HToSwY(DxR2OgBbFPb&ob$dF(sFe|
znzC1&GZeB@$d_Vhr!()wBG$zl_MB%wl$@)o3TXw2LYlIdIjeT2=Fd<EbVk!o9q+_K
z*Tw7hoKG4`&ce@ywC#<BG-WSyR->Jc=!~MBfxHvfh8M5dbB1)0oV(0ITG34*P1(zw
z)oEuHbgKA1D+BL*6UWgX_MG#fvLlY8<9mhlCi8?eWiNBqpq*9G`8FNTNZuKU&fo1h
zb85bDrnk5&q`Qm~(v-c-S(A2FL+2>knZ!H0qw_a=&dm0bQ@>hB_pdJ4@iJ#E+F2c)
z5wz3HJA0t>S9{LMu$hDHp5EiKklr^)NLThUr-61t86M`Pk+d_HclJc*FZP_9UX`3f
zn+oZ}X9;$^%sGU1LN5a62-;b|JA=^qvpuKt2+0`}Dx{As64I5uDxI~^X{4Qnyt5ZN
zi|skrj+2}z%Z2pxXF|HNmpR+_Am@2lWkWo}X=f4d?2XQ!>^U2JEIH?P5z-fZETk)Y
znX?1!tc^|;-)Cjvoqf=G)t)o+XUX~Q6d`@>Z$i4VmpMDq&N}E+@qJdsyt6Mlf3)X(
z*g|rCx<g3c>>{KqdzsUXcEXkyw7Z&nvUz7ebY8LNG<A}k+ZG7v-`p3{mA%aAPCM(N
za~Rz}HLr2`XMc45V9$B?4as@TTSz~(R!CR&GN+Dq)<<Uu?bPzl0qDGJ&pEwx{ybMx
zNWYvcq$_)w)01{;(K(cMI`ht8bY8OOymv^7=kL9R^vAb_bY(AdrqIp?=zNQI>Uifs
zbY8UQ96J1kGo#u8A)|IDAzj(aoSC!}vRN2MLuh9p?;M2A3-+AfE|Z+v6+%X1jbO*i
zoO5U=RDr;0pq&QZIT)Si?KxjxA~|0fCuDdw6f%^(%$ZF)8=-SB?TqA|26UdY=Uge(
zy)%5L2^nwvA!I0fRXSfr=OEgd#5;$e^Q=AR%TivK(R-(m5!_a=<7LhqI-ZTuIgoam
zdFNZ`JY&z9vq@_A(1$|C$Y{ZimpSLs&L-$o@qJdgymKfzPup|ehdn;blQR+ugp6b-
zAw$`#(%BT91L$}b@Xio)TJ1Sg7fH^vR3T&9Rl$yzId{_WY=+MMw6l<R4nwEKp7ZG>
z$vLa9kdeJr$WZn&=PugW9Gz;ukA-)JqVtqJ=aSbY=fW03#?mYyL)pumyJ_bu=v482
zRu<kFhR&1roE~3E&NW6MW8EPkL)pumduS(Qi7?Oiq1(NfcMeDA346|i36gVDzL4>y
zqmZHOWzOn7$#q9dbgKA1s}kNBj?V8Z!&!rNwnAqwI-Z(#T>fc9=kdyL)})<~B|^Ig
z(M~Pz9D&Yb|0Sn0I#t}8>dZSwqVv1TaNeNf*&3Za=y>XQX9PNrR)+IW+UbJM?zA(I
zcaB2mk;-uXMLS^^1Nx_m@3k`U&bQI|ZDlykLFBvyt6gxuNyjsicSfS~aAi1W(N35Z
z!P$*=Ch^WFbRMb<XD020pAOEhwA0KxqtSV=GMw9ck?jsuUvPGzow>X-2Au~g!?}ZY
zx}x(9+F8ImW6`<4GMwMgPRPC>o+|FYE##eX=q#!X=P}yZ0i7!D$SvZXqtUsqGMs<)
zCi`bcbgH;V*TOr;pmT3!IB(NVsQy8_tN4zrV%|9xoqH<7SwcJA(5d21;1b>$kIvnd
z;e1Xz-O=eok9Q5sVCBwv28WMB=dQ|dYWk4<(*vC<?l;!*&hhBnSsBg%+NndQ7adP$
z-kE^TZz{vtnRa@jQ%^f}ymJCNcT|S6Szof<_2~4Zoq@bF5uIOGhO;^C^g^eOb{cr+
zM09Si4Cgc2>5Wbg+8N0^lhFB9WjHnc$aeQZr#tOT;+>Pwxvessj<nMkohmL9GxN@5
zbbeVG&SKi>hfWpWk(J9kQ_#7!GMvBAPJeWEq}#oKcc!9qOJz9I`jh=L0G%CZXCd#L
zjLyQ!a2}+cozbb{JF<#+rwN^#E5mu1cEWBc<aH{(Bg?`&)6n@vWjNOjAln^IZGp2r
z-R{M_Gaa3qD#Q69?d*!qcC@pEcV?jT^U84Erk&l;`5Nuiz{=Dn|D1x(&nm<DH|=~A
zoo#8SmUm7?=f=u#E(j+3XCOM;&`xLGISrkkR)*7OFzM`$P8Zs#<DJvdxuG(gn+&A0
z2Rd8R&OqKd1D&5#hVu*B*%O`4w9~*lXQK1t%5Z*7JA=^qD(#Hqon~}?R2j}4w6hmF
zThY!W-uVtX*H?z~8`{|$oh@mnnRm`Y=ZBTyTs(vvM}5%Qf_CQe&e`Z(R~gP++SwPK
zuh7l{-kFKc4=TfXg?9Esr;0C0Dde4V&{<F!&L3%Ke{?pZ<5|Qzv(Wi|WjN~&CHv<9
zbgKBm7YpyqM(5hfaMq)p!RTy4$FrDs=Ad&;WjO28&VlGu@#QroymKx(S67C!0qq=w
z&X?(UYGB8~CjXp=&Q+D+Y)Cr?qf^C~;Ana0e00878O{RQX+Y;obUdAT=K^%TTN%y|
zXy*`gHl&?8-nkH+`IX`Pi*~++&IYtIkasRZ=gP`(-lCmD(W#}K2Hv?CohvHCIXi@$
z=R?q0pLRy_&RlfnRfcm8?Hq>AdbBf%cP>Ha^8b=E6rFWxr<r#yMdz~0a6TJGwtE;l
z>(I_z-nk5&ODn_qoOTXJXKmV9z&n?tb4g`5HKAlY!_nzPI}3Sd9y)U?!|6afjp(dJ
zJBxVd3Un_1FF8k`vnK7d@XnR!TvQp(uF=$8NueXrsiHn#Z0mG2^<hqH1Lj<C_~DE1
z<L+p^lH?Ep7Zy&={#(2&sZ9)Nh(Lpi+ItCa=!*ue+>mjU8R}<>hD9dQFbWMS>gt*f
zHhH6~sUI5Z%M6naIf3Ez!wW>i5-{XzD!OYZ^lda$rTdK5)({+?k9}rgW%QY4bgUxL
zsiJ1?Z0mG2^~YG%lf^1|#5%ZOa*6wkSY4V)#wrR8j&!Vawua#FcQIBADkD}ufHM`^
zlzkNMw~7vpMyHB;c%ZG*)ieNORaYLXN&O*K)0#dK`_=5ZWUOM)prK=Bur&mSzlX7!
zUm3AF4Nf9fvFKD$>yET_x|)J9R&`{tN|~}8E)7lA?hs?;vXnH$p+Q9*JBc?8L_=+v
zA+`NkgZ8z<v28^|TQCswz-VS@^OSBcv#lXGd=<9Wyvk^=HLJ*2jlo!{s8Q$II$ceJ
zFjh|TSe@Dkv1+;do*1jOU?5^O7Gw1<9jgLcLvZ+NjMd!Ah}Eg}WUS&bRx0Yxg|<#t
z(_oBMEm^E4U%U$!!8Y3Vr5LL-U?5^O4rBF*j#ZJZAvk;u#ww>WV&(J&8LROaD;2e6
zi>=euWWZR}l*P)F<!#Wm8B^0)j8z@lkbnjib>m{*Fa!<K7e18bMQL8C2Cd6CBNmE=
z#XHD2OhAK*ns5nkcnb~EmpPO(6mJ7VoiAQIJ9245A{tcGdo>-oyl5yIq%UeHGo&ws
ze%tzON0{Z<yFXDyWE>`<K}9WB%Ns(_P*v6+GOj~gI9L4?c7d58=sVJoga#FLT4&xc
z3=LIehN(@~8?>#?O@*C(X2_xqlhB}|2CL%@p=iLnGHr78sXd@AT5U8m6%8X#ka0*x
zgNpiUAa4jmgM%y%(-L+Xv@Ol;r;3IM+K_?<6}3|XZy1gSjoh#X`a{dX_x}+MU4A0t
z0I3X|8&OdgjpPmC%wTygGfaN~ZSl&zHOE9lwPMmR84W6Go=LpHh=yk}!_2oJ4$a>S
zS}z)&{XsrcOw7>c7X3^y+Zuwy*D}M!Y-X^%zqR8uxF5CY-WuxPA1uB`#wrbCrJ|mh
zYwL71jlftvmB;Gu-3D#5r=L80(P#AasON7w#_CTxRt2_(;PCe`R$1~``5GWrb-#pD
zH{v_X^t+Z_X=esHZ_>^}-dTXoIdbP4JHc6F(`EI}QB%oy!i)iZ?>g<Y@Xim=nJIVn
zUR12D|MWwxdgt4;a~e9Y(avJtxelGP<<8LW!THzHU)4MB(a!1U{DXFu@Xim>IZN&w
z=?l(l3umZzrW_^P-Hgs(X{U21o17##d_6kfkvm6^1Lu#kL)1G{Y3DoW{DpSvc;`px
zG|Qb?e}Hp$G~{n;$9w2^WISh~^Jm%_$U8qq=S;bC35@spTZZe@JHu$_Y;+dWP6O}!
z1f4VF&JP}f^Mk&Q>Yds~^{IJ&4mz*W&LrNs0iDz3&aG@5E%7_6-Wg6iv(Wh??KJbw
zPtiF|?mUnR&Ue~>tln8dJG0Swg?8rh&W-4tDtDgV3eKb^@T5~aj(%@KwtEgbf1sTO
zyz?`3PLVsW8^Jlk;ScrBt4&GgTy$QhorS#fb983Noe%TD+5ev%>YR^Yy>q#hSPRdG
z(y3zYG%Iu-Ixo@ABHp<Po#`?s+`kOY&OgJStft+WbJwe+b3QsR(oPHS`~sb6a%Zzf
z;Ot<9-5IscHO{1S0Xi?x&SKuV8J#A%v(0sIzFKzoRK@uxi|1O}2^A8^>(0~865d&e
z&dG9Tx5wbD`q^sr@$A`}jOQYBo}--_H!cs^g3eUAv){>LZM{bYXVg1;(ay!_JWD&Z
zymKo$Q{>LU{@}d33aUeD`)7;`8P8mFo}r!2yz@(RCd-{O?|}2*xZl+~V`=9Sbe^W2
zI^MYros;CwTpc*SG=8n#8Am&pqSHz{19|6H=uDD33lhQkVSjjnsBL!@&SmJd&`tyI
z+>XwPa_46~z?uJMk$R^-f$X1o=sZa~lX&OX=uDJ5w>JjoLhlFao!+!_1v*dAPBZV^
zfzAnXXVFb?&g$T<-swX-SEBQK+L_Bczd>h$%nA2dgR|2amFr^mJo2NRkfOlz=s4{x
z;GH|sIbQB`83oSP-!)esPk-9^E;^6V&O+X~3!UTS&h|&a`O3lV>Yb4j$Z_-@I=`cx
zMZ9x2I^*R||LWkZ{Uv1JYUiaM@a$r_X9fA^Ds&#Dofh7?2c2W(&b~p#+PeRKXjJd)
zNjo8{f&O`fb{6x_z33bxcMhKg&OeuRQt$kkcCJC^x3sf_ckV;yXt{H25jZc;damC2
z3+-Hs&cn1*<Id%EMd*x^JJX+m^H{P~y>mD0dJ+BeeRLk8om$?xADyvs=c13nxh>*N
z_0B!CvjCk3X{R&qJb=y^xpVDr;9NhjfqLg&+W7%G5715>?>vakXt{H<3pkf|`465)
z#w4=c*P(Mi?F{6dhtL@%cYbppoOAX6!Sm<?+W8?mi)g2TcOFJ(q}+Mv7&vFNAELh9
zf7?mM^AmLLrk%OG^ILSjEq9(;3(k}l|H1R<I_=zm&Rw*#fOj52=P0@JaxysM8|+md
zPu(suo}Z#~C+#fcok!6bA$LB$4bHy*M5}k|Y3D|CenUHpc;|QM94T|c{ovsA|Jhr;
z)0=jFhRz+d)51HCp>u@X*;oTkxAWuGJEzjl&(Zlc?JVY<$I)q&J3ZmMGV3<nm8#zP
zE$!Td&h50bgm-?A&TzT&4cM2dTcZ$KN^Smmly-iB&aY^v#)Hd4PM~wR+!@@qSX<{o
z0qpdtb#B;Aj`z*z+(tXKyz?YF!{pA9(crw6J6OH*AKF=n&M#@FGw(cw&QQ5C*$JH1
zDSOmA@6gUI=-f&>b-dGp&S7%rw5#C!cH&+2&Ux_f1O>SYzPmScD>_xopMkc{pl~ZX
z73R<Etwq{8yG$L>*<8p_t|zl~`&sb8;}t)O`v<1bFVUwa|FHFS2|tZKdEN>4f){A(
zY*|_Zeem4{wm#-M2QD+X*hkTo7`hEzD%NX}wl44RGw719)8QU)v$jsb(WmHwJL^Rk
z^L!1@c9=dZI-~v-dQ{XilWaY%;b+k!ueZZ}-v(`+Twjw$!wgmTkp`$Rz#3LXt<uaJ
z&Y?kGOP|un1O|_DkTWnt$65|l9H8aEprU?K%p1<5L0%`H@_9Xjw)V<yFAV!=1GE+x
zRMbXFc*6xW$ZOzJtZ=TZ_N1n;YG83Vt0m)5ga#G;Q>(Li?zo0uM1#D(J++U<pmln(
z-bpk#3?~i8(6EP|0}FV=B{axu*VF311qSacGetw>DAMpf8dT)lMZDoM8sv59X>-9)
zYbQIu!P?@Bk4eJ`G^og>Exh3eG{|et)6TU5Ln7PzW`>jvq~RnQRLt|myx|HO<n`p~
zVK6Rg{<Y#oe>k_9G@L?%iX6CvH~feOd98T*#b;m`*J!mEhr@SC!&x+_$R7edxp8q7
z4e~nhjJC(X(CWKaL_^5~(r^w9Dslq@Z}<rf@@L14EsG4=8cSJ?g7t@P4@tv$G;E>A
zW+ZPYMuWV5JL6UhFoZfR5e+?_l7<UtD5MQZyy0gw$ZNAR{jY<;X}eZ5)avR;Jufbz
zVKZ$o^M+s0Ag{a5jP*BYtN%3bPtkC!KWVsxhA(JCE^qi14f2|**%O`@)f?=2A{u%d
zNW*0`Y@!VXyx})A$m^x%FQyo@)$+RE5e-5%X}E%h&uBvtZ}=Sz@>;0*CvPysHi#Du
zPI;u^M>K4t4Hn+;2O8x0rulgx7<&FwS2W}mkcO*h_>?vj^M-3^kk>HZ*=jUst1fx-
zWzlf@L(=dQ8aB{|65enf4f6WrEN^({v1<K2aITEaQCrWFhM&>!F>TQ5xw-lV8sxRd
zS^e%9v{fE$Xe1hzo+Ayvpy4Ch;LICtqCs9)oHZ^H441NZh=v7MNdwI4kWa3s4LaWN
zCmQ56!&&CWU^tlEPBbL`L>hiW!-upXkT?8=26;VjR&EFwzKnV(8b17!G{6ZEh{HPC
zVBih6&>&x{&id#H7}f-j77dO9Y4`&TAJB$K-f$ZY@;ct^9+1OS(G<e^j*SbiyN<Z-
zG{dj$tUa%xVL5F`vNd>z|BZ%0vf4sswLi>S$F86L@M7(msog1LHg3y29qu_&YxL{r
znNNGnww^BGCFtp;<S78ph%qnL=$XzBh0J!*LOGW^xN;#x?4uZ`8KF1OHH&uT+PZ?m
z|3Oz5C07x+{(?0z)ZUs4nV!Bvrf-3u;7hyjNbUXIL|+E&E3owihu=Y;my)j-d=Ze7
zV{I_Ad#aGx`)Wnb4B82q42-*U+F8gu1$64|Ie%y-IfrZ&GQ(O3cD$?~PNAKDp)-wk
z7V*xz==8Mb95hUFjxh?E35SGCWiNA1qn)?VX`-DL-gyt5I(yFjFc`#kPs<lFr#lLn
z%3kK2PCIX-b29BL=AHM^>0!_54Xbj|nSEZ!To@>1Dtno;Xh0Qe9Q}>XRN7g>J0GCa
zUD>H^*$#S?TIW}Ts!(f<5_GPlof<FOe8x1AIW13^)8^gJne6>F*U9gi#b-yWRb;IG
zK|?Za(ApY;!yjU-+~l#U&E8*Y*?N}xSe?8@I`5!!676*6osZDjN$zY6`zG3!jbTSd
zZJVB=odP<OXs3>MK1OFpx$_lxe@)x6L6Caqt6i#6W8^M6C(_P9-uW*&JII~wV1Gy3
zvU-wwrwi@8ht5RWY2ckt(D}OD>07{@_hFr)w%yy(&im+`KszIO=TmgL%AH+cA4=P@
z<cNCb+AOl&AD}aVb|&%8XXtD%clL&TC~eE%1@%tv?5b3*2CD$bF;Zx!+142p{v4eO
zb9h*bB5=-Gi%!VZl%F;18RH8+Vjt=e`lisnTw7lkqXvCG@;D|ODgfUA*aLum*^u`!
zm)Gg4)LP(QbeU;ap{>i?=zuPT9Cx~-8C<@wP6wBh<YFFg@T5Yz%|41bcXTLJoS+?5
ztObf}J+4Ma^z@O(X<?uNJi`mbXPjnbb;|G@4LNj7N_ayRH1w7m7R>-di?A4t<}t)!
zb5Ipcdq)j^l;Ys{a+nJ<v{q5$E%Yh>tatdqSd|&hm)>o7t%k;Me{{Pj>%yl#hNd-Z
zHC?9B^ywAi>@hk%Auc5~IWB5KeBzjtxMWj&Oq}>PJ!1X*eZBpB1Khm4Vtn1aedBa)
z{;_dBZZY1vIM30e1AJnlqu(@mcJ=fL@bmQd^bhcBXV7=`*6G_Byt=}Fd3O!-o1Ea2
zmfWvbYWGQgy(VNNOdLO1mzohZXkwI~sr%TTy+fzOB*ly~PS*F(^+@a&H#}sVJ~?H$
z-rzShXl%@w_>g|1!-fnsWtd*mj~<($8x)fs;MZqL-|nw@#lnA_`-X%VJUrb!>pJzE
zn3xzBlNvuUv9t4lxVR*@?g{axxVlc=V`AcxQad|$@aRz2>8+^5F>#%pqcc+DQo4Hi
z`ss9@zB)HAKR<7OKQEuUPQ&0|->v(YxJ39L42+LSo|rOmbgElW9Q&h^Gu#FzrN&Q)
zpAyA>iifApU02s>;83@op`D!vWpwZ7A3nBMaIg5J@nZ&NxO;iK>)k!w;rF<E>ftZ_
z;1{0me&|evKi@4lE^$oi*v`)IXY`$z0zc2w(>*m|vU_ZTd+dv!=RP6HeS)NLkC`~3
zu2Wqn)@`bPK&6Ob?Xc@cspz^k-A3bTtcG1TNb0&`w{dM`UDWVL*q*3$ue#WEt)G*I
z_GpNt4I1C_T^9`1(a=+7SlnPJGu&S+8cx#&S2Vm$8??Nk1{!+E4PK$JHE``Lq<^d}
z&d`R}(J+cOIP->@Xy`6C^o3GS4eP!ZWd<|Mr0k<Kjc5|XI-p?)ZP3{oyp6Tc;4L>K
z{$|$J`0Pl3aeB8d&e&mHJky26q{XHx#A7h5BYOJMo<Lhq7o!t;O4Hra{<%2uw*v6E
zOcEc1*2S3%tho^_%DbFtS0{A!p<M>vRU2KU=`HU%ZYl5ja(8)`>sMsF+|bpVc17~8
zI_N4*XL(n>x5~MeOzK?Twe=zCaz|G$+Lgq+>Y}SOedS%($Cr1lbT04O1}@gu*~d<Q
zhhzxShhW-ewsm<M>!GW(<WT0C=>q+I)$+dRa>D+#WTi9f?+YK1bD<7BVYDaL*5hid
zkDku5@drN}wu5G;^cLrUAD@#3Shzq;LTN(*Z_uJ4KyJ8I1cpv6o{EM$4pdqf289za
z45JN&yrBUa{AGrvpLK)npox)hhz4VC(g4XC7(!@65pQUS20yvshlgP3=CM^Ybb5<4
zc%xw`ZLsi$m(buVGc3Ezwu1uo0ir<<1~xv}$IcjmCqKkN#hg-XYw$KULW6uxS-vI|
z%Ky{5zw}~^EZ@+<x_r}eHb!QFr{bki82l9QbfsfbV(aN*d>K8?vY3De%Ky_FCcl_V
zmT!G#UA|+iwVW#xT)7Y;_EC(}j4(fRdDAWp{LXS;BN1e5jIJh1E-3#`-(f~qbL;Y>
zA6u87)LIpM!cb~y9_Ej}j<io}>kBqEL0>&3AC&*6cN5#u#k&0BZ`S2k2UX;}PdlM!
zLi={0ozA?oDLV1`TXsEI>6{Gh%bdGmk;F<e*5x<gb9;e3FYAX7XlG}1s<{4H$2*&$
z6R)0Ca<-i(IiDS~=2i8!=Vea)NV45w#)Eje((w%Boz2l%+g`h`Jp96$SHGq;uTipf
zxw4lzy=i9`bhf9R2HyD!I-Tq}Ydc8JS9@FY+7?>vc$sr1?d*!qcC<5+ceX%hEql)N
z(~{F8)0)?LxHV7N%bf4f&Ti;bagB5m?`(<An)aOc;h+SLqr5i{So3;yvgRp!nR7Pn
zd=s52zE;u9J6oZ%hCOHMKa$g+vE~gMXSL&H&N;L*5S=Qnn$G2&ucEWMJ?E_zk~6ZK
zHE(=FYo4-~IgioK?&x%(`)2{~bVg@2d(KH($(c0Gnm73mYo4-~IZx2e9_VaMI}3Sd
zYjjq%=X@kc&Z!1#o_VJ=Pua_yEh5PIvnM*8X=f4dbU|kod(K%GB<K7^*1X(@);wh|
zbGD+LLFiQRwTc$r*#@1C_MFv+NX}K?Tk}45vgRp!nbVne_ClwMYpsiUXIpeS*mGt^
zO3p2**1YXkt$E5`=8UDCuwsJeW=p!=OL*sN=+xMAIwncZ-F>Zj`?p&2l)cP3ns)X<
zr;4kuHIM<8%R7UO?U?fdUMs7VhnQzd&hN9VdDaqZp0bxY$I?z%5kovxT#v2go$b+y
zSI;Ur8$tZV=g|eDHSfwHYo4-~Imgk?e&}pYx4Sd%bVVm#`>N#JdO&ji;%?2mmT%2d
z_A=*q+6fgkh-Wj}spFlmqZ7CHm7GHcNzPl2*1S6j);wh|b55Y01JK!&b_Vj!4(R;X
z-Z=Vc)eGke$Bot%b!S-fl)cRP!zgl|4@PGb+G*gO9ntyNp7ZCn<(w;P->t~G=WWtC
z5S@)_XC&|Jgw99yoaYVYosExH<ostf=^TvCMzqt+JKfOvQ10Bc9M*9YzLnN-tld{u
z>=bAx{9D5~dWm-C@=kYjK9D<ij0I=(u5k77yh}UbDGbhrw6lPBdZ6>Z+_~p8I7fbU
zPrdW2Psw(F3!M#UXCd#@q4S>Hc~T3`;E#@|cWO40&Y|d3alLmD@AO3HUAgn>AaHic
zdsn@)3hfL*XMH-J7T&2xryzIUUI5NcbHv)Yi&e!qs!BVDp|c+CEashF=)5CyLhS>b
zjVE4GAJ6KvGZdY5X=e%V^hW1Da%UsB62r0j+n=d-)}WnX=v47_g_-~^uk%4?iQL(?
zuvqJGZ}1HD&RVo{I67<7@znB8Uv&O0cXntF&XWGk)H{!VL5_DLI&0BR9q;r*=WV&O
z^Kft$2mGnt*?2SQ9D&Z7v@?)*`lIuf+}R7R7;!k~@gF=lo72vb=&V6I4ZJe|oqx%l
z!^VO0aI3rO<M|5hj6i2~+8N0^JEQYYxpO>RG2*bfR<wF&P$AjwqtIE6b|&%8H_&-g
z?wkx)j5w@+mapE~i*~+^P8DA{Xy%<=(0N1dG{e>J4(|%5D%A<q0LYiB(DBUWon6s+
zUGB_<tKS{w{`!G>XKy;5QRsA}odvwJ8#=Gaou9+ePKU&!8`V3P(@yB^5Kjl%S;#xz
zMCTuJ=XN;S=@7H$XZ6mcE#x?YLv!HN(9R;>8Hmo`<<9+E!8!cPrs|!^v@@1DU7piU
z3-9cX&fnxtYY8~}uDki4Ide4??rX+jJXOq}#kS5MV-IvH%%4{d6=@y1)}M~f=JxVW
zwr)>>I1>B8qtT}(pR@IKG4@2CLf&~Tzd-BYwPZW`8uC8oirq@?n~y=4iuJDsb`s0g
z<-CnS=#sC~p%!D-I=H_6F1nl~7xRn-Pb#z{`zY>DM~96?kBa)R*4E={?8Q76<@I)0
zdmFTxDvw}XFvIz*T9jcL8dT(p2H3SM7ZX=wZ#2kj=_{KtgXaD#qT$d`CylG420u!1
zaBLg~*)JTGRdKe2ofRoFI9!RqdF(pAat*J==&w0y3>l5}{qj2n*Dy5IKd@Y*kIH)L
zqrCM#{(3i0Z(n~mZ*OmZw}9x;ac-W`K0Z+a(LTO0{xM}oW%YV5fBvX!_n<yr0j7i=
z!&7`mr~3Ji^$kg#5I!Vf$XG*sMrcy+NyZ7WUTN{^y$u0y7S<;`%9xliI6Xco!_Rlf
zfW)Y<zEg(84@-~sip!V)|9t$gsB!(q5Az8b)T8H^N;oX5*TD&2AHB{^uh;2yx`4_(
zEbCKtSXPIJW!c$T_z`fZSNX84UiDeobF;{P1J!WoH!98pC2{@66v6uLDLiT}d!4GO
z>*U%${(s+ZymkHo-rm06Zr+{&-d;MdfJ!}NE$cVzkagwso1Z>*qUJm^&Uq@<NoJdV
zqj8PEeB@?h_M9)9Z@ix7cbc}}pw&NchIx<8yHyKG!#ikD@eI%94VY`(d|762o8rg}
zE+<99x8FEv;9nF!O7kw9EuO^;E|2JZr@+?W9npi0pPP6d!6puFMX_eBe#`IT{*P0>
z+u@V>ZpZyuOpbtu$Qx#(r-b$t+IqS~VBT;8_sw`u0eEh=5c7t7H_N(wxAS$%yN-g3
z$hR`lb&Ylv*}8%vFmJelbza_81g_&-#C$8??T`NXZhvl5@_h$BST5p6u^qF*=Aci-
zS5;YTeZdi!N8G^r1n(;b-?FvnbIEu6r&Ye&{hW%N$7p93I#qmCRWa|xT;m4TCzPBm
zpeM8a#(Z~&k@@b`zqRLO{ZNH78=We?s;Y!{_F?1V2IkjF&i9r`&Ia%0yEmz7&&!;R
zc9QK5!wJT(im$5DbSa-VX@VpAq7&;AO3pTuC1>l4`R?s|<hv_-ne%1ZITxLm>G7lG
zo&C^>^$8{C2QV_lcGow~clR^ryDNK{voY<Qht5m1)0ubnM<>=Nl$?!<Bxj$!`R)T<
z^WBxb%-Mu?&PV4(+NtB61JH@}2_<LtzmhZTNxpl;=zMo&FLO4foeR);fp!M+&R}$6
zeL~6kudn1B+d1ET!uou7Wv@!-LUf*|od(`H5S>_`P;$md^QU`Cy?pmY&iU@jUgm5@
z$8!-n&(Y3E-Z==JSf5aG23(NhdFiiw_uq>0?Rc59Iqh7G&a<>LiFXc0=dbeIrYM#@
zkGv;HP8QE)^YYy#uWekJvnB0>$3D!TXK1IHcN)<7i#=zn!;+Kv9*-5{$-MtpPIzj7
z^EB<u<()&&`LjLe=t9Z4t$M!uH%VeV<z5!gfP>`oXem0aw6lPBzJ<<Wdrm)C>523F
z^V9hr)w<-nD|?wUlXfmcr-gPF^3I{?{K=kk=R?W4_j11bp`d(sWiNAP)6V7SJViT;
zcxMPYuiA6QA9&&P&}#ENUY?TguIy#b9NL+O&Xcs$!aIkd^GAEmx;vzJo@$EY$c~pe
z=h4m;=sZC?i+N`#I<MGsuC6A<(|J(7M`&`syRw%#=hM!W=v48QS|z+Q44psNbGA#C
zoFlH}d#pa2@1g8v&V{rSmL)JR9jD`|>B{Aw!_j%!p0mA_hj@Tfx2k_d&PB8ns<Yr!
zaV4~tcZQ?$l0E0~l5+9XJqW4DnMXU{L#K*sqn&xD5uF$9IZtGib9&x8R*`e-A#$Ey
zh0ddNyX$!82y|Ys=bSXLoKruf!u~nwq?4wdqXs`p>te@7VXK+5bpY)Qv~fCIHsU(&
zyn#8{dCWg<XbjiVJ(>xba1BILZHt|8bbauD^%V?I5`=pryxlx?-u^y*K9yS>RJ?(~
zzk;Ije{ciCkW*yuUW2{+Te{a6Y<dl>sz+k)K5wsgA963>yPr3zXcYQiB%QFffLZM@
z?TqA|SpB|n&YrV<r*clO)r~81b_OT0%k@4wuhY&XTc@iLs}vXIZx`SWQ_Whp8;X_A
z{XdhjDnNsZFE2CO8iFH6VVj<{7pwS9<znR>zPzGX9ip8dpz{D7t6bjsHagG9oyXxz
ze)S)Z`c1vF?k{9K*P(Mi?JVG(k?1@vcb=~U&Q&3=sCQ~<=ZEMlqMe1jGYXwnx%1C$
z;LPd<wKrUmundK0_Xf0cJv#T%&LZ9!jZTZ)c|Ql7Q@!@7cQ&G(AE9$E?X>XD7<8VJ
zIiXq$&hc%e%BYHXHm02)qf^BfPZaacSahD0JDXGmr}3p&_3>;<J3m3EiZ87z;hk~l
zJRx_s?*Y#KRip};ig-4oog2`p;!89%-MCDDG&;YRJN?Yy>@3t!AJ124=cnjY@kJY2
z-Z=)H$K}p}uHbC@qf`-B5l?5@xe=Y;(BsINcaBBpF}X8hG&mcb=%YTKt!XEmpN1Sm
z#TRzycxOC1zmq#BtOsY+J<ZfR+tAL>(fKtU&p_Te4xLBk&Smq8wVqd3hO2iDr=5^3
zKs>k8P6O{8kIo}<XZ~GqUR-idy>r^1<n#RtbbduUBY9^6I=_`Wzexh;j!EyTcTT6B
zo6)(Ab|&%83Ftg5cOD7?=cdsX_0Acz6Y8wc?qAYQGw)19=OMZCF}%^_nRXA}nNiF`
zN-Jez1(H>C-T`MW>?E^~(u!F#BWw#gRm`8cw$7l4iRhHipHQtW(t0KY)<kFXe186X
z;bgv9;DfXZKZ-t6*jDtZ$vbU*T_TduC(k>f`dOg$9Qn~1^flytlFJM(_EB^thJA@H
z6%~;}TbFmlBy`CuOi)EMYdv4-6pSt>$;CXgAx^}aYa4o0>}(X-dR!xt(Iej}f*jYN
z?bNh?BXP}@NgKXGgNj`X3vWn4gM1grXKY`Cwqva>iK5|)yJQ@;qd~=vL@{qjMT2~Y
z$M*o7ZhU?7uf0V>&F7@yYc#0XZ7AUllhGjGz431eac~Wp=PVlXYSgCs1Ju!B{!y`$
zpn20Ke{+p6p+UYg6OcU0pl$cuca&&&swEBIph3khftE9va1Cz3w|QarQg^M2#xSC~
z+ng)r<bT=a=ZzMMhQ19*!%j4)*a2|n3=wG<2l>uV=U$l*hfc9hqM<)+*o_7iRr5gJ
zkd6lVu1@D$@Z~<QW$yk#G_-$}jKdx@sHlh=ID_eJX0SYZ@jNQm7Jt9P+9JQYXn37A
z>_vl$YIh`Wz#4)D-$u6S5AQfFV}@yWMMDSLun!F?=ItcT5RrjxA>X-rqh<oMMf?Z9
zi3WXJvMq|xa70CJz#FEZLB1>X#&P&!owgtU1QBM>3m@9B9}OyMp1GXCgmn@NzHx2a
z7VA2)w)lO7Xn4n+jKcvmsHkTaaE6Gf7zg>TR~JJ)h(qfUaQ+CNo3!B|8V=EIQOFrg
z(Ks%olYV96V%Fp#EDjBQM8nH|WE>8mK}D^yh&N!3#e#2Z+qA{(Q&uoE+fiRMtb3C*
z97cnRI;4d&82hm}Tr9n5Mcg^j9T(;dZpSY1&V%(nYm1L)!?$Qqk?R$61{2nBEciCK
zO&l`2&o*e=f71JuX!wLS96^JM`e6xgh{OJXZ+hDrg2TYDy331svV=AqMT3gkpeE4v
z*=_943}v^;l(oe;_<}-h%Zz(s9K!q6#@yDdf&Xi81rpAZk<CsWJ^zlzp;JvwFAba&
z{tgW)E;HBK8oZ4I&`|nDPnls)CR{SFNy!%TTVc-8;li8~2Uy=&4<2G2a11@4(&N<G
z*3-opjGodr9?N^+GJefhFV+FVoQo@jIaf91U7vu9SU(*{R{`zP*}8&^1JQ+fR@sgt
z8#jA0i@^0g^jTQvH5caG?k3C;HrVsQmV8Agg}+DNO4=7_>kBpxLLctj^1fp5oos_X
z7h%q$hQgd@(<*Xqp!?eibbdiQ4Yp2i(`e?jNGAu&=Hbj)Q_b4;qt8zg``eYwH4Cp~
zu6w}x+o#|m;&u`}d9)|e))Q<TjB&#~L8Z8LfBQw;vg+*=vKqCu7eAFw=p~TnFQ=Wb
z94_}Jl_uB-frPmN_XL%kGfa}Rvy+hZW~yMv%bXkOcv{f8jCPuN=MZ$_ew>o?1Y|O-
z9wKD*&KI(R9fd4qFLQoIJFVzkN;`9T=UeE+{Wv9O!vM({dS1vH8EDU|(s>%4OK4{S
z?;MIwtcxf)qcSDum_|ZY!VDox*~^@N)A5Aa75Zl`?JVS-A?U>YI3?#Fg5*qlOURnG
zTgX!OGN-0LIo{8rb205K;+=S+?E>z{DLE%zkesvH30c{>LYA_ZIUQ-|Idm?fofh61
zit)t#I3?$;KP2bMlS0-Se<4fR%bZnd=XrE4q@BgQGYp-$AE)Gua*>>yOhVSyVj)Y}
z%be9{C$tXq&jqxzgm>bJwhOo)r{w&}Q*!R;FJ$f6CS)mlnX?A%yok>Ev{Tcao9DwZ
zp12>U<m~gV<UDal$T~Ap$Wrz)XNLjgIJ$(+d9+i@JB{eXda{zUP$M~ieNV``QB}xN
z_A+NDaGK%wvyYwp_A)v@pq<XPPH*D~bYh*5IZJQ2UfI4neCxoIwbRh)WL@cb*}Bp%
zh<V(>L*%zm$$@^DPkVH>o-W3b=)rn2?}2aGc+wj(8F)T6w65$k%epf7uktPra1r?}
zEDpe>VqOfibp;tC&{aAwmXA{rxGtrktGRXMTcOsKVMR(lJ>B1aL|+yiH-oJ&*f<J(
zxWC57tr&a*;N%0#E37M{ms?kkc~+6ri*{Z`=N#G@$vd(Bb^-U-l$_sflbp$?tt->J
z*z>Y}m_R#!LT4uJOyZr97*E_^Q*yoq3AY%}*;?z$oGI3o%3kK2NIQ$sIh%Hxc_-Gd
zF5vzebCzEZvUQESR&)wkw-bdd;i8bGJl`<qBybYr`e$^i$tP`{T}*gB!6MZgZPqmf
zu&()}13DXC$=nciC3Dm9^6Q&qI)1;P>m53N1-7nWV>Gt&K~@h|YUjh^dK$(}{toNP
zwebIy+ndENm3ID$PBZN+<ef3-JYdh+6aHkeKYqBtx^lyPdtT<8Ogn!==S<pJ#5=Ke
zbz#3f=hv+y=QrNgm3!A(S1Nm%GmUosj?Njh)51HkzICC<p0k5da(<U=U3v0~b)~YG
zIWuS{WTWuhnNB;4dFN<s_kH%98{#GBr9$h<pWykU>}AgFwDTG|r_s(5-ihP;!d`n$
zEv!Vv{(0lJb>-tu)|JX$=G;L$ucLD+?bP((@<%*>bYYJ@XJYINXTH-oYkvK+)|JX$
z=G;j;Z=iDu?bPy4Jb!dyx8&sK^>u%XP9f{*Wg)vtkiGexIR}K0dG1YgX3$P&-Z>8Y
z=PrBBI{&_KW;gvy$Zi#C&&!;HXy>2kOsAbX-Z>tfJMB5spq|b8r;zQwT*&r%CfM;Z
zr-63<h0ZkE8OS>m(D{u$=g$o!XTVq?yW44dUgjJ^J8z-WL^}<<a{@Yd*mHJ!k#7pw
zgSA3-$P^)4*~^?mY3FTpPNtoayfYD<U)ytTfy_&6_qPWL*|9t9d6_eWcEYHHc|MhP
zCh^XR=-h74=}{s%CoT}OQ|}Ae%3kISrJeAnfis16nt5juI=`~#%ny^CbG(J@d25Ai
zWiNAv)6Rd;nM^x#dFLc_ZnNiXJVtWn))cbyl7(z#FLN4c=N)uTqMZf2GZ~#<+H=lb
zCpkYV6tX{SE@UfvnR6uVgeoJndlKy|<ee$#+-lGH1Xix%IQr_gkiBcTkge=x&IsBG
zCm_H%k#-jG&Qx@6vFDruGoI-Dwv&*3e1(v$>}AfkX(#MJf-{kJT6pJVbQaok{u&}V
ze>f{-|J+T;R`xPy6z#l^&Iz=$n0K1cx!ImG>P5aJWdE^2$o{LLkge=x&S={C0G$c6
zvxIl1q4NuS&a>}J@qA(savXNr^D<{F?R<#N@w8LZlgmHx4Ag~9_MCm7a)$jgr_LfF
zr@=!ZTiMH;xwP{UI>*sYE$__0cz$lrc^EQA(b?jAA;-m6u;XRUFC)nO^D#Q(X{R&q
zoPy5J>^a@vlAQWfA;<5kkfZEn&TX_4vRN4KV`-<3cTPp;MtjZ=7D~<@TZNpyErc9p
zFLQoHJD;F)4DAf$ozu|ysXb?-?<D72B|^?{qmZNQRq1?+&e62fz&od-bAvtSbe-fJ
zn=j-fItn?;Ugq3R$MYFF<7j6j@0@|oPwYAWeN%F#BnUa_=Y<?)FLOSnozKx3OFNTz
z=S*~dY|oiERdUX4B;+ibA>=4~ne#d691a^9Fpgqqr<r$}(fN@*=lNeG=i1#u&iZyj
zj<Q#!(*d2)v@@4?zJt#7_M9P*F^co&r@2DT7mtM;WiNATMp5(Ua7T1T(ar+iISZX1
z+H>v+mz?|jg`7j{gdAlrb2`w@D(H-)orSz}HageYbL#RW=P8qrbGBH>QTD2IRz>IA
zw6lnJW}@>0d(JP`OU|FR2|2&F5^|Ki%;`wSvl==_(M}8RoP*8+d(PI<x;W?WJ3`LA
zkwT8LmpQA@PN=THc#oi+#k?~Mo$uRozAx3m=4y1p+-mO$cDyQ`HPAVdc9!tYY;>-*
z=X|N-i*}#;@<n0pD?J1|UgoSy$Fn9nN6=195SM@EpmR-SIIGdlTIe*=PA%`8i_X>m
zC8rZQ!)d28@0^FuRg$y(zA)Q&J%3zmcWeI3-K_b|H(2e|m07!2r{h^0ox^FTj(5&S
z=X;WquP6T}{j&x*bKwcjK8oiNW(==`P8IWKpsh2=G?qCn(tQ;+`-DZXPq+<M3h>-)
zekJo{pDT0vpHSK_RN<?OJ{9w(f%nCuPr9c<=3CsTyf5iXC11m_Wc=!(PsMy0$@{P#
zZ;{>;l=*Vkl=Edxd|k=ci1yV-pNe@hiT7b0-Xh&gA@hy<y1Xy1zLKvo?bD)9#r$aI
zeOQ0DNcU05eBR5-`;L1l`P$PysN%!(P{q8M%lokIZjtVxkokODl=EeO_o<T4mG(76
zpNjdgfcIg&-6GvTA@fy>F7JCBqvU&?_PvBY74u*r@54H~MY?xF=DRHJuZZ(Y&TER}
zcWDwieqk1X_6?)w=_1~jg!7AZ--OKf!+Yi8H@B_g_+3W(UPfOi?X&PctgBn3_oQXM
zneb33ouB8L6~~7ugN$Ee^bMnZ#k?;W<0suOA@jY{tekJ&48`%0LHnAZFNF4$@II`g
zTcmp>WWN4TQ7(<&ylsllx2d$RDf))eKK6Rd#*J0rL5^?A1evgYZjtVjkoh`fl=q$M
zr!;<7%p%(tS^>t#TeMHh`><|qk?xU@`MLy_^UXi_j*>5*_BBV}5ZdR=`><Yak?xO>
z`A$KFyR>~5czmbidu;(3zgN&_pnW>thjns`bZ>;rXEm4eEp&fV$rnuf;3)*{JDBzb
z^1gH&ztVjXGT&rVdEY$6{^y!U#;+y%2GKqP@58#d1<#Awz85!ZD$7qzP=PCL-$gn5
zl;YPBd^s@U*hevcHVubUQV>5C^IxQ`uZs!m;TDDYZ`}hpXV)tU)~(=!b9RtFm-Dgp
zM<;MW^W#U+l{oxWbg9YvY+c@_so1UxdEchvW^Ma7mKUMRNpdld2kmi2kD5G>_h6k{
zDbEu<;rjBPLj##-)mkz>t<j?<uj4(_F+K`;o#=VmzMN;Va~Sh{4xUtKFZNMvujt_}
z=uuI(F0l2uny_wdk#4vx8;9_-4cZn*lTV57UTy+IKKyw0Q8Z)?Z-a(FdaM=N8iI`r
zSWGUwTN!KCBkM_LTXeojJBxVdLUiU!&axVSAKb-L<Iiu`V%xc>sR10Lov)#@8|}34
z&PC{4DR&0{1<vzZpt=BagDU4q+Sv}BU1?`A?_7+|6>?`-5jc;3+(W(7LOWq(!Cc#g
zc9!tYTy*BionxMXbJq%31*nbZY1-+E&NpbMrngN_7i?UD&gF7vdKYkRoO4aR^9=2L
z9i5$Nr<QjvMdvcPbNa{N{Kz~@z4IJ6iMg=@I#twIoNb-1CfqBt;5#ZdIl$tt|Ax6y
z_rpnXZah!Nsv{cw=~(G(4Z+4`7^|gHto|qUygD1mSam|Disx*gt<%+HW=@NAvv;}Y
zh;Y!LedS((j~J`^U?83&ZfNkOV`Z>41RIxQtd>+ptd_zgNjTln=|ejsd1oFvb0ufl
zb0lX9^#AuJf1|$tFQc6v==7$YNxX9fIu}dM|4H9F_B$C*9Xh>er<r%IMCT&OSr*T=
zE)dVmNHM2U^}IVyJ3Y~<r=7XHGasD`<<1TF!8v7Eg!*<5yhFwlGFy1wdD6}T-uW&%
z7s#D^*Mc+l&Ex8wy9Lteg-#vqEaaW<p>w|6dGZQ4Lp;P9xT<#F3r;9$RkYXPjZQz>
zS!C-BGOj{r=^S3xKYwaoq^%LOY6`})xxKuRtpSR_N311bhK2T4lP}u(x)@iZuQdNI
z^F8iVpsnHBz8HNCc^`9~0hbx##y*Pcg2dsz=;}qst=QJ(ZCrz{(!J|a7rd`w*4B9G
z@9)v&B)OQU%3bmq=Z78@HI))ukE?MldP>irm3f+PFlcMkybU9c8Qy<H_IZCabfjaV
z>BHrC@1r40>hooD@`2mM+WL>{9udc;pkn{|^kXts0q9gwKhfGcU5y3kEInUV7OU5$
z8MM`({u(dF>Q(nTRQ}c(4Fl;|IrD}O&`^4ItjzF6TQFQZaX~c9?o1lqKtnKX(D8<K
zXed1wR%RGc0EQ!*rizC1L8PGz8V1mYK;G~n8cNT6l^Wii`NW{D_TfBOXR&_UY+xNK
z=jn=ucC^7@YX~;3N5ebvetY5o^xG20r|SFdzqGR(I$xumk-YOGbeiSPGo8SB^C={S
zY^|qed_4gtu{L=VoqcI%lC9I#_%S+5&vTWw>3air7_?Q-?HMYzX_E}n5Qv68w86|9
zK0!n2S*<cdOe7fgeX?IPyfKS3bVoyP+K|f|HlU&O99EfO_7yO^pB*O}b}l3hFbd%L
zsp2_Rz#BeAgZw%5-n($;X4Scq&WMIRv;nHNU<jh)P{<oLqM`KsR9PJEEdqmE<JUyP
z`ekGsg3!>DHWcxO&(KhMHmcOHD(bvJTV?;ozM{c*Icb0j48)-aZLsi$&(TnN?y1bM
z0q&BkG9?yPmu#+k{e5z-gQq_jTGEDMTSKsM6B^RxbI4T<%ppJBftsq?ImD@ebiz*u
zXA9a{!aKh}XPVq8Yyju6AK{6k))@*;Vy=VM2d9d<s|J2&xxGqP<7RZ0o@pv=)74Yq
zZePbwmRu6sG`NT~^h1M+99hd73eh0XkykIN4u+-EptrDowfHD$=#K^!^-^cvumuhB
z`t#~7v%oNE#Gj&}+d0xO01YZ?p*r5M6%F#*^6DcUz%ZhBxM(<gfiwi8K}DT2kT-mZ
z26^3hO&f26*5UchjiTYxUr571G^nUy8hFDtG{|ehYtCH-!$AM7q9N@sa{LZL!^`ye
zjkGlc8^1zBl6?F=n+D@|-{}<f<M-Ar(m5ENjc8{Q@7#{gi83eLBM8n<cmJ&3d7E|`
z(D@SWH1p1{(U~ZBwt5K8wOgC2cm54dVm=&#P8D^|TwABBaR)j}>zt+Y;aUe6gAT3h
zE*1OUQ2)AAJ`Y(U%*k3hR)w~PVB<GvNRY?s%~Xihj3v9($7&(%3_)jo+F8UqccOE=
z+}Yh7oYQivs&_7?ox{*sk9Jyk=Pq=PlRJYQ!8vITtU%R1i?7hmP;}O%oyEL!H#+0x
z&XIxOjGA0mz4PBWWd969XC2yE!aMh%bFAE%Faw-JVt-Qad`3Hmqq8>c)IbJOF1HCb
z?nUPqxpUfXaCQ&bqTczOcEZyc#=8^k)bh@K=o~F~X6J&_x8HU3&P7>dyBpD2i*`Em
z&LVWi$(?K9`vvPedqdAxJC1T`=LmGxq@6n6xgVXea_81!aMo^hP`xudn~dj3bk?Aq
zfxPnoI%DL{J@Ea4^))X&R_~lgJ0s9popu^{=RtHv%bf>X6>IA~uD3$Hv)>sqo}<uN
zjdn)z&O_*ok~`0g1n13XW7Io?Y3JMMtV%nRc;{hsM#`Nxs)F<E^>gZ-sb|S}MxwI{
z?KJbwZ_)X-+$mfH=dr7`)jKEC&M0&`(#~Aoc?6xK<jzO%J&5%VUHnA7(?mO?(dj@t
z3wY;IbVkUWaQ75Acb?p=-Z_VM#-LL}I}3T|cjz1`ceV-z=lfsoQ17gNj_jYY%-Q-m
z?JVM*$Iv-K?(~AQL-ppaZKvL;rJYdi1m`o_Y2ls6(P@-ByPXE-%w_NdQTyC%Ks!gH
z^C|5t=AGZ8GhFTrfwL3!;-?=|?>s^~VK#<%KB1i@yz>M)hs&MezkxF*9U`DMo-10{
zqt<a_(fKd!)IjygCjUH%&M>(%b_Y1aC#+WQe3y2{qw_KC)bh?#=nR!RQ{n7Hy}l6>
z)jQYF&T;5`L_3{%rv;tE<j#3;cA}nFpDXH}@6*ol=zK^!b-dGx&JejXFBzP!U0+h~
z{LY2!p9$!EKsy6@=V^2fl{-Ic4$g+{-%;=UxDDx?fX@50)4)5=pz|%cbJuWiIyQky
zi`w!23GGZo=RMjP$ve-YbBNq|d_}Rg?wuO2Po&m4zbzS07?m)8-ld&Myz?A74RYtt
z-N1R}AE<GubuOTtN$3=4r<r%2N9SO<^RI^BwEpp(dZ$A>GM<yrd53o9^3DtB93*qX
z9a-SqZS_^}tV%nR(fJSUEa06N(K%4=Z151ApY5-u-dTforl7Ngb{6u^OXv)iJ6(Li
zxvKC7_0HdDCzO(59Q{o@i+JZ{bPkX^{jP#DYZcVZ)Q+P+Xy;^f-lm-v-uVMM`^%ku
zTYz)&{8!XF<CDm7WJ2dH+F8syub{J^+&SC`&bZQh2UVQEN}!!-==_UzmhjFW(b-q-
zOoV!J-NA8Cxl-HiU(wEVbpA;@HL&w&lYd@CXCJvU{X95(8JDPceoZ?w(0P+~YI)~R
z=<F?bE}8*OkD%x3od=W2{y7DmH)y9b?<_`VFS&DlJ8(AhfDA`%yMLTQI;W!ZI_=c)
z&Y#g4BzJ!C7@YOmu2=8;gmz9t=QY|H$UA>QXHU8F(7Ix6ok#T>sCRClozv0z2kkWQ
z&R@~lL+(5a_2fD?p8cZUnUh+NItx7mohs(fNLy!+@i%lT%%8uvD$>@uxbrh~Hn(@a
zj-9cX3%(pph40nQM4y_x)7IC;_&fUKc_-YBRiLeNbj9E3YsmYUYaY1F;9?&;XQAOA
z!E;>2I^AsR@;3f~F8Mkg?!q!_>+D#z8C_12i+RRRu1D=b!|Dn4gH+Vpb8S7Y#%t)2
z*W2OFD}%Pqy6>R^$qWg!VHO%x)Y1!h!*w*sYw2@Sox#vA<ww!bXBQcV*=SHvCokj;
zH_#xjlh2)T7YyCv8;OQ{2S`IE8dTK4i+ICLG{|e<b2H(5RGokr=o_ppRv#t}bI_oo
zzHQ+Rf1*KN-=4Q&r$Jl$<v_@|m|;`(`c$9HMuUo)a4~QA3k~wx^}HPq!BAD#Pc)cb
zCJivXz&KS=?=9gCx6mN3OV2y_y+P~r_%)cBSRB%5!(23|sO4(lBvrYb%GG!q4f2}v
z{1LHWh+YJ<H#6LBOvYgz8dTJ2wY=ePG|218^KUIRXlq%X{H)RZ3x;Lz{Dj2~eiY}-
z=;8CxprQur%o|G3Ag>iKsL~k>JFg8E4Q*c~4GYkqV&2yAhJVl?uLCb=`U@D=Tla{D
z-(5+=LNutTod)uTJ7|zUI~IKFV$jxn@LC7a5bHr27NJ2!UDUuE1T@I&w~L(D!MihS
zzIS{P2OVixj0P1o&q&^I7Y*{-?4lFU7S;cL6{<k2Pew$LhFmnLsAneehI?p`*IgI=
zIu8t&Yr!*%8Ro+dGchh;Wdw7Sidv<aH{3^qyr#N1QVWKNg=a)V-gwdgRX8xHs6*!R
zh6iYn*Gm^qhW8h$_e~EJ4Ub?2OvGV18dTKo3VFjrG{|eAxi0X$sP^9RO`@R?vNpny
zhXxgOxgy^12o3Ulb4i~NIJa-w06&=Zhi_meCJZakprYnx;SG<`Ag^IA)xrEwWnmGF
zdS*Bbd(?zsB^p%J(~5b+zi5!xCznRTdmL3F*f~9BsPP$T$VY>UT3HEic!CCb?Q!X(
z=3oe(c|kPPEF=x@qCrI+Of!&sc0Wafyso(PfC0`||LcB7G-Pcf4ey~r#Tre^8=j#-
zUNc;J0mg;n@694bL-7I9unG+->Q~OZ;W--Q^}waK;JrCVOO+F%;j3>+!)i3Bs7>iO
z!w3x;<ZIPsbNs>JpYXkCI06=8T&zKZin>!EZ*V|^ypFfL{dzd-yW+TmXh=Ut8rGsg
zMNP@T8ywLfuhA`Enhb`Hk?<$8v03w<s#F{{py4OFzER8>BBn9J4e6dD{WV98A)~R^
z)BG-mdIqijLGYKN!Kqqx$^bJ6JhQIQ2JIl*u{oj&#-X$ZXnXFuX07TQMZ>{eq+v4}
zF46{P&R}|n87voAoyYc05_Zpq>*Qr$iH6N>YEW^2Sq$QEfi~zk!-%RF2YHPV`-8US
zkk3WK=kT7_WQ_(tin)Ev@PlYLNE?c54X<y%$PDAPEDnpmZ~pG@Z)gmIm)<M+Xj5-^
z2c)WI*Aw``PoPtdZ&8mxgttP3iZA;x47KSHuSd3Fi2a|xKx~EDkzwW4&B@K(zcB*B
z@$?u#XsUa?J^HQ#R)x&$*A1>fsitIPvr|XUzoT*Jg!eHfhC|Nv+{1YT9f?55PRp(K
zyqkAm2)7O|dc^D3Uey?$-3)@cS)(yKJ}$|F9L=$6wQUYns?>CFsOrc(jv7azcZ8ou
z&lcK~Wb1Kl-Vr@Moadl*=1Y4aC{?e+lbjiT2g4UId$EsFOdM8+!}IpJ$EzmVV74(h
zL^tom3>_aU8k$zEI^k=LrcbXBXOGeG32`Z@$#GE=;uFWD#3h^JW8yr-zw4ok)kg<-
z#s;`W#rb%;dHY01y9LDhM!EUNMEl0*0%D`11N=Rb;^SiCQpQH5jCJlC5@PW1boZ?5
z)N^8DVq8pW{KUl0&I97&lH9r{#GB&kI(3hUiAzfD?A*blgY*lxUWqXiW8sH)b{;b&
zKB<#)Y~1LCs8smP!+_(~eN0>;{0|1k$0SconK(MtEhvutQOOx@gOgI@C&W*QVn4;h
zQ|GR$>ojnvThGwW&Vw?#_wx@Q+bg(NeA4(a12f#ceBJf#p6>8_+&u%}FTLOwqB0f!
zbhqHR#4)L3J3GUl(05`A{Iu8v_t+Od#(hGP`vmESyT?qNP}ixh6KlPMo@5WYfjwv~
z-FgM1Y<je7b2sckUbd~*>#22SlhK9-RULk9EB2uNLrB9dG`vR}ig|-O8uXmu85qVu
zFLwB~jc8citA@rE)~@WM)QcS(8zF0c?$N3fZ7_^09|wmk5!0FB`fD!?w$Hq#`UjgE
zR@95JYkPR=qrCM#{(3i0Z(n~mZ*OmZw}9x;ac-W`K0Z+a(LTO0{xNSFJiB`O1o(OS
z>-Ap#?F{;^-a36dgI8DhFYm71gZg*{m=bynPw^d{>gPY!HzajJ_>hDlV-4{cp-H_b
z87IVgrNyWBHUzw;AMFz!WlT&MoF1Q);paPKKw?x_-zh`lhowh*#br!@e?ER#)VO}*
zhxvpI>d|w|YhJPNpZ|2+ycLx=Ca$w{bVh1iN>{y~-d7*s=j*2T^Ye$l_Nvrz<5M<n
zbnusc_)A|L-^wFL@1B}4*<H=}@r@_@4dyAWT<Lxj$@Lr4EY@#MxxDB%ws&zgb)8%b
zYHs#tzyDAA4R#lAH@&}?r>Bn(Oox>?-^%(8%(w29({GOD*3h(vxrTid=bM*}U*LSx
zj_x<Pw*BUZ5!G0~Iam5#Vd>p6EU#;-ZE3tl_nTNhe_wAu-vBo+uNYr9Z{Ikbn}2Ma
zk6VnlF3xlG=m4LX=;*Tf#?wE*kDqVC{3a*(q$T(3mD+uhU#|%n2@}Up)}>}d4VoC`
zXX-w-XYbG{F-bAwjFa^}bUhOL#SIS`r%z59t~dA%4H_FWCO)L!=&&I}O&KPbZpLQl
z2F0WY`1P66w|gbbHoiVOPftHjy_>JE&R3`R_p8)i<6Sn}=yA4Ty(XZ7*~ZgT^>p(+
zbeoEos773pysBbJQee|<G_DadShu-x(e^Rrvn9XFlcsEGw)U?0sB~CL8gNPSs){8^
zA#a$825DLJ;!z2Pu4CaU68!@`EJ;|}^74Apu!RkuSI^VKr-(P0(QsZChi<RIE8+SF
zlifr^TiUP{4d-Zsg*V{x@Wwg0VJno`^$)I(6%8joC*uGMYKX&G+EC0JW?>wpuXZVG
zi#P8;d0D^x)6Sxy$tKbOMJ_O$p$#RxVKy4h$l?(AFRaWwHx)b-4b5o-EU3Y7nl@;l
zTwZQr<{FWShSM@b_uyPGj5NF?8h+kO#$h`eth7PP8|I+FDl_z$T4d1b+*}|PVB_L9
z+5k%?h=YYTIP-=qG+1PYp08^RT928NXNU%uePkSVpy3p4(D8<BG@Ozf&IcN_?x&C5
z6b%~>lZKsWI6)f>ydeh-CuN49kVaq#8L(V5#1xZ;-Do&Y8<IGK3CD#+njc=Ih8_V|
za%+ue<)dlgqT&1v(y$i|-_eF#-hktR|LP|&ENQr(8B$nk1ATJy9n!E54M%B10cRLd
zowdaU?pT+8hLAVpQ-fC9GIzgd*h(9U&~St{6mkX=j!la+N0qh3l8xa8ZTlauu)+w$
zq2H4l8Z-PQ`zWP+nnWXLVQlWC4MnyF?-4aH4!*2U_I-IsiJ0=SI6Rqe*1{cLuq=k-
zf=<E;hkL?`8gDbt0Py4hg?$t~CgTD0s3;y;Y&~5@)I^V)lBWPXv!|h_p|GOK8ev7t
z8s%Mszy<rV6<pzI#B$@SDvE5ywyvNNwb0d8$yEfd_N~y>Tv*Zm2VsR<FD2h#@WI{`
zeiY-DWjus&d!KH{5?f#J2q*NtqU0+E-^QNka}iefHxpKLon4W0Htjr&P8FpcO@hrc
zF?d96bT+r=Y&lbM_6-wO4BT(e%lhFQ+6kLOFfP{6@znCpI_PX>&zTEP0X#;#BI3EQ
zA|_r~q3mVOY}$DQovUf5Gw-a6&ZhR9wIU_w*fYY4luraZUgn%fJCCAs746jV&U)x<
zV$V4VA|S?d_V2=qxr2oj%3kK2PdmRur;4&)An&Y?&c^nfm)#}j@;1VXcNYpPl)cQ^
z^eH*skD>EjI-UmJsYU0@_M8L9NzV0A!vA6KKA@t!x`pu%iVa1_-j!If;eay~MMYy5
zb?k*A7VM6wh$V?3CQ)NWqhc3(SFB@quopyZ*cE$=ieioJ+h-q;dCr+}Klk3ecm4nQ
zzIE^1^}cr{@t1w}>E}6T*6Nd~vut~r^GDiw5}mVYXNc&`i_QY}oJaDcJ2x6qXKh`S
zI?J|~IgirLcyvb7&M?uL51sk#Ia{WtJNFMwoptDX>MYw{<~&Y2PoZ-b?Ti$i`O%rr
zp7SDX+wgjHdQ<AG3&m4s+4eH$N!po!&Y83`N^}-LXI^{Gkgx6M&F87J?sZO`W!uY~
zr)cMCbk3liF`}~|I&m9O9RIL>^W5w7c)pHKo%O*Xb(U=}bDpN1iRk>3cE*a%Lg>t6
zFP@Fv)11*+E~G~1teZN^wwF2gWywyBL(ZUcI_<QG&cf)-ZO^$2{(8*M=tB8Zql^EP
zYRAi*`LmMFv*?^gI}=4`5p+7+bCx-u?yRyqHQK#=svR$L7Nni$&>2NLlSOAybmp?>
zoR!{wM%Q|u8eOkPYP4-HbC#!_@NW&{rKz+tMRXQJXHI+09L>|?>F<>q-Fk7V9WQfM
zpq&@cIfZs=1`6ZP;^=g;=Nt?xZ#+M{-As+{-841YwpXPSH_=N^rkz^RSpuCo>^bi~
zO?M6{nHoKOTxzs!FLPF;<H<MLC(%w9(OD9m+3h(yRZ4e`2}q3|cQ`fLwwF0wY3C&@
z_ldMqCpt@^Gn+l91tyNX+-GM_jb1P?HQKh9Ior|B%jldyJN-mwX>?|_=d2Tx?p$&)
zHF{OO)M(pY=4?+pub}e}+G!M>F6hi+&w2Qdbm!XC)adO;Q=@HrnX?1!yo%28v@=9>
zeuqv+d(PI^)17<VQ={YNrAFKKs&rmM=Q!FKCOXTYGqXMCBgb@S{Gin6GnZ4NZF`xs
zBg8XOqxsf)5&T<2JFjB?9;tNdBgQhP`0OcLyW4mWo_D-7d_Fpzu1(uk?b@_m(ah5c
zJj8m@4fLoPXDU6u5xB0KxR=E(<2W4mz%!VaoEo7g-?eEcE?k>_yt(Ki)?;p>>o>YQ
zW0WrcfU;Pgne3Hkzu(f!^LF9X=m)=~M%yk|7QfDP{F2eBW?ZRs`bLb$^4w!Dep{AX
z#qZD3PpsqToQEveTj)|Vjuc&gpli21*ET*6=jA%1R5xpvmUi7nmzr^-=$e48UG`j^
z%UQ*1#;E?*E@KfgUU$%?W}GOxCZcPnJy)0YR<4;NZdtq9(yqJcQZp_TU6atY!=6je
z*L`?7&RlrZ+SQ(R-9wj}aiB>t4)l$fj4rc1*XJeH@j9=_dtE8A9Pgt`&A3l=O+nXo
zdoE2?E7z=ZioExrT@TQuW}GLwrlM<`J=e1DtX$F66?s3&g^brjbg3EFiLNMgZMElO
zPc*`~j^|hO+r8HLRqi{|^$1;R#&M!+8oIXFb-@mamFu{*>uPzj|9*@v744T%>C#6`
zN0*KEYgaV%-=~W5buQ??p}&lNdz|$@;T5t|XGfl(N5%Seh|=R4@h5r?OL2lf+o=66
zY6gt>nITIZaxLH~8q^#XRvP>R$}z)52WGIf26Ptw?fBf_W&70G**>L4+wQZOvtC`&
z`3#-I=rKi<=q!&;jXkF>eeWciIoI_4mUCfq()k>n;j}YGbXH)_q%ZcIcfZcDne&a|
zTh7=Pr1J$jhtN)o=&Xp&&-R>!-dL6UoP#gE<*d<`biPFAVA`1|I$hEE$)5A%*Eu%C
zb8eo!-*T?_gLJ+^=OEgdB04Lf^P}X1ePg&P`n@H@DxQS%HSL6zS(w9^Xs2e7qVM+)
zsEp1Jva@71aNb>WO1;xKiHs*?5jY3ZPOa#yf=>L1LD4S3{xUev&t0V6*@kw$Mdtw8
z=^{F-qVv5R&)UC&^WcOb>Ya0G=R0)vr=2>{Sq+`<WM_*waBdmZK)rK5?R<~Uezen1
zbh@GQt?ca47n}=vTDPA>Jz7XR|3+tD+G!M>)zSGzb`D($&dKe5Qy<SowDSWx`_Rr1
z(Wyh{YuWinD{zje13k#s{+)>DJ=*yZoxN#inCNsz=PTJcXEHc@yB$*R)J-ParBCSW
zMLQ!!rw2MyW#{UX;OtmxmU^c<?fi_+P}&(KI%}ZwrR?0g2%P@;{|oKB3g;Je_N1LL
zqEnB~7qauvb#VG-{x7ui=g4>lz<?V1qaL&~R&*NBnIbzc6bEP3)G+nsevx)MptC#e
zw1`embUv4z_d0{K#GU%;okgcm^(Y_{I=j)%MA7Mm&S$dog9A9To{ClP+(<h!qcend
zCW}sQbUu}wu+I!v8^75*M!j=0?Q}$ESK65(I(^Xjm+aK824~6+enziMDw`h>?Yw3o
zS?*cT8B9AhP%qZ3f$(eaQ(ympn&^BYJB$AW&U@?ItB<Dx?aYeKAlj)Fowd;USa!OX
z2WMh5U&BxpPZiE==nSNtE~3*HosVQ^y&mA)KW?V_cs8fwnH`-0v{NTKYoqg_>}<Ul
zoEwMtR`2wuojK6ig?9Rh&N}FPAUk_E1?SvuU(ZI+^{55ybV6rm+G!M>b<ufWb`Bp0
z&OchOR3A?j&YbA%L_0%7ryn}+$<A?y!8x+tNcGN^bUbsRvm@;c6P@+Yc~^EW7zoZD
zRUW8!wxXTR=<Gl{BSmL@bl#DjtLlNX^LHiHJB_q6H#*zX&M49OJvwj8&h1CR*(~3R
z|C%!jdJy)rd3JnsKpu3eXg_0=&ISPu&}pOnjGJfC=B_&lR-0jdRLow#$<{riA&%pL
z#(p+^5dm8CsTp@FeZBz=(I<~PVIMq3o4b0MM(E2Y`j~4rxFUhXel}gEfV}8ZF;BNB
zUHX7V=#uB@u%8>L&0X~RWOO;DyO`(u#nf7QKtA-SSRYPQdRzk<GtWhN&l$!#aQ)?r
zBxtvpp&@O^j|LTMzsaJZ2^!?J^tmhBgP}{^bKH>Y92ti~Xi%|UsvWEtU%3V}MT5Lf
zKKD`{FjUIZj2m*(hQeqFqwBtlXlRDHA+LeYP5llGxnH&6hVbiT9EzYp#d@qxG&Dzp
zyuLl}>T|dTw0y3C-0<cRX();Y6>F`2qQM^x^4j%$hYN81<(K>GxS`&2(ohTyD%Mer
zqM-#E<aO!!eYSvMcBFwD%B7Ho;%HE@Mj9d-TB1Q-b6$|MG+e>?=0-nms8lKkvDX#=
zy&KHmRkT-;qM;QU<n`nQ9iD(;&2(tzS^Hq9LK<Ku1qKyshEbxyhz5DBc)_{BV5n9I
zPK+=^H#gD%JI-KGv3_L{4Xx22uLCcvyA!S=jav&dP-YlzAPr^Epki$*Q8ctcgWPv4
z3|$0<dA~Q{27MjUP!<g;)}4|?Lt8Y+>$eNze*%NP)G2P*TaPr9LxYOGJw-IMLxa3F
zyU6qit^u9?QzmYB-G?+(LxYO>PUH}wzi5vJdEIr<u5Dmw<UWQQYDSO-cQmLN(^^DB
z2Q<iQs*9cs0z*L!>?W|B3>rlmYM`MV-Df3>hK^{E*Gpr3m&0|ahhkw=zzoKpNP`y|
zjI_aJs8AN2&>*jc#;ke@hE5IOpUe!ee<lq+XlO|r{6s@%G|1!4n1pj+@F+E$8~TkS
z4Rz7bgf_&8hAwE3*Dzx)uLMKI{2RF8#U#?;hla+qAyza5pg~@rTx{56)H<Ft!-_X6
zi*u7nLp?M!q74?&5QqkO?Q!wZn_%#%(1RN;(1!YGXh<6pMMDr8<aNcxmr8=6QlYf*
z!>&za92%mbK5bxw0IM}a*MML&$ZLj+pB@H7e$7%Ihi;om1I(77->gR)w4$La8szoB
zC1s(l&V2pER&K~=Aq|bu;71!=L_-J~<hkmSc1yvqZf+HBsDGR^G(kgM+Mp8+-OwPf
z<1JZ!84LkUA;PR)>^(smnxdf&ZSWHf-O(Vg(Jl2@09Vr{?1fbeW|)44G{9^K@}V|u
zFp7pAXpq<6me#)thJEXjx#9d3($E|YzO*4kH1tG+ytcM<;XN>PZ|%Vi^KX!b7HFtR
z8zMzRC>rE-vt{*K!}Yk9jlH>H;78KX3Ju=0Ax1RxLW8^}wrogFFiahNgBwh=!H5Pg
z+7K%mdZR&J?^-r}92iW&zjDJ5*_|}-x8l#{noReA)@bmg4HnVR2MxERHMeE6;Mzuq
ze(W;FOi(Wp4Ad39fu)(Dl#25PmY<bvb<iKo@aPmXz&8mQ_aEUsFCK3jz2Js^O-O?a
z8dRJmNE8eaGngUqP?{m*ZV^0J={jt3DmT1uP8x8YRZ7J?D_JlE^u@ABwp|w5lFeUn
zgU7V2nn=h8_OqD}roi$T2NmOLE&M~Q`c1uQ4KtX}GsCH!mz*Ay(-;dZU>CW=p9h!Y
zmStsObvZ7}jft~KPet^o7-Q=Mk2w$X3~H6;sr;b4#(3gXW$25z=b)SHsdbAiBUkjO
z*faH0dR$FwF+Mki_+0Y4+8WwVN5^Byyo~zY&Z;Q|b20X_RYsX|1y*8)5?kpyYg8B<
z&YIRS!*;z*16<a7+?T#~P|aPv8P^W#be=xqwS%DpI{36}XdK>dV7s>7gIW$M@6o+}
z4bNsR4Enyk8}uL5c1Vj>t>H$&=3!lWcsKvPLEB+{Tl8tzMejWzw3mPTp<UW}bm$x&
z(X2rm`1=O5Z{gFZPw$5HM|r{D(XM`*#>4-C%LjGU{@F_^g-d}w*`>hWycXC;)op{U
z2K9$*35P^sKU>+N=^j`aGgif}bciBbG_GbX)}Ssz4QhHR=dElkW9yyd89RW^*eaN@
zo9T=VQy3i1n)5Qlz>PKykg@fkeV{H_{eKzzKfT79C-Ao}vR0q5BfP1*#sZ;bhVg)k
zed-uRwrE^U>#>c!u590a8I#_|9`)oIo3|cmsE!5|d(g3h!JH3kO($i>R!O~-^Y)KW
zYckha&kd_+gANTU_LnV!!L$M6a7~UwTXtK1=EDcL;dqstRO^9b^-^la>SGk+0atT=
zj6+A8aVVhC)Q9~D)`AtOMjBdT9DL~3BT6usHewvE+KdAjj>l;<nZd9yDid+Fc;HB8
zD4}A_GvznyI5=Dj=*J8fsxSjPTdsJ@qDb}}1?JN&*uVO!Uw1EW4}+Hv+?($0?WM2b
z`M+@0uRC184=)GUzFA!5UB4`ETyIj>;s;J(c~kNeox7T`)_J3G4d~DECh3MUZz>%-
zvoLQT*uTl~%FJ_j;9sO+5*k!IspldZ2A~1k(~R5&!y>=g%y1a~dKL#0ZJ3OPzv(#W
zM8iNdU|Xg%1gwF*lV@wDa)ZY+G7eMF@SZmKi3SrIupLnvJ{JN*^Xx~s;ZudoRC@|1
z<RBkj(uP>kFbEA-q<n~}3(xXob2^rr8{YYnhS_L%P8*U%Ll_z^%Z7gN{At#k^B-};
z-?U*48lKUH6wxpk4VPrYJh%fp>xKa#-0-C~83$;2p)8)z2A6R{-5i33i;`jS))?3`
znAtXk8#31+4GYllm^SD{!%#FN$%fZZH?y?M54$p~Zf0ph8Wy7A5pD1j4dH0GAQ_ev
z9}Nb#rz5x_8yH}Sf<K$H6jR_LG+d(%Mx{X?FboaHY#AcKaKM?L4LY-=LYp&7s_bDg
zX%v>3I71b<9z92BkIQ&PZuka7pl81=PYie_RpV!<&Ma}SaArxpp4KkU!K5n|T`Hb&
zGK#L@=-Ow`6##oN>^o`h8dA#IwS6M#+J>%ubi86j*9dg&wdX2*&)T(qowdth66xB3
zuHCdNQFM(&*B*PW?@U&%rR&OAyXMobo#@&{yOKrMD0J<%=gJyr?K-Nrb}gV?yU?|h
zcBP1}AJDbSo-28nwd-jyYuA(+WI66e*ACjH`9r9WKcWlo>rnLF&_=QPI5OJGwXE$s
zYgfnZWV;132<Ssplw*j}r4RTCT^2cBRrWx;RciDpbU9&t1Q%<!3}&(|hnXFC4%2Z8
zQ+iwjMx*DX<bgjM_IF;J4ZJOn+eI1<qTvv2h!hP!qv3>X2oDFtg;|%mVcb>Ha2O2-
z6owoc4Lk<-<K(cwuDvt4jp98~jA)2N!*R*5yp0L=HQw&r!wrvalLi<SLRrKq3=Xyo
zv7+G@G{}A0@{X6l@N#QMZg};PG#o{Pg*I43!x%IimE$ll5)9WCLWEgP9{5BWj-g>c
zZAcUizoOxYY}haY4D*81#=IjkQO{up9!G<U{wY~B{Dua+H$%~WEdRR!7+U3nSp|#3
zvofUN1RD0zaYzvjzoP;7m=uN;dHw=J&5wU`!|Af50oH6GC-*1}Ic(*m24=2S`#Y`y
zW6^L>DvK4pCK<JwJ1aJE!|<x4As!7X`edzW7>9-fvf=tFFbvS;;)e6zlZFH|sOaZ(
zqG3E5;$%ZAJR7X(P;69MJ~Sl_r_rG7(`=T7pJ@044RYVHGIw_{)cOMJU@Rw-nvsS?
zG?*3nV6%-fiiQbjkjJ?z>y`k6Q^I?02qvGZ4LpYi75iC{qG2K$<T35a24lgH<@gM4
z*f1fhrgA0?{%p-ZG8GBD!wkh$%tyl}TGtDQ8$lR{hlN-^NPE!mbYN6YdVTL-{&XO`
z<fYf^4Dgy4{3joHw9E(I+WJpE0>|Fqgk?m#OML1c4`emy(M)oG?Jj2TQo063Dl!LF
z_$FcY$}=C#-t0NzqImX3EF}#vM}k&;32lfH3_)0f9^t4jBYVAi&u(z}EPKUj|Bu{I
zK9)2*Ktl{|h!qVOhetT-Qy3a<hStpE?foZdEy+&O@DL4)XoE#GOlD>A2uFPiL!(>M
znZXS6B9;$bX~QElETj#IqG1XeaMY(TG|qLK87B4PhNTC{I6Owf0@{!)8m6KFM|}!I
z6W@GbI2zQK8<x=qC^g8*`LrQLG(@2RM}0~|Z<Y`9JQ{Mt?2}|1{zAh%+Mt<a-KxV&
zd(+U6ep_1F$s(v1P4~da)4kD+v>tZodD8F{4RdLORy0gUL;A_03`4UgFxt@-j)f&P
zmXpJ1!!tC@p$#sg;ZHQ+s83NA%?rV-u=-!W2XI63B{B}r(J-4f=tKjauzG}}K83-*
z6O1(6);1i@4Hxf_h8Jj<MH`HQApqNlBzZMx<)9>3eZMiQKR4XIM;cPmFoQOPiH0ex
zERy7vpH)qIfg#JjE!<F}I=Q?31`R51HH;Ar*gho5t30blPk`0;)8o@-g>QAF;Vl|e
z+`t+u8nAsxl2>$A7l)ZhR*%2B@;FSaMH=3rVJck~7SVw1L(&du7O?sp+W{D5$jlAr
zBS^y+G^n_7TQ^zRMg?H|kYtt(?_u<trCpxyxuM?}$`Ax2erT)5(s3|~25cXawo8UJ
zD~`ZPgO%Mkazm$yqyZuZ1{F6zhlvJkACmCKRK@IgZBLk?XMVICT0hoKHrYcOvY=rM
z9fv5<Fca(MRw)i^`)&ZkUAD@^4A~BlhOB7#g*L>9hFNI9n^2W;m{1uE2P56MVdHVq
zkPQuyv>{eBM5AG|9EU|Pp3J<V-#l&@dx|t<N5jvw!6F)FqhXV5c(M=--AfnehFPac
zLk={IrVWXrVGbH%CBr(eeqbncZZ0=0x=b3J(C`y&NEQuq(ST>?6#203)k9cK?NsOr
zH^jp$HQ}&3$9}eE$C~azdC)L|Hn>a?+NgPG*dWK@?>1m)n-_KkSiLyyOd7Ok7)~2>
zqG3K7)=P%<#S*|!<3$l}=moc66LH9g1{F637)8SZG^~>i&BucwlVvJ5^rj8@(GX6@
zAw)DRM8jIy@MC>gMLZJ)Ee|V;%y3&X5r+b37)l$$M8hI9tdR}J;1q+y?+wOs!}hYI
zp&%Mm+(sKI8e-6}S~6_N0$+$bG|9G^8(yBIzMcrup+Ut7J(nn<UMxn#D%*zaIW#a*
zWo6N<Oip6wJg5d5RDAhpR2uZfsxw2i^2`9^>Pio)YK-+ms$OT!06VeY_cff*vpTWQ
zJa?;8r}csi=xL)OH<TXNVmkEb1kVkBpVmI?ys;zvn=(VZE~jP#j9A#uR(s_zKgg3A
zN))CIkqU!D_hRnMPzAq|wu%Wiz<J{=b-uNlSG`x?0ii>y_cVC*)Oq)+QO(oa$Gw`~
zyH~GjJ~}V2YCXGoy6Zi=`*`;X)mIPe8`>juXrFFF`?xe|*Unfy{Y1Dav`2W~L8h86
z%|k=Os?{6NHzL&8sa}sBp<&@QT`E_voc>>`H8k}Y)U&UtcTJbxqxyzbb?F(}Ye2Vf
z_>2F+m9>nM>mCL-54Re`x%Hj{+<JyG@sN>j1H;?~_U$ob(9l7>!rgid8tClg?8Hj%
zQFAhbyfA}QeA67IC_Rm9F%QfjH)RI774i3J_qQ>xqvlIZo<S`-lLl`zw4yU8Ml{qw
zLp8xr6bv6Ai#1<-xS`C<TvRIyS{M<xpbZwm5QL-AN4Q5J&zL>l)~lk?I6_%0t<BfO
z+1j|Rnv|(X5UjPpy10sW42;vPTR4Xs5okE=oE8V=cTq)Lhh2q!j5@jh?_U>()o^be
zd~f3Jt#kMB@c0j}i?i=e{^#rBEOWfu@bTg|#*B?HdsTe>9HPh^jcdd#R)Z4L*L%`3
zNB8{NY-hN+#C2H2OrE_>+L4CFXi)L>bC_s|MnifHvND{W%?w)ya>Kp54pc2}i3T4P
zwOBOFMg#8hK`pj2B*IAq*YGW~xgqBx2WpJa3Jq0hL!#24Hy2=rLCsh#hOhc6Kd7cL
zt{buXUHTZI+ezgZf#rs?7j+Uhs4aT*v_~`Dx>bR1k_w`yz2JFoaKH7QjS<Eec}$vl
zXVR2|R*n5^wru%=AbX%?`;|6m6$Xb(=0eOcaG6a5j1g|Z?3rrW{_prENvHQVcp3gf
zBNBHX7?JP+ipMwh`qX`y#PW9aEHZC9V&3ZLobglS4CHNL%-gogoLRd%J#Qmpc;5Ek
zPZ~O-!HqVAh=w9)Xd@XsLi@0~^GU}Ir7WbO3mU4?hA`1k6b-Fq!|!*Q;o4SiXm^}6
z1fW4hn-(b=ilM<M8{!)=!>l&kaKK2NYzhiNLq$3c7ST`~4H;i2W4j9Z;Bm1SGfW)K
z4JCp|LpL;3pbd$lp#&OQN^#J;&xJLrRql{!tX>@MN}YlX>W+q@v>{n((3?x5p`L8;
zHAQMOFL?PKKLu&fH?D8c`>$i36(Q7V(V!ma(bAq2rN`G?3O(MoJTc(e0`ot1O4^|B
z7-`T4KDKtHfC~oV__NjLXhsM1L{~Q2rTJ6Q?=>)&Mpt!PE(^HY-b7b1gTD7ZgMOf^
zE#C|9!H@xeHhp7*LYc3`XWFM#`uxo<=&NAMmkhq+)zMeRp#Q0tK|dz(Th8;{NM|o}
zs`#qPMRb0LPF(ZI7|%ex)BBp3vvJ*Y=lGfi{p4l#yetosXlHM9ex&266P;zyS<YTO
zca2JSF1T&bFZDO*ZF`yX`f4(sCUm~0oiU=bEIP~DbGrJcJ6CNt==TL1^tQds8Dk-x
zgV6bkcE*a%a_B5$&zWzTwex(|Z#fs!&M<VQ(oT!$ERW9b>^avSwsIP3-u;&IIqe*b
zP8DCHC5p}p=yb8?{QR4>^I^GfIZGWT%Y6tsUnt@Udo%KB?qtzf5uK&&IUioLc7BTg
zmecVF=^TpA6onI3DP?Dh=yXMADcR}24%(&3mo}((W~H6s=v46qpk{`mAM!U>LT5>P
z&XupMoStrDzZFl<qhvgXp;N`FOs(jwjLs7FoI1!J_7ai7)2EBUv(6!d9@-}xUe+%8
z(9Q^SKBdduMRZm{XK{PZ9VOG94crW#O=sKlGH1bKWITtX^Do+|6P;DjS<IfZ=CO2V
zt4s#ZL8A?xw!O@m={V^efld`)X8MWFYUnH~JKGe3dNkeuBST*9w6lLA=^Tkp6<==}
zMW-7&i`a8I<+pauP54$k$DbjcFj|0dor*6!LqsR;5e+JA&&h6V{TffNp~2sBI-Db&
zKcMp=ou6T%Q-|@yQ`pLJUEpIV_n#{4RPW40JK<C;#Pb2|j1-;j=qxD5bD%3Y2Ns&B
z-kF(p{)Eo^v@=R{dZ4p_>>M&3oW1i_RPP*K%#oUR{EW`Kv@=$8)<9=|**PW=oE_P1
zzH0OHFzt*)=N;N<5uJK;=98V1mx0s&P5S)E6WS%B9%+k{@%#myw`pgh=ro`+uk2jv
z4^GeI1?uBjyM!Y(ABNULUAvU5bT%-1qEl`^p%1rc9oFvP<N0C+JMm=wP#xO$EBaKl
zM=7Gu3w?6Cnda*VYi*F1X}<Gk#deeVE>(0SzETf@Q8vU+%{XqRVjSmd_C}vP-h{DG
z418JFl$Ucp9={A9bD3QoHBb@oXLB9F6!bf~-q87{Rl4+MA9Ts{a~S(XY8|3F7RI<a
zrMsAC2YAB4!+thB-Gks%3GAdg&>k11$JJaDJ$NQT(XV)&hx2TjEYmD}jqH6TGA83N
zCMxExI;BBxu7w79jtz!LFchtk9upXMdG(pVVsfl9=^2k66?0TS(c_CAc`lviDcB~>
z0~XenG0*IBxu~4kgq{<08O1~^a#?SRWgc@vTAStcz)fTPWz?pjEFIW6mfvBo&iWh+
z^ZZba+<o7So(r@mR_Spy*T(qZ2>>}~933ae@ti3$m^5rf!#UcJC>TteFeZ3Y3mDR4
z5+1+qBRhrQm<pAJ#o_y*xri_0g0?Y3@e;HlSz&OvVcN_L+tc$zX@GsQ?NB5B-#%Gw
zcibiOtmdKf@p3o(FWfx&&+L}f`kl<)?U=o1=*&q`WDe|>)xjE6RT_nOJst%+6VFGu
z@$3y6OB&2*NTdyHh`J`@?MPR1T{PgmZHij#Jr3^i%iQKF%y?N1a-K%EY&+1P;?5SW
z(x5l{p+WAYecF3RYBT+|WpP?d>(gb4!6zga^E?L+H0}7a*&9X#!CVMN4Jz)ea8Y`E
z&GpbD&tAY21D+PI(38*L6B=Rg8Mf76<$3|GC~&c#P1oq4UFh0Gmz7TGYGAI9u3S>S
zfXf1|qbJZ+%;57wDT7bscw4>==g3^zi#`=SREW~&YTCklX1p&dqcz@AIevWsSJoO|
znZ|P|@hTak{b*Q6$0$;1Xkh*xW0cc&j2s=0G^1nG`x+S|3;K@Iz9^;7)wC63g!fq~
zWAvaUi&3`zJVs~kk}-n*74mxxZHQ4C8kiekjGXMns1)>?IBI8kRMR!sRvx+hMfwh)
zZ#C_U6@3lSm&2a#RBdbD$QibLEuNC?!$I`L(mspQ=WA|+KCSEv$rZ!Oa31=gePHp+
z@UeEQCAcD?X<$E_?Sm=k5V};{RgkE3>CKJNCC|p7jfw<U#~5@urMsA?743n&7|65j
zbexh!PZRXWt5s>9HlEg=(Vv+o?lW2Uj-W@yeKRRakE^*UdgNWFnxj9ndme92=5^1f
zq%$?sI*JAr_swYLDEnK}HfAtiNXwnH(IT{w8}h+dJ8&|j7&q*3B@NIsL%FE9Z$>K`
zwxc2A4ttzQFvI>E(C2ro4kK1p79aGa;UpTA_pCVB+6nR#4Q4c)lj5-P;6C=nOw~2q
z5L%ZsoI-<&em+Dnn44if$h&*BDx7Ee;02>97KZ|jNkak}RNS)?CK{TfLEgEmHNFXa
z?Yc5)88<lhA`Pd}puA_rW?4iE2Gb5Ki?ecByn?U5GnM)1!VRrQkcLDwsA#*QM8i%r
zoRJK%rH{eaDsK}%a6`9Iq~Q!2RJ2zyqG1;r5+%c?I=f&M<kFUk+_0WDoJGSny3LFg
z4ZG2BS~j$UTLCl&7QiY6%gNZE$vB)t!&cg05e<9LAgnY%`>-h-+6T>&pM1FC!%Wg}
z0S%jJL$Y8n`!mBJc}`GkX&0y$lXkD?hL|~|AqfpC#@i{Pp#>V`U0~m05nw3TFgrJF
zn@bulqCv%2Lo-*|Uzl5>LEho@)s+H+rur~$IJ$^5TtdS}x-7J!p%ohB-CN&j)8R|>
zg$doc;ipHW;R+ho(*~VrFrq=;nf2WaU({tCy&)?%6n{k;uA)K3+`>;Zv_^xx>+1XI
z3i~3zJFLIr80HOWfb$s8cdw=6U=$5)&>-&!)b3XXzJ@>YW;Hh)pbgj2pkn?IA{yGF
zK^|w;{`mwLVs91ZhQB_Lakzm76?23z(a;VJ^4PNW@>noT*xivEp4H1ujpc5mVL4qE
zv7(_p8sv3?+DEE_q2JuJKI^+Cq~Q)4meB@_Xy||jc?Yxh3s}F&QfCmfJS-<Kv?2|6
z(V*gnr$o`v5e@S0WSuFaVNARD++c1nv?mSs(4gXmr)1I42@UejW1XD|V2D@+C-hhx
zyrW6O12m|(;Yl-3XsbJ;LEcrYbEO#=+K+p|4bclp!$UNvxZz1F8oHoCo}1RqG8YV$
z1LL`&_Da(52n{N3cybX90cgmRHik+2ng&jv)^%A2hCKCPRKUt&$41id7!4|Jc+!c6
zKs4l*4d*(*94Bxpw0_Jm=P%Om1Pv-~c=8hsL1@5l0~Kqlb)UhP2$}1J-{*!)FG<5+
zXi#y(lTkDTqd{IX^vf{{3>7**=Z2lBq~R$VRNU|sA{x4)L0*&dD-C^C=DZC8x#8Fs
z(g0fMH&xuO6e$`)&>*jQ`RSq0%JjkQ1UCfa$V2rPDQJkM+v+IM&<zdpx|ZJqcJFVK
zA7R#z1#%K5a+CpD5{QF}8=hiBLw7V}m+D2mOmLe{rfS`;a>Me>q~RqRX3}wp6%9Sm
zkWDs}%>)MLdT>sL#bFhUuVE<?e>T_3x(B7AVFqomh=!hM$SNDW*Rc6!707mGIFpYw
zyh6jDv>{P6grXsfY-kC$hB(|R6u=F2OOS@wXqZkLl0`!=G&srz6ZD%7aj!pfLj_m^
zAj;wm8m7^P6w%Nd4Vh)bZ!phtSerb68+w%|4R6s9MH@8pg}%EF8Zya-xiHUin04YZ
zH}tDa8s4E{Ds9k;hQ4TUkPUZW9mc``m*d<}+=cua_ir>zrVTp5VA{(J=2K~gjP=P)
zYoTsx1~hKY4b3Z%h7V|%L>v4>!#*^`ONPyPlfjTB8CEt}-7FQ5op{eG7-ofEsuw#&
z8=@2jc+YAHGn`Ll26n5^{YM((gApF1Q`x((MYJV*z-XD;)&Ez&XQlUaui;fgudk-}
za`!g)xc{@?^y}fHS9doZ{Exc_{6{Z#BZr&&x1Q!x`JNTan~KrdHIdM-u%FF-#T1+k
zb2psMn;1pjX!HR~S>7bgP0yPL?i%B@vCnt0KZ>2wc?)A->r*<+<2;+X1t=JLLg?>R
z+!7Y6^thV#GmrVC?Yac}4d;1Xy1I@u<UoUpTf!`YAz&HCWO;f_cwN$aq%K>R$Eeko
z)X(OI<=aVv6B<<95|$_$mZJf`X3wb4U|3$KHZv^g%MB^CAtxGsq;n%#G^{|wQYj8A
zX76Q&#xUz+`7n1M8HZeG_<=U0h=!GDSRxr#X34?~R~K<Z+lQpV84aUogJyxUuQgei
z!F)o_$sUDZe&{%HAvdgfK^k(SVI*zPiiS8e;7!PiefZ7GU_H^%vDpf4SVtT3ph3;8
zae^UW6_&-~^s-26D|RProKl<_&O)of@<D|`i-zHJ9CU)gbO7Ukw=pZ?u*K;wX1H^d
z8`jft$cu&u+TbS|4x#~XV^$hAA7F-BFxz2q*Z_u-nKbyb)oy3X84RO!=<nlcgHd5{
zI1{j%8P318Sr%}LFJz*M{@y@ei1qC^qy3vV92(KbTW9D3?>sl{XJ}rpMnpfa8a>+j
zc-0u*aD;n*efx0lj;%Zl?T3zR*=vY@yUtCUM+|Axx6`n;tvkZs(z4IUj`eG_8lvwP
zKG1z|%dpmAZ996x|G(iN|Nn2l7>)OC(Jw~-7drVi@5#m^KPIe-PCi7DEbsvDAxv1j
zx?7R3+nnpOguOM0C+z8uq@e&BhSCWeCK?W-;jq+*ZZ8Of<jj9xy21_D;g-E`PuzkF
zqG1Sah!hL~YnUNvQF^8M+Oe<n`;&DhG0-Gn#mz$+3ZY>zZHN*LYtgV!GOU_#ff?Gv
z);u!|&Py5!qalno#E6D<XjmW_Ru5gu3<JJ!!$kvWD1wGTv>{e7n2umR9Fp^)H*~6*
zSC4}w0v3mo^+-ceG?-|EMKl~m!$HYl?&S>&J8S+p!wm=8kcMJt7)TouMZ+;P9FPn<
z)@orA9onciHyol3#nCW;HYAIN<7kMJ3_BNYh6(K8wo|wvo;H*~Lx0+kA{tJh0k73k
zv{Ab>6~Lf<If@%BA!J#UL_<H?pn-v#_2FXENi^W&IZ8twHj&rdPE5-O+E5A&eQASM
zFa)e;hNStdEEEI()f?Se-E<$EmJhU{G#dKQ1{c9#?#B#+G->&eu_02AE$nDZ4uK^j
zRyPmR1{XB+rVTp55U>H`Fi(oZn&>ag&}0cWEb2z)!*^)tMH~D?!$vfGog9DdFV?&t
z$_#Mr8ph#vpB&T#y$l*U(*~o`pbv;e!(=HAYvT?_f}uO~7jXF1DRpi9oYb{vGqZ9z
z*f$4p*gUu_dW^IuMCtJj*o2<nY<Xh9GvA*dCQV&??PBWM+x4tn71xlia_DMByTU}*
zW_0~(&(+J-%C)XYsI|*`9qEFlTv*U(sc^vpgM5WVr0Cj$t}*spe)X+gb(&kd2AN4$
z1$4DgxEyS`qD0qLbp2w_Rqv#gYrSurwX6MJ(p3>%{<JGbbZtXdq&*i~;D>zAhxxUB
z{A6p_hW(_g61tkvE{o{ej;^2WxoSVQa&7QiZ0&M=O|}nJ(50e2CM#X~05iJA%C57S
zp?z>Z7l$rrAD}*hi?t7W@DO9{s^|%z<CLQGxCZP%&os#cf3{KUyl}}6yv^+JhBQFy
z3U#iF!eFz`X<!k^x*reNiH0cIV7v*2DbrhU!^_OnRpP;JXi(8^YemB@G)$EZ{a=7#
z=<p8QFgGh{sE&qCia6M;<1V6MHyWnMhU+lScXr4Mvlx~SgPll&4h<b?gHAN;L4(|X
zZ7em<sLf?L9Lx=~z9$WOG_<7+VWMF#8YW3`*f`-17}|9n!wqX1kp=@A+R%nb(XbB<
z6D31zw!TJf&WqPaaKrYNq`?ynt!YD)XxNX239_Ng4`A4H;1_PF*oicFp+QA^6(brf
zX!t`m%!vj=!{*nx;UI1BMuUp6Lab=O#nhznvf)B`FgR)d;D(md$T-wOgNlC6A{uZZ
zGijV;*p#!WQR{U6%3N-!GlMkvqM<pR4~e4TAeM#PcWfFH3WmTQZ@6LYY|>B%4NYl7
zifF*KsifcKI9!GWey6O?>$qXgQqoWt4Jw{o(8LJ+1+Gmc$z$40&(<5YIa1!i3Il5=
zudE~uerRY+$3ZI^a6KeR9=~p$Rul{^JGA14dzVQAj3}YsY)Bh)q5;=KlH{@K=EWVs
zP`gnXZWwZlG<=VS2DHIXG~jwjk~}WmQl~R~<Px)b4>z=bKpGmL;d|O(6b-l@k|d8o
zx6FX+tg|<3JA@m?JtYkd(NLc@gop-Q4@r{8n_Cv00z=&<tGS{4Gt$rq4JxjD4-*Y1
zv3(dV)y*wyU@VtiUptu_a=#@FjnSau%J)do5RZnRB*WGg&hSCO^!Ww3p<Y?)@rYok
zK~OKe>9R->4X4oXqihIj4u)SQKIDe$uB5?;1~1y6SuC_s32691Hv9_fLfHa)!HkQw
zQ3J`RV1iqt!IL&<MZ;+{jFJs=1HsUsRRL~T9!$oeEgJN+!9_GAqG4pZfp0>-=$Wu_
z+DF*S(42x%B8!9D7wW^z;7~M_p$#d5!Gt+!-p35`I-#TEjd*UT*Npn0Ah-`2O4A0H
zCCYp-VNRO&%7zNL*q+WY$YB<TZEZ<IUo@1W4LZ?)IceS_8*aETgLV=(e4-8g&`^>#
z_=yJ0N%L;Wu%}2lXrpqR{e>G0UC21}M}vwhRg9tmbJDy^Hh9NCy?D48R%uvSln5XV
z1JO{7jzgGeIK%3Nd8cgn90`UpPjhlZ{n6B+<zQH8hj!ALHlzrK05l|xU<Sq7^;XtC
zXiGMN(Q;OZgXOh@ra~qS{%mfH7YK$CIBblo7*|IvwXPQqSAu4-I6TCI^wJ|c@bLS+
zee}lozx;t4ex;2^HIEtw9}k~@_8|!N9#z^wI2|5@WB=9r8xKLKd-R=UO~b6z;{(AH
zSk@F*aRGUZB5UAb>1dWUk8tNFBWrw$&h{U8h&}RM33dXR;U;aEh=z}J?THl)v(bRP
ziqbG6j2SYQ=LSbD83$;0Ar2pCgGDfy&SERF!*(l@J;z_LKF{Ld2oJf0YxvP(TQykI
zJ$MQl-qVIe!4NbD<A6PzG7cwZusEE8KNriwk2Fk0!#moLEE?vb0ed!up~VG%W;g)j
zS!TFJ8=}zgmNuk_hIwefo=stBdGI$d<T(G48-~{-<1h^kZ)k&NnRROl^<q96uxC>k
zT9uvx53a8t*^(R9H75<z(V*fod#z|#fClW@6b54;j52hCYr`RWRu(TZXQ6tP+00O^
zHXVmBg~8!U1m>jpY#Mv~3Lbqb;u;<RyGzvZ>VJE$g1re`nC9u>uCMXW9<P>q6?VM(
zpXpU*7S5un1Y;5Qv(=JiDjYlqv&M(cnn-2VTo1t3^gN#JVB;ahT&0MkrrdTqYt+12
z`Ty%fdg-H)8t!_7mj}Fq_n&(xlONdo)<t_N5A3n#rc{S4R2K+KxX=whr4uJgkvP!o
zF2p7eyJ5M>^LSfpFmLh_0<sYIL<Y~p<W(`*k5L#LZkYQs!@#C#LjmO>5cr~`Ru(#W
z|1Wq??SChItzK2D@r}W>x>wa$_Leu1**hPzSH*4rv5L%rmm+cSl$bt{O?x5HWAU{)
z-z{UWG=^;C*}G*VX@EmwP=g-RHOL|waPX9vK8Un3jN8Ese?#45aVY#NX;_GcN3<bP
zG~nPVF?|r3VVJuK?ip}xn)rnqiqZzyG=Vs%xbZq!G~nPVF?|qeWw;GT99@gX4C98b
z6UjKhf)W^1+^(M@8n87>OdmvM80O7|!F0utN3gxZ%Ay->fQ2|PsJJ;_vs^il4LHYI
zv!sahr3u~@rxs0!)x)>#j*gY`aKk#<0E-@AxJT!MRxm^?Vur-@fow(`=AR#8)K;hv
zTa_Dp=VYP26NIS(3}kh*!9`(!?*z{?!+AXFi9?cX8snQ@m5!ZZudEk=v)7mDR{dZ7
zogh5@3-5#bcvSQ8^zo_T;q}iBWNm*Z_z#Up!ncui7-}Zuu8Nlubc(!zyMG6;yfJ-N
zjt16uHPkQvnl0_Q9p<^~xQjHvKN$=vUP15^4Fl2eNjCgAlNm0R<AzWRX;^`VTXg*~
ziUt!JKFWqWcqDW%Y__qstT!0g``z~6@D5&yb+|HZ2vHc|25)T3wmYO5GQN4<153S7
zhj&$`>+t^tBQrjs@UB+F;OXI`gF5yfnOLNa%-DqVpBb6eJVa*iD$L%SbmoL9G6!n$
zAk5wma`t}yoz<WYuzAL^x9r(0nn;)rv!AU=vBng<8VzS@L!{E654gY#Nqv|Bdms;u
zanXfyu#g0Q9(-|Ze5w56n0Y!~Cu6b(J=bYZl+xoGkc6J0Up@E*G>i;3<$A|P2FB4m
zCXH{9hP7z8MjK*8!$mX<kqsmL;A5ECcVXPa;&AUCX;_DbtF$3jG+aW%;I9T88C3c4
z%!WR&$(=pNd@VOby&w(i(Qt(}SVY5RG=xcpjnnfo!;q%j&^k|6YVN%O4VP&{qF^wG
zF@x!EW`NDzw0SS|bl=zgiPe#UzTD8gIB9@+4)k=FXhX7S7>tJZvSAn;ywH}sS(qD6
zl_3qWXt+olQUrquM~dd{X@<03W@~c%zM_*@S)A_14X0_tCNw0`1`YJf)(3gbLog2S
z<T%8@AzE$8El0T_5e$*6{eYjH_G&X4j?)IM(x5kCdu3iN$Dvhhq&C~RJOlUv>-c?L
zev9AN^%<+D%rhP+>}S&x5xfOGDsE(UQF?q$*j|}qY<Xh9;{(g#?0|gyzJ3Sd_iZX?
z?MkUay0)TgKOHBX=)yM4yvUwwKus&x{?U*}8S#1vu5bty``L_F_uy^lQqkY|DP6AS
zp_oJXrL?j>uRY9iXjLlDp@Rl8Hn3a^^?5HH8>7<TYr?kGywF~3eubk4U(3wWdxLds
z4uLBQ!oq$wV>3F~jIOP;D@5sPV8Zs+JkyrT0=aY(j%9$WSiEImk$B5b9WbW^-(m2<
zz6$<q`o;$DK%a`+L&KClf72CKc4j=dopI2HwLz_7lfhT;H}sW>w~VpGTPDx=A3ArU
za}6EGNYQx}op`w0mUBjnbm#QX@s?F9?0H$+aRlN?)P-H>JViUBlulQ3IM#(XY2|Iz
zxBZ1Tdi4Il>%!zZWSQ<p!z$Vkqcr%Nu3@b35W1~c{V~!yR$E4WD^^o!=N@#fq@A&%
z^Ex{5pt>#RA@6kOj=S-e8z<r|tZZd3E7K_2xfh))Xs1PV-ascFX1C>>nJwLUS05i|
z=ofFX?N#aAhfWo@&nAk_o9M&?@3x$d-P4?LHP6S#^(q%{vF&BfX>>gIqf^BVwaKD0
z8J&12-j*}CK)SR4l=!$`Jmc+nnR7brw4hVPEw(A5^A<Ys;Jhv8okHo(u`%&+lbqt?
zY<rpWPudxWP8B!ZYG7T%Y7FOZx{XdeTyM*HvxK!X%JF~bJb=!{bUo6F&O7MD1NgR_
z2{){rG4;RYoI%I)AUajt+Up`Z@1heA>DzKnZ<X#`zAip4HZnermA~v|<$jrV9zy3L
zI-WYwc@Ld<kl&Vb#hY~Jw#V^tNxkCZY<rpW3OFNSjKO|3#~7yI!|2>jJN=YSy?GdO
znjT4gVuMVf>;vm*7t!ftXyEK)XpnCy^IWClb_6{OXpd3p@i*PaxZ%eKw&E6-Ej?~m
z6XWCF+>Vd49Y2-Mqv)JZJ3~b019ajC3bvd#^QAjK`o|y0H6cFEwwF1tK|G21(lK<Z
z8AB?azUBxl-(*|m%RX3-H=;A2p+OO6LxVE6tjpP}2{{frj;^_M{34Yuf73&Z-)LK7
zZ#K3~IBy-l634z3KX2N30-bYcXO!rCgwCJrIZwjiALa;U;^SC3yFmMGznpz&=Sg(V
zrkydO^D#PqwC8N4$jABL%tsZ@cyvb7&REg;1f4(Fb2h4<7S98VU&SBTo0Z2^_Og0Y
zla42xmV`O$EZS)ioqwTols#uQSh2-&KX4!{{$TdA@pin-S&Mcipi{-|%!#7&DLO~m
za}I`C9Xb!@_KiQ-C40ObFLTzRou|<`gN|pi=zNAwJREPUy);#@b_UJ+ma{H6i8*2-
zI?c2*Md@@6z&Ur)AQn%n_4!uiAH0MY8XO(N>hL+D3d0#RsOXb5s}y5K*8rSPCz-w)
zzOKpt0VgLik3T<@8x9%CIGja;ikFSFq5<crNdqOr<~yI+&Er47oSx;(VcKvG4Jy`W
zTtoxTL6ZhZhAqZMa5+?5p26IZ+J=k+^d`^_Y@zc(CmL{mnbco4Tz3M4{#PGv2n-+%
z7tpYoHu#AKoI57<`)Wwvo7k8N`&QX=XyKpC%3^R3X-GnYir1Blq5<cHNqr^5rZU@@
z;TD|9V1_Zh$*~NKD4{IWjJcEsU-NL*hL~<L1GFI->o+h~Wn-C%ov;l_8_V>#Y(17a
zJAfR^Tte4Gx_rWvE`QT=Y}<yXxvcgIx;}%k%z>cy>f5$014-v)bWWh1k)ksNop=gJ
z(FVhsX0kTR?oQCQW%L!_ZiCMZBg^>;I@OH1lulps2rTCt_R6`v-nyLUe6lX*z>%cu
zD!SB+u|(HMbX~XSs?Ns*Y5BMRj<xH;DAIKuU24WEqH7eouGw={x@#S;!!4{`v7^a+
zgPA|n*Wc-UOH{i2O)oIthDr4T*3u#0me+^fTDAE$=V#J+6P>@&&ScT~5}o0)bMg#u
z&h!|q-Z__cCZqFL+L<CcQ_+cg^~(CYWfV9E<=Us-Sviu-$6M%}PCGTL72_9Q^ADJh
zSMB9vX{~iWCVpp~j|0b(<$MQSk+jQ2>GC(d!ua7i17-YfoPhW>xHVgS{2u&4I-%A<
zz4@7T>O|*jbmCbAg%j4VleLadC#J7);h6s0?es(1c@Lc`Zi@F4oo~>I=M|LBUgf~K
zrwgnCsjc6SXy<)&{zS*qC_3Mw6UX#Q=P#b%TwE7sHENxWCz0j;0G&T7oH=Y=N*5wJ
z-=P!7{Yqy{eQ=I(xvkz=elqENh)xx^(uax8_vpmAfzlZp3C<zft?Hc>Xy+qzj#9+a
z!B#vYMd#n>#QB5LnbZrM{*PhrTWz^lq@9n^Ig)lpiOvt`#5so2`Q|n_tDcBf?{o!c
z6f6_7pUt)6(ZNs9siOUiQ92u#KB7}@KM%~GV9{nCI|51t;#n--PP@eB2Qz1p{mx(L
z8%M`6R_XIKeL|nS76R)?G1|<bVP5FVC;FJHYBagV{uEtPXqQFl(wjb`OJ384b)!ga
z=3=X-qRT1W#XQx(GaibN{cM(FMDR28s2P_jJ-+52na6a+UjKZfFpm?i2{+7J)VhCm
z16MeZ*w3b`d+>8~sTf};D_yRpFBm8J9KpdLxGXQz;izeRj#+ClX-GkXiuK79!4QD^
zidN?{)7M_MmK^|>AU~^Jk{jxQfhZqnU7-J0QO{h~2;--puzW7tE1zS7tjniDoOSt}
z1Xm;!4g1+FA5-uvbg8IcI;Bf*9*r&=dkOiLvc012D|jCByr~e!^7s^8R<F^cVw~xx
z^tcAxW}c+pEKV68n8MlBtuI`mtX#s}cv<N-lKBF=aZpw&UPCjAhC68JB^kEmstJZH
z?V-(Kad4*%Z_yA%w=W^0;Vv3NzZ%llhc;_A!sRDb9LI6PmCa-v-l1VCZ3q($_t4N&
zHteeguPqO33}ZnShu&LB1FV)nS*U1dBL#!`XJ#-xVFu_&GuDS1R)}L~-Ks$;GsFIU
zq~UKgOs3-yB^n~p@K`qZ!bO+bY(;ve#bG~b_<)8<v>`?`{DKB~Pq$%Xcs(i4C+E4`
zP~1WqKB7Uznpmu07^GnavwY48+j4EbUmI}4qr;@(6B<;kcUc5Oz<p*&>R~%4v*&13
zIjt;?Wu-oX|I7?U&(md*s4zHO55Rrm^XtDF_<4W6p8zk_9N$lWt@5w`2>$E0Dm8R9
zJZtFxL*J@cy;}3FZ&m&aAHg>}PA2acOy2Qy;v_2)2R>FAgO&K9+>iv`gG&71T{fP)
zXU|ZEt}qgS2319epCTH5MZ*KxFy<r};?6eahUw=?Lnbt+7_4g7Dh5NY=HJk8Up9<4
zfMHKOOo~~f{`M(p$czRR3xqDB;deCLlMPE7gCS-UOj(%0DTOp-LBkk2AN)kaSTx*~
z4LhELVdDJGY5DM(G(hI48<>WOhH+@PBO5OF2SdLfpqXTG*z|=oWJiOF#j!BK5b%&0
zlDaWN#wWb+q0W|dp==|n;|p#m?U;?2sC3PN1{Dimk)q)d8bV~lgH&cH(SsXy&;}<o
zs94mB5)F^h&{Z;Q?Yx{B*2HqdVka^VInkh8u(G+p5+fMQ<1rs@%lUBQ0^~zz#2jvL
zC`=lh(V$|H$08d3K*KHB@TD~v8g!_`4Gl|?hTLdSv4E2(8YZAYo)|SM05|65sqP1V
zJ*yW*E0cyiXc$4a56PloA{yk)(ME=0V94!a<c5SQq(O^@;j|$|G)zK+ym8ma4{r6&
zleyqHZs_Vo8uFqcf;MPi6Upkpt!uy&W=IPDS}$<Gb-}Ux!|ZS)rlVu0TikHLn>4_Y
zDQG8$(FUz(_zMj|vSG$UW{5Ar4GkNRhWuy<rwuNG!8{quLf))w)E+(_%l+&NEKjhU
zEYOZL6hMQDSMPM9VG0`Ljmbt41Ho|WCTzGcLm}Ew5Di1<IQR*MfTvg%fnUoaeR905
z@paZt?itPv4ce1&D1-(TuihC&!!tAl$cEP?VS*l*=Poxi??M`2X%2ESjE+NyU@%X`
zvXD3B8qInHWwCz0FE@PbPa2A#VGwNy6Ae*lkQW{s?KusGadUp;hJ3?FLoqZAqzzG`
zVHz6b#kEFfhl648uaCK*_Gr>j91R0#LyTycj)qGt9~27}jb6g|A$RK@Q@EklucQH5
z63B=Cv>{eB{E3E(vf<NFFf{6Pm>UL8B@M773Wk2P!6Fy}@Zd~Rm#_8WYg_$fJZmS1
zrRBrQ>7=0)8dSVEmna(WP)t&1$?)j1g&D?u&*P9~0cj|WhCXy0l10M{Ru)N}z8cco
zsO>rOL;KL=BaFsaJNcS6xS*joZAcLe<{6j|Nm4#E&OZq9LHB(PZuqjAjKg<mQ1RlN
zX1%iSHqS)E1=&#J2^h3xE^<TpjijLr8bawfXhp*;G@O?W?RvwjLC-U#<)kxwiNH2N
z*w5xdd-two(a@7NxQK>mG@O$SqgsIB__f_U4u<2Tp&S}|&<34on2m<BvSI3LFl;^Q
z$_;;>Ar0lx(498;iH137I3pWk2ZQ0y6{ol%?gDA3fQD|g!6+K$q9IW>>~08#Kjy=#
z0;`)JZjgqGXb7PVA%Y>`B{L*-WQL4G$uOpU>@*4v1fT1$iyOw@BMne$&{lV)4Pl}o
z6%8F^L)W@s_&HNkZU{*w4VBOkOdBEvgLxj7#c8=L5}!g@3>`a|8~h!pmz=v+Mne#7
zh!PF+(U2e;UcdssbDLf;N@V$P!I3mnMT3f0=3+#{0yLbG3{CRF+Mu&X!?b*8lY=x=
zLqiuj4zYqEB8C|fcQ6B7(kWc$<~nTsbsmR`&ZNN&4V`I&MKA=sVuqyl%%H3nEGHcu
z9S(8BFIv)29SxmmL!xMSjfQq#4e1-kxB=+s*xH*LTnmu~9U3~)hGfBDUWoY+FXuyT
zSR-}LR%|9W<SI-W+|kg1Hl&D#MQAu_+n_C3_-AeyT|7H+Pjy!hW+<xsC^(0$13#J#
z*5e0w{QwOQvoM2naV)%ka62o#+466{r<&bQt=Coa@b<1@@P>VmfACr`>7Hu#`T^V^
z`28SLc&I77nt!ONcX*$gE;?tYCWD5C*K|?;`oY@o$jsGa=Bjuf(M6Fpu+xGqndyX_
zxou#DKwHuwZPa<DJZUhXp$%PobfRG~)}G_CVJN)&r7d}@3$HzyDw76JG^ltV(N8oi
zLBlcGFdDY-wI!3ra>LD9*@^Aau3lJ!=h1O6Dh#k)`i2?KFJuO(MThNDV{^I&|LeC)
z-F13zgBRR2uk-P8H@N?!b=dRk3no_ErLZGww+_3zyM+%J=GJq7ThGt|eIr7LjC30q
z<~Fczk0FDG4(b)|)??5>XD4STHYDoNm`q+DOkU+f(>AvvLKKMum3S#8?@>8<|Aegw
zZAr@wp1gs*NJC9Dw4jqWOf)P*!x7nV{uDF(e4iVFX+teEsCWP<QZNL(Wrn0SUn|hp
z;mCMg&N#n`8|wBZ<KT;i=5!pQM8i8Yw3ZCpwZ+)5tVKs|m^z3w)J8)y+7Kfcg0NA4
zw4E6;h5|KD&NluypFLqxG;LX@;0V%C7Y$8lgGDr8qyA`{WN2Lzwjw;<2BZzsRT%ux
z(3mzP3I_9X%*n&dpjc{b@*Ez6)|Tvfo|lF37cvg@(a?}KqzHx}>{uRcmEzE*-vNk&
zb5+<BXYE64+5n{n)7J*HL9@|%XbA1Y3XH=cDGp6FumrCy*=`m$d>%)}p%EHXJSeFX
z3_;jNJ=!A0q3y=G@RZB3hhf~{FrG9tMuQ(62S34JUWsuyD954TVHSrv&$!{?MA85g
zekhANw1M4tZ@onqgze;`%~BlN1zv$T6t9&wbu>>R4b9L{n>K`r2CNs4Hpzw%sGGVX
z-f8);i#EWJ1mfUJ8zKdRc@>rgK9HiQn@#H#WMz?mAuo#_3&=RMLqiSPpp8|Qg?Tj^
z;^chju$LJ=z2=7KRivRk8a!x&i(m+N&kRXMX2=-yCG9N#_~ba&U;KH58?tXE4IR+n
zP8)Qh;cqmwk_=DWHZX&35jWi0MH--YgM3hNJH4N1_<)9%lHo7ieOO{kaT~=Aw`oHs
zG*qYKU=$4>(a=IRj2jDvxtFSQgZCja4xQ29MjJvz!zVQOONOVFUcz?(Z#{c)gAZ-!
zf`)3eAxt!UMnm(jhV*gN_W3thK3Jx6LrvNcfQG8HAyPDaK|?diV9x(Hl*QzxPr0Ga
zDY7gA(NKjpL<xpK4H}wCh8<;~USt~W3q29*yR)1p4MAwAOdDcEg993xNQRx7Rd5GG
z3|q`)hU~N<7!8$ZL#$}Xgoehl;U_mRl)F=!8;V{e<IoiiuC&1-8Zx7yk!0AF2Ob#J
zOmF=wH}s?pA!w*b8xjSBc?~m|EX<(nvv#<%{$l<w+;H?V8Hes@C{G(wM8jG%?3WD(
zvoOOnSej({aPK;4fR+T>>hEZS4(3hPV;J)~H0+ZNm)0}Gk7;Atg||sVZ#1~j20ziT
z9u0dXL$l1En8CP>$H9<F8v3B2G;J`7h7D-gBO8h?XNFqN+)(B-Y3PfFQnVpNFa$a>
zLsCO#P>dg*MkPWU6?HmoOgrZbY3PrJ60{*wG-N?T1Ih60`%%z7+$i~m$6=OJ4r<$Y
zAR3C%hA7dH6%F4@hUa-b!JuuOjT>4NBMl}r6r~L@q9Gd^>dS`X&7h6yG-nMrw4x1z
z&`^Xn#EOROXs9O{Qk?38p>U_Pqi?$6WE{fKP?$DYL_-cV_{oOSkHO&ZeK#J5{3S@k
zU^En>4T++`2@Q3>8q&uwyXM2wp_(j*Vdlcx$xj}nAp#9~X@kpVp`F~w45r=8py)4}
z&6~;Ehn*$3p;s-^FdPk9+Mp8+v1r&O8;-zsskY?gcy1`slr+Ey9Qq4q+7KcdHlbms
zY`FE78HS{-1r?n{8b+fb2W^NE4V%$`Tega_Xx<l&N^46#fsqNzhZ)mJ!_R2QP8(uH
z!xl7{r8qR70dG6xd1<N14cBLqhDbDIqYW0p5SWu0lIk!6_7{rdR@rmFG>nfQ7LkTA
zXvjhvk_Cf#E5-rWCzWNfaSO!Z;&NE&Vr8-R4r%xe4Vh^}ifGt|23((18j=TsVMTaa
zPX6+QH2jW+Ote9>MQ9(kqXE|j6$bzAL0~ACn$|{DdqWz=p+Q3%TttHz4Y)3+H2efd
z-}2<R1gk5oEFR==qPDKbGec1odj~p&0iIZ1%nYZ~x2~1PDT=rb>l8|FeEr+Eu5rs+
zU+q8fRIapj&0e(nXSS{{<#!_9Gwk{YW{rwn4nJkqTno&_vgZ6B=`Gp)M;haU5qgi*
zt#bp7@JelqN_5uz%il9(&lq~^s`+>s+`SB*|Lg<Hw%;@ShdwUdQ^1LuDNJB_Q|uGn
z;u#frqj3#%W_gq3o1Qmc-vh;wp?2!lINstl`;IhBM8ikg5F!{NmM}wN`VL)Mi>GgU
zZ9zahd!x488E)uNfiz4)!w1?BCK{HaA$^C=%J3d;7<C;s4%U-d%ioJOOh&`sv>{S3
zn0GLP33o%}-bY*VV%lhAOf@nNQ_%39Hbe=Ah-Dau^c}j4I4qpEnZ@DmBOZs_deSfz
z4ew|}jA&SnhV<RB48x+S?U><3BW}pzLmHyc@Rl~jiU!;zOibUI$}q%CKEVtxPjkbX
zTBKnb8s5+bi)dJhaY)~pvNBwXV1`v?xnUh`n2v_mv>{P2n0I1MqCuIH3*aEWw&eCh
z-0+$<{E3EFv>{nE>_S7VG*j^3P>C5<jOB(O>yc$K0}ZLPAw@LoM#DzgaCsy%{NTwA
zWgC))nP_-P8#G&m5%L~1Y>*Alzhj0_sP(LkdeWRU%tFHp+Q4pbQ>=FGMFZYqp~#08
zj>nmy)qQTTv?C4CXh@+AE}~%{8rDg1Xko;a1jl0B(55?Sn2m<#v_U5r0&_D%QY~h{
znd8?Ll>=EJ4pXOG<%W+vNy8j8JfjVMq9G3&YD$LPO+%O=TiOczbrWfri-xDP!6+KE
zXz-B@F&buwP3Cd9K^x|w;V;?{A{z3d!8_f+$G(R9sar3=3Y)fM_V?W2I*5$Jd^9|v
z4Pl}o9~!(Q!?x!`z>w)VjL=x!bP6L43()YGHbjbs{Alo$4BK`6VD=if;T$&{2qz5-
z(eQ{iM2Ut1XfVizfL&mi_3H+1s4$B(EJDLW+7Kfc%=?+aw3Zo^ZPX9A%6I8FH!O)J
z4KZkVKpSF3g9Qz1WW!1W%gOa4xxslpX;_Sg`?SF#8sgBfS~l#t&J59M<7)p!q+tmf
z?$L%s(Qp6_t7OC3-@%Y=OkEy_zH3RtQZ(G94auV6AR1Q6hIj0;l3RhWhRN#YLE5kk
z4R>fmifA~5h82>bW%kuzIOE@%8_Mn><FFhJw`qe0cKxjT?!bb~kfdh@MW3~2Ybhv;
zk@GKdLj~Hf0u8rlgH|*YLPHJ7uy;80n|Zch*~ASMX~Rl1B+~{L!C*d&WwBf?i&C)q
zooA2dK5hs*OqRteG~A>OI>8WF7~|j}$Kl-@Fz7pf&kYMtlZMr3xIr8IL_-lYxJ!op
zW%j^FwoW=IWmYd9&<5DcgY}2&w1MqJD{`_Z8g#OuWiI$&>1LL+F^qR28HcrKxJDa7
zL_;w&RF@4ipMoKJ?*kr(4`)cjIy79R4Pm08I2zp24PVDF=6)t9i*XUzx#1ISSdWG)
zv>{S31mT?b5zey|C#Bo5laL;74Q6iWdy$L-^zx7omuW+kU<fRMaj2FahX;5O0Gt3!
zVY{V{j&*~%VeJ*tun`THXhV!>D2axu>4vXmv7=-W$cOWXwA|4DF=>cJ!$sN<D;Ug2
zn8CD+85CofmOee8eTXT3j2pht253>CERtx0MKl~m!&2GMDkm5wW;Jj_p_gPFV800r
z7idGGXgG$3C9+|{95A#xahn@<ydw=TqX&bEn;Vlw!*Mh$mJKoWz)*8rD{gSll#^Pg
zg;4<*&e3s55e+BM5F;B-P6I>k301h^W){)_|70+nr45?x%C_2k5)F%FLsBRhGXLD2
z8x9p94Li_qnl|V}Lp&PrvoK}7cykNd$va)MazlZNq+ur-5@>^;U<fS53`td39N0MO
zYx}UX3anS>I<mblHx!}`yU=ioHW)=iX*5)p4YLb?p>wmewV>T@WE^&*A)Ypbhz1ul
zRFVznmVlvDo?1K(vDHb#9yFY!4Pm0;J2bea8@~1zFUrC?ZDx&c+W6sD9ckE$h7+_Q
zQZ$r7L&bDMMn2qtb=q9{9f$BZtg1sAVB`sP^EhpY5)9^3%wSr;42pWusxa)H=RQ~m
zMrdp-SLS=tupbS_XhV!>NI=7U*-!>fgy!B+;}$o3-<UL5&~TJC#EOQ~XqYD(>ceTw
z+|l{Ra>K{wq#+IsM`(jZG$f*7u59Q5>(#l3r&i*I39U%O0W=(@4T+-R3>xOhh7o7L
z(CvCOHx%te8V;i25N${n4QJ6XTQ)3%_3GT7o73vW-?RaC8K7Pqqzx&e;T#&GWy6No
zV5qVZW>2hMnER7)IE;n^v_S*oWa~MO`8*nC$%aD<z))~{VQ$z-8;+nMjy7mT!v!?V
zlnti`gTZNBOKvC?PR8LV8Z5NIMKA=GWrm~*%%JQyU%~oA&QH&7azl$zqya|1kPrK5
zgHAM*LqmDVu*(eV4>@aAg&vvZgU1h~;W!%h(FQ-!P#z8CB*X5xuukjLv6(kF^qoi=
zPM~2gZ7_<43TP-R8<y7rgMZyY+|Z9UoJ7MO+7KcdDx#rGx*?<Q-u4boYn#^G<%a&W
zAs!98X+xN3a7Dv+lHp|!Z#XF(_u0q|b0(2xaS9E)6owqOE-Q%?4VBQ~A{+L@DP@Py
zB}=#=c?M}nK*LUj!NHaxN;FhPLutv7svQA_0<B?m#OlQ@+He{TJ7`0UXsCjQQnI0S
z7@Sf*mp5%}f15TWqQOiXVnst$G?bJLy<zUJ+52HAkAvG>vMkP^VLNTGh=yutC?OeM
zm9EN8Yd0v&4cd96;Vc?dy!x9c7|cn`V4A@U%JJmiaco^Kuo5>MTSOXQ*9qF{t#llc
zMZ-lj{3#iXRek`&hAOZ-!*X)rQqpi94O?hKifFimhUv1QbvH2lktMCq+Omc;TtLHS
z+Mt2ivGw>N&<*pUczQm3onP!`ZMC+f&q5xDL+eOG5*jwq2CZN)U&c60ljATL_L7|Y
z-20Uq*2j{Di)e_Y4KAYL3L2th!#LPWa&B|_1vh-&Mj9@mVIytO35LMxSQf?7%i`;K
zx&3UdSUYvsb8c9>n>1WT!v@;mCmM8UD4K4_$cJ6`*`8XtT->nQLK?21VLfdy3I_94
zEQ_gfS*&t^vhdhAlN%l!BMn#4u#Pr_2!=p+j6)GA4tsuuzB^Cdz+bqb&uP+d0}ZQb
zLzrmrKto~Ku+RvGa`k@WhP_vEYRYEP;Lp}2p_%e_g_h(?^&%?H>_sXJ4i^J!FvI!Y
z=>|nk7ST>!UR=f5UxQaqop-Mq)jYj@+^gxmd-ba3qx15r*0Y<ZyWX?Ak9V(7eO;q_
zZFd9QG~}(*dHPf^deqkIJSrG#)Q10~ukGKw;n0Xa-a12<@*cgK_A@lES0kdISB)NR
zeY|Q6Z#crezrKCAcgI#9hW0~8w(K>;zg_31%_D}i>Dy^o+twZ7Z)w?QWXJk7S`E?n
z3m@n{xMf)Du(lmN;s4)okpJ-VHG0DTx-@Cm&R8AJW8)=6rqCYYeFvFpx-<_B4Xaj<
z-8kgzRIf*m&@i}9taA0r&Q5K*nR<uTbm=}aJalMnT{V7LlHospNfP`K|HLIpy;8}v
zO~$lcNvCa;B4ywblxtXhr^wa!*iTS>^G>bF({{i+(r^n6D`-QEXt<7s$+F=_d0004
zIC3R7WO`2;Zlhs2ZHN^OH_$LiGPEvT5)8Y&Q@CN`N78Ty4a;bQMKs(*!$jK#ZArrv
zZfNL`i`rg*2@?#pl=mgt9R4SYhGaBMkPVeyK$nuQGAw?up;pCAq~RVKme6rX77e%1
zfS)iZhMcXNv5$~mI`vJ<hpeRGJ{lI&h7{3o8x7;-ID`}g!?jm1fMRjDUWhcnrZJR7
z3~kWBMuhcn&wK|B<7C6Iy<j+UvjH~@Ele67qG1tj(29n;Xc#LSe*XZ5?WYTIgLBPX
znn;ZXf3~_cjj8J+G)$)rE=q$wP|plWIhY~ixXP<z2{6=(grQd968w?LghS_BCLH=(
z&&nk??RkuzX|zWtdJO2vE_-6)m?u}0|CZ+odZK8LpXl*KPd0lVhj1&;;Vju%eDcuo
z`3pT$X^&C#c%dh&>{(HT#ph!V*`uXBPth}l_JoKYZ}i}YbjtkUo;QoEJx)Vde5U%7
z`TPt$lW9+w=<z|1qa2^uFDyP!U?B}2O?JY3KFmE)v<D^}(9TSvJ&~fPCVDd4^W5)d
z?a6bE#Ycq)dQ9+4q&-ohrxtoL$)4?fS$vY;%AU(~d|*-to(Z%kM)dfi$HAWG>SSwA
z!A2}TS7^^m^!!14Vnt7F^k`(y?sF_YNoD_Ao>cUVr#%+YQ-^sje6i<Agugx`pNqw^
z_*|vq^9nuVXb=16TlJgzz`E%9EPIZuWbru+BNNecjrP1o&sf@%EPDLV^U0oPcV25x
z`QKQ4uG5}3==q)Yq==q+==msn;`6fjY=iN3MtoFzpjJZt`i=Hzb_wNGA3Y!Jd17l@
zdn!L;@wq|A=N)=}r9E2F^F4b0mOW>FVDVW43z-@5;hu6W$o}FzddAQm7tzxIJ@4&#
z7Jaey7!I)bl&3v^qvsdeqZ2(1(eqCBB;8~2nF~uk8Szo=`GB5C+T$mB8lmT{J<rT4
z)}C5bS$rzc@%f0JpJ|U#^fX4#8`*QM6^qZ*IN4K?_IyImXxbAZdYYi;wLQ<zzgl~m
z_ha!{)`86D&*=Gy_JoO^rs#Pkdv5Jy@flTA_N=5mPz#{_`H}WSik@cZNwwz*-)QYI
zo@en{O?pCLHUyp@Xit>rX^x(kvgbir7N0>4WzP=U<A9z~v?oUN_@n2AJx^a)xXq~V
z9qO?7?4&)g2nz8TNqb^NPYd*<$excUS$x{n_-}bKqh|!|v520Q=y`6>)AG2rCtwwe
z&n`MXj_4UqdlE%YEA%{*JeEub7N4eFWzTNflLb8yv?p2g7}4|8o~O=4YfrBqS$uBN
z9@qqi{88~1XNu@)jh??`PqsxYK0e>co?Emh8+uf{%c<EdjDOmo=ZQT}4YReU|9uu8
z6`t(q8A_LzR`j$*&tuu+oP)*3t%dBlO~(gj{ZL**Xpf8NX@{Oi_B>@rT6-dPvH0Af
zJx=HuOnY>qr#*Te%AR~fS$s<6`EPl0q9=^@_=%nl=y_nzQ)Icd=f`p^K6mN(z~&*8
z*C5(s6g?f$b6@rpzRu#4zn1K|M|+&nW1>AFqNfvj?%DG=pRxA*GKIzGKJCeko`JL{
zO!Ra{&t2J5vN4NK_TK+34`dyb*8tiRDSEn~=Z-y3CK!2U^zUQevG_co<D*4Sf7%lz
zdIHdMTlSRM#NzX5y6kyKdtjCg@##l<Vnk0MdT!bCJZ)#~iS}giQQ^slp1!mvR`dj+
zCt3DX`<=z-cBJfiM8_vTdiu~Fi|7eP&rN%t_)FHFbvIaiRCo%Yr#J0M6g^$hb3^uc
zcV_W903)l6eCD329dl{M!-$>zZ0=t~gcL+iFzrcJdVB*z&~w3-Ck8yf9Y#;Sgu{DF
zBpg04maqGAS2b`&0g3%=x<-e<4h-aVd)k$vbTtU<hOT&9E(^HaZ=kDK!r`MS35QR0
zvFDo&H1@OU8yiv>eg3phvqv#5@(=8ezJs=W$>6)x6n$k9EKQ;lEN%OL%jpJjB%DRi
z*_?K2MQ0Cm9<b+}0wYz(w=xNb?_^3i{BVFhFRK?SoG?3v@@_^uT|{S3bjI0pc36}i
z&rTN-EWvf{d6~019nWIuY)U(IqB9ho7JJUe9n$0Zxj@2^%%c-5w!O@$qn*Xk*@Slb
ziOyc=+;7i02wGGu_aoUKCLGD#CgHGcFLOrF&JyTsOgoLDvo|{T*>iSJkEf+?uLO%J
zF~N?PIfv8ElIUziJ3~ZgA9Uj7<%)eei+5*M-;>U#$Fo#a!jZCnC)n{a=Lp(a3Y`sU
zXPD^hi_Sgv;`#W`^m-ItGr=-)S;7(9UgjK0J4>Up0qu+wo&C`Hf6BY>@TiLKf8a|e
zl(5o8!KH_iu-SA3Ngz}MED$=;bO@v@5K2%XA__>0iV7kcks?TmNC#y>$kH;22*?Le
zBO(ZbMgj2yir;hJn@!BzyPo@b$j^U%&*S<$A|$VznLBgl%-mtGJLhXRUGek}7P%p-
zgk9UKIA`!q6P!JGXO`@o0OuZe&a+W2XZTc+JFuU~)%GgRgS?Yg_cVTX=bhQIGa1g^
z?wrY#AvmA+$ZaBbR5OvQ?Nywg@y-@-hVjlE*_i_8E_cq?Q(Vrc=ZW0-Uq!CAS8*QV
zoh{)E<(+ofnF{Alcg}CD#ZLQ@2w`8kL*#0Ebvj$Y*^PG=$j&r4aV@3RxU`sNI%m75
z<%--XX5q%GI1lsjYz^lVyt7bt+Th&oE}q>7xSTWI61ka`MXt72ajqW0=1Xnh?8-Zf
zWamUUakZpYJb$5#(HYMdQ$=o8caf{@Rh(;hXInVC@J_=gQvNv!PFz2!<-GKy%lZ07
zk-MUy$kp~L&b7SL3(m)Rr%`rJh7(s*YB`hW_amP64NnRCc8kc>_A1UDyt5sgoq4B8
zcBaFLD<rj?zh=AQxx-83?tN9b@hZ-pyt6%=A-vNpJEy>j>rb?ti>RLLjOU)Wh236N
z<Z62r=WgEF0nT9F87e!c!ilRWwVW--yPU_)341}fuxoo2=N{hK5zZjqX_cMR;KX&6
zT29B)F6a5i!d^IA*tNZib06>YhBJ_NM$69WaN<f!E$7<rT>UdQQRE&k5O!^^;yl4S
zec%k>oi^E-0p~_{<9w>a<vc^V=LJuZtL@e4>;$Jj@642)GvLJads^`fo8@wTJ6+^n
zz9@3Fy^1rBkEa<<Ki-)oJD-6QSM+H)>j$}<zfcZx$0TyKy^2%tPG2}Jyfa&NJ`3l1
zckRB?m4`Sg+!BszPl;S@uTG~0PG8=cBRiji^8<HI^U30PI%*vej=C1%#;Z8<`FQ%l
zY37}F**O!=b?%&-zjZlV*o33)IpM~uIDg@t{&05UodvRU7MyF{IfI<_!xqBf9WES}
z&BCGWRh+-_&Hy-lcxR#P%!Cuy>1jPj$Deh@Gq|yEbe-+at2l4+&OkW5d1sOAd>&3*
zsio!2OD}dFsCiNxc&LkTXnS=!Y4o7=W=Gy>_*BY2XT$lvyLNy616Mrz3=@w2cHzdW
zIB)Us42H7<?=;HJ7vNmw&bhhB70-ri#eqkS!lCU|oL5J(>y8jO+w)G7?3@GVd+wb5
zOZw-ylfseOMI6xfD$XByXJ<Iu@lLbsd=buUcg{(!x{V`)VmWh$aA<pVIv<DAi+6^~
z&X?eP*PZj;8CU;&;gWF7A0XU#73Xz6o?YN<%R8;Ib1t0kxN{mx=A)%FhAv+y9NJ#R
zd4qR$g|iLsjFz4A;KbEUTI16E?XGyPjuwvf$Am-MtJC=eoUM7MO?J+Q6W2RwIqNQW
zIk&wd9DAw@hqhO7HXX%2@7>^R#XB=)=gV;73Meh-ijwDj|0Ll!bU`?@y^6CL?+k^r
zCGX6VoeSW^HBnm536wEny?LPH0CB)~mvCr%6{m@JhQZl_cV^4Zg>d33DJ|#yA6)Hz
zZjNw#^OJDn)#>aGXLH_}BRdztiR-4coO4gOoJAdl<MtcEq3u<i&G~rtfYZb~?Xq(*
zoVb!o%Q-vt@9iE$W0T}9?gxsq1@8=p^D*98AUl`9iEFF0oVQmNJC9U3C63g5!rAU>
zuTE!AIGgd#LfM%GC$6@7P-ja%p1t5~$~%i>=PPjHN|gt7w&I<=;e3>L8um;1=c{ny
z+LeF7*$2)?c&AZzz6K|*W_eKO6h5AG>VWe3CcM)mJD0+Vt5Y7-IgNMrgY#kDX_lR@
z!-?xv9@H5X&Cc&sMW=W+=AEIk^9?w0^~i%dpXQwra5mzdR@wO`oVa7*L7lO@vp<{-
zd1tijTm~oZVR%qyJny94C~EfxywfH-m&1v>8XnY{$U6tZS)X@i%Fego#C;AA>Kw~E
zt#H=komsMT1)R9^;X$2AymJtob$MsD?0g$e+zaub&hfl+Fq{wZ&K%jf5>DJ5@u1FR
z-Z=zLBk#1!&UfI%{SpuAOy!-CaMt0S1+w#9IB^HXgF099&Y^I6^3FopnGNTQ?&=Kx
zOP;)rcMgNIHt#Hwo$tXpr#ze=@Xq0I*5aK8yOe*fg7by)aBkq8BjBvbJB_mQeK=>A
zhx0?;ITFqqywfB*SHt;yc{n%m&QWlB@J_SrTmxrjc{q3Q&e3pI=bfRlb1j^+%EP&f
zcaDLx8t=5q&UJ9kEDz^y-WdgFRo)pbJ3oN)x$<!C<(*H#S%r7nWaoM~pDhpPKHm8>
zoRxWJrtI7R=QHKud_0C-$3??giFann&JW?7Q6A3zyfX&Qio7#hc5Z|-qdc4gcqdi=
zXnj<Hcjm~>O>j;x59dJM83(6<ciLs=W;mynhttYC;}z$_fAP)&*|`PIssEBQ0nYop
zvru;Cz&WKnoP+pyCc^nA?<|s?AHkVk9?rqMb1a;H@J_=4DgWFG=j8Hm4&j~S;Jn8>
zjk5D&I46~dGm>{E!FiW=nq=oTI4Ax~PCETa&%2Imbj`AJJDj%ia1Q0;IRVb!`FMuP
z&K+>3m4|Z}?@WgC4)3(e&Yf_kmWOi=?@WR7H{Ka7J9ojEQXbA1d1oq|w|S>ccJ78V
zxjdXN@y;|jZ}HAd*|`VK3ICGQ2Io!QnI${-!a2S?oK0fcJb5CVzw*v(*|`tSr1Ee+
z$~z~)`3vvNk)5BwIj%gMO?l^JIE#3vU3Pv7=h%PANv8^FKKhw=7Rb*1a3+?Avl$=H
zDRBP8I}2r}9nOUEaJJ!{Q{lY9JBwuJ0XXCTCFe9auk%jBK`H+{2xnY*I1~AJPKWbH
z-f5JbpTQYh9?r46GXu_RywfB*55XBz9?m~`=L|Tn@=mktJPc=ac{ne|vGdV0aQ?tM
zLuF?!oKKgBvqL=Vq|<sdeqQ07R@v!*^C@@Emv0uIUph2BTpZr`wQzHeNjbmNk(@M;
z<D+@sMQrqQinEE1`h0X*r`OK!6=y2;kILSAf9X%UYkjzlW;(_2_*^ztnTXYQe5`C`
z4H09GAXZWCVs&$SajfX>b+P|SOW`JFigWIA*7-b~7kOu<>^utR7<bNvU%H%R-2cb%
ze{#;}owMQmmUm{!&SP+nRy*U?D|Z?gX*V2aI~60{bMQ~j9dEJmd;!iv-kB{skHa}i
z!}$j}7eDQCx@m9M*+iw?ck<3TaDKx(b7bcUI7h0TbEYftjG)zu^WDtiyDZ#z73Ydg
zY&>6t^K0H|mz{ZVj!-!dg#D&C?T1{>;&<C+XYpB2#rZbxd<o94cxQp^6mSk#IS<y^
zT4=0uAc}Tx5l=Th*V$RcxsrFzh4TXMER>!3a1K*Dd!8ZZg0@tZ((Am+JLkc9o_7|>
z&H^}xs-3-R!Re>pd1njTKj*`Fj&~Y9lXA<?;fz!}W15lER;!DC=kL7pWjO!CJB_mQ
zB%DLk&QH9^SwClye&?D~Y&;jhd6svYWak%f4puu4zDiEd58LT?uD;AV7sB}^?=;KK
zQ*aJaI~_F6*YQ~68kclD@3(HSPHG*>+0O9JP}zAJPOHlK*~6AXqvy`ZLjCdVYN*ZK
z{k0g*)4bCvJI}y5Q0*Mmo}AO_d+B#R!8@10d5U*N%g!(19H4gY@F!=JU9?)!JAR(x
zomp^x!8>iT^DLbGRn9|`X+EkQb#Iq`=NaDl3Y;f-XQu4@51bJyC#@d}jkQ|EzgFyY
zttI~9-Hn<R+5Y(|oS*Z~EZKPu&L`E*gD;WOb6^Gi&M~}`erkH&3wUR?>^u)=KeaP&
z6gew}2kUn}%{!OEna?|OWakAq`>LHkBo`WM{?IN=zcZS5z7D70op#yz6`XxkPP#9T
zoOz!8^gCmD=NoY5@y-I-`8Axq)lSdB<UCl3R)`pvbUa6Kyz@;sPw>t{+4&8ez0}T@
zcgeZw#tr?><-BtloX2@*k?bslv!~h_vWlE<o~6@ndgJ*P?_3V&G2UsQykf(KN>n+i
zZs=(+M2z_s&TzG}8|BG0Up@JoerL_*?D+W>oJV=5QFdO0vxnL_upc>}KX_EXvlj1M
z0p}6kX_B4a!P#By97Xwj&1pOT((hc^k&Wlua5{LWS$1B6GfeG_|COA{n*#Ma-{qYv
z;mqZop|TUTxYMC(=lC(?Ok8(Tzq3;y8_##(Jj^?-vhy<H*-h=7VkYP4l^*(?zP$5Y
zI1lm8XxVuM&L`B)%*x~(^lCT#&Lg}t8_v&or%iVL0B2XVGpjo}Luc33?>xaf--GiY
z@642)SK;iUcCKhh&cJDX^gC|_vHf!uoCkPkmh8L+=i_SU-dD-lVA%gKZ&nUwo$teG
z=bhQI^G7&4tDVOS$XTV=e*N*R!aG;Pxu19D$j<9<hNztvJPVCAZU@qeM(_Mym3OXz
z^Hbhwmz_7@3|2cYUnJ+X4oCDmTZgdiz820;cxQp^{0Yt=weyaNoaY{)%t3EF_Y7g3
zAHundcbX1M`O?pD2CAHN&lfq5)=bgw{DgOIgmWkFG|SE+I0Mwqx)ySNYM`F4H=g@>
z=O#FJ@Xk=#`3s!>YG>PX<Xr!wQNPp9J2%6*op)Mg=dW=3shyV1<b0>Fw|?hA-nj+N
zZM-vDcHV^3qIPzjP0rU&&(!byjCbb1`7!Ub$<AAF`l_A%?c{vnuvNeFIPd%j&aJ#N
zQ+D2l)2w!;b|Gi%>f8FAdAxHgoFDPdEZO-RoSoFpnKQ^ac&S6bQ}E7@;mqNk*|PHv
zoIYyj`~l?bJ^#LbX94fr2Im&unIk)Yhtpf_T)vQ;K^X=5ouBj0?Qm}9op#yzUpPCe
zo$HU0vuzS(jC#lUFL>t;I5+Xm0@-;N&JJqlp6cXmG%{Vkvr=Sj?(bsR38#+nv#_i)
ze9S#KHO9|F7wpCwwX&RfNRyJYDN;RI*?+A<zIjw(Q9hbyQ>I4mf^RP$$D*>nE@S?H
zPn~ztJx|$2k6&(33sHO5m3@lKgIt+JQa+ll)ac!C=~xFDa?9jJ{$u`xOTA8~dz~_k
z9_OE-V34bZ%cXc~kcXQ6pU&{?fk#I@(^%HyHRe7%>Uulfi)1x=9PURmf?}w}8}`DW
zqgH8>4S&I)uB9L8u!jt5+7ERao*Bx<VIK@S>X2s15M_WtT_-<sztC!|esV+wr{VrM
z*6;}oI%<revY`SD>Kgdb`t!)JuX~!)@bW~~@F@&B>W5a@P!Wcb`u63k2J4mS0he#?
zd&g=u8k>gFj<eDqW~Q?ST7lBuijLY~v}~vZgSvKow7r?)u(sn@PQ#pMS%V!09d$pO
zY^V%_x-NY*pfVZWZc)!^Xg-HE9DqSbO)pb6RDnTVb3VG!M26NM(i%!>i}Nd3!$BBy
z)a$ZjLsb~m_2i=$!>z_@KTXMW8fL9!4WGfFqZXGf8>+#et`);zT$22a(~!v<4#A+K
z&Xyw^s>7hJ10S=~I9cbTB@|($El%(TnyKiy&@p$|WrGI{>bc{1^Q~kU=tHXv#bDUV
zwgr7<GU%v}708AfFsSRd$GaRNgMU4m85Kjqr>uc8Z8GSneHF@vnlPwqv&V;@A;ZJJ
z(-Wr{YCBlN5g2sTwTfgzEf~~w*W=^rlfmN$+F4c%SC6s=+L56+=%`s4C}Mxxlk$qH
z4THL->NH%rLfNunXz&GVI0l1`dX!N%c*3BrmmZ&&MRCY=jB*+p^M>Ov?BjDilWeF1
zgSr+9gK<gjD^5cb-f#j29r>nNHW*<j%{MIu>$|7V>~4MQv5r<_<;tOrorZS2ArFQ<
zd>le$!$UBrYnUf`dD7gy#G`o5ns$-x4+4hWyum6P>cXI|Pv&JWCWGJR8_qba{f^DC
z^I_P?8=}h^{G;l@&|bBM%F8*CX*9OzvA8(L&O1;;<mIL-&&ZKW>{^6Yvh<w3&wFfT
zJzb*e!_!>LlTDtlE*Gyw@;>h)^3H4(e{&rrR~F^|%13i8GBf&fxZdJjnPpw!Q4Qc~
ztmU$kYdFo=v=(V1^1gjZ<XtWj8op!Xqs{++`uj9b!uJaA%PQ-Oh-wI59W5W7NpA5`
zOZZxdyk8E9ygNP*===iCEZ&(dI~&32>CV~7uh=OnRurOIvOBNR4>y0$#`6@MOL%9F
z>}(8YZFkO1-CfSQp+Yp;Al!Hr=N8_18qUSM(=Iz7hO?GCXJ8wbvuS-HTFewe+p9Qp
zc;^{77xB&l+1Uinn(mz20$fhZJ|TkJ2%+s&oFDPdFX3FsI}2s!BXHJm=d|>6IlJE#
zqEEaK+Fr%E_%ho+&%(KYcNWRcN8$8v=gf(8Ifn!bF=CYv+Fr%^I`8}soG<fE17(SS
z%ex|?n!;J#owG4jAy7*c;|hgH?I(n`S8=|<JI}#6pLZH%XEQjfxpTfj8JE*Jd7BU!
z&4e4TPUm?z=kZRH?0gK)s_vXMs=1u=#|W`FR|svd;(U{j=LI<D@=mktG{ITLopVyE
z%lU3)Ay%gfq3u<ildrJP5mh-T-*}04hRV+7a8`Eb{C>U5xuv@h+cpZJ?NyxVyz^@~
zU*w%u+1UclO75Hk9&$PNX9{uXnh@GvoldF}P(0`G&S=@$63&Y5oChLY&iqe>IPE2b
zwpVdZ;p15d=L@{kCOccfS;3vN+ZdPgn?Hp3K2Zp5ui{+r1KU5pg>yFV%#@w2;WW5&
zZhh0`yuDh8d!9mQdllzG-gyzu=XqzA>};brPyOZ2*_tv&jGy^cE{gn`5khEt73U(}
z`5l~@yfa&NwuSS)JLhswm$RWs<UjJVaN|{+i+SfIIA`(B9NFmw=b!GJwfec7ZJrYO
z9gc{6ZLi{7!aKi*b0+V!%g%Oi{^8C!>qVEdOI48{W)u0^Ud7q+D*GJK>W{{y=Xhs<
z>}(I`J$KGu?Jj3TxX2&0S>$Vbbvm!W`7G}&l${;myz9<6+RNpPxi0d@4iov>Ud5Tp
z$MXj`pW&TFva=(c|8?j5Y>CS`slCXbwp8S6dlhFI@4O1<4Bly=3SpW2(;Lp;-8lnY
zd0qbOaUy^2Ns+JZRh-qXvHkNJoEf~+C_8=NyyMQfidM4D@pG9`<S#!f+;|n|&NiOh
z9_Wv7zRf#LWu0D8ofPNkCMC|2+TBpv^Qv6g<Ce2#wWb|wxDLY#-e8suW*8n;8~$vg
z7-E|`4K^RvKovF`Pju9SLS=(545jrTR~&A)tVR1x9>Er;;m9o3@DmKn`8Zf*g9V00
zsyN*C>!%pn7Pm$AJl60t49j>!v~2K$p`ps~+j9$P&+C(~{&2?O#aCEE5e#qg2Agc~
zhoOPWaA)H_tFh|hEq9%UdA#8l7~bFwnX(}OhWcv5S?Ui}<K|F>M|n0oyv4@hR~TOB
z4Oy}w5Qcgx!+$N*7FDWu*y1$!@P?Z(EaeT^vLOhDx@yDZIrMBguHA7OK6smr1NB~d
zHecfnIkF)bhKE#!yC&LqtK8&?c&Fj?N>8pHdmDyS-e50lh=>YN45zM_7<>)Z3oqR|
zBJy?wQa!fm$~67s`IqEOr@FE7(X4C7M*jw<j=FI{S*KT2XT++sZtNPz?#9vifl6Qg
z(b*ZR{g>HT{TGJue5?$#gH~paejKs7rjAu^I>oB?qA>lj3iq$WwJD7T)UT3wr%`rx
zf%B@`d1foUU;pQG_4GS?^3Hp3j^mvs+1VA&AJonZkCOAwG#Ur=<Pz0ry!xq&bH75_
zx6tf+FGbS`Pw^bfJI%852{^B)otKNqc|F;=*V97e|8vfxIDh4xf5Mr_J40n>H#je=
zop*f5d11^h{qelXJMY7pz&ow7GZfD6RZiMRA?JyRm-Rb)&gI%YhB^ebdmQhy$<8o1
zFR7i4Hjr~)mofUCUh`OI1vq1QXQu4z4(E4jXA64Iy3R+wujzNT=baVdjNzSGva<)A
z7uC+-HsoCKC`CZ;^WKqnR)RB{cV^4Za5%qJJNv|wb3x57^gI8col<2?az8G`REG0u
z-kBpid%{_$c8;L;tm`~;Z?%4>fqo{&Sq09gc&A-<_JZ>pwKJ98U#^pIxvqZaIo??n
z&M4klAUk`*`L)`aLGLfu8Fjv|erM}bY&@&MIfi!@%FaG;ex-IU&LwB~;hp-OZFpyO
zI7jo&BH7s&&I@YiQhG1APB;5t{Z235=>g{`-f5s(N}0T_ADrja&ef^p?3B|=zw@ug
z6%6fYgj7CSc}T@ZF*OxuBOT{gO=X-FzKU9>IIp1Qw(#)pmMawv){KUok1vaiZe?w3
zx#Ky_VCda5($pz2DLG+s`lN)Il%&+LlM^OQO^Qo!{$eLzON_rIAlTyV>mL~G?eFg&
z>>U!DnBeUj8xRl^5*rX07aZ5k>f6;fASB2)*kbVuZez7{^*3AESpB-vzx=y~h4=Og
znVQ^v#N@!l^q}BzfsyGcBL^i98fQ()7-s7=aa2mY-?XIZy{sXvEr|gmV@9PW51gK4
z%Lob_^kizx@IEsJB@LY(>z9y`LjQll(3tUkCkzdU9MHYT*w%jW^pB}eWTdr|ua9r-
z8a>idQxoFSlhRT<o1RQauz80iCrwSLT_Y?mF2R=G+0?#M``R@I$E1!;=xmD3NKcsD
zH7GE^KhR7+R8U~BIoLOZzQ|AtfOpu~gjD(i{gdJ*rA<ytO!p2?P`=cp4DW%q^rV!e
z88OOt>EvtnG1soqe~5RFVVz9_GQ#=>j~v%CqGytA!r1;9K7Ii{79U?9`aM4M8!bLT
z_)lN@69i4CZ{Qt~kUBPfTxS#gQlGTR^bIXO>B&=k;*)*ii@%>wip?j*rSOSMOQ~I>
zb`2#lT-K}tHvrc{2OrLNaC4cCV~B`)5*_@Ux`S`qNFDsKcWGIscj8^}80)MJ=P=$G
zDmx?K{Eyms=o&dam(Ze6uX7Raq%9Om42SYgtL*F#=UKJ$G+hYid4JXl{m#X_vksh*
zyfa#M4uJDZwe$N#a{iQ-qTjiMcN*aw!aHrUb0C~&)XsaJ<UBi)jv?r6_f{shf6^8-
zwfkV+nJGK1aGq8<X`_&wNBVBk?`*?6DJ>%BAl{iJI|speO6`2)WpeHcnWf)3fp^w}
z)5<%uW#?cxzfe0n93khrcK<_ykP^gBy!91lBOQmbbILd?d^Pn0#VN2UM-#94N+pAJ
zbXET$7qZVzwKn#eqWoO{-%q@lZ!O+ILFOQ{pI^ZL+liOb1Db=&W#U~CT*2T)*_!gv
z%-9;nG|<~|>}5O7g{UD)$N8f4EthHr>u-r2p8b4>M?Guf>K;{m`HmAG6ddRu6d2;|
z=NA{~?H`z6_709u2=I>cHz)WeCWZvW#m1IqY`(!EL2|}6JZMUCz_dwyd!~m?4C<MZ
zk(@SRia9+aW<Xj@(A2PTJ$enB5oe1VKWd7lySaO6--Hp7<1LdWkFZ#ShJ=rc8=Dl_
zH*xr&AyYG^Qo=Sa!#p5vdPq?38GXXaBVRLH0{jC)sN0x>f`WsCLdvz<_?PBu7UXN_
zHva$6ZG3%oCu{?g*omeg2FCvUz*tbG-%!F9iGlHR^}rZrqk-|&di(Vc;DdQ*BRC^?
zXQAvI3TJ`Z*^6$l@LcFQTEFu$?`#a`lf1J?b`FCxU+o;UnVhpLy`tYaYC;9(^nT34
zaOy}f3@6I0M8l(o!>LY$=mdq`=$V}U3!F{dRhpHB#JuDR%p2G-P2d~J$I)2U*ClEM
zeCo;rot(%vdXA}Ofv>LYQ(W`Ol}SUa^3fV+4XH7Yz@?*NXDaLRj~WS=x>8FgB{Gek
zPk#0@Ts2%S#j}7s=|oXJnx5F0N8y>k$H`pQ;}tauo}bnIZTVTN(KBS{3WGs0v|Pv<
z=!^g*fjV}pLS+MzmaCf;Lus|3OXjl3DJQH(%bjMUoCfP6*3b+F9XnB0*|1)T!_`eH
z!_aoL!)duQo{IBI90u`*$6(O0%M>jeHo&k^ZFo^A2G8M6gLgI?2NMiBc93kc;X@cc
zR2hbCyKgo69x04;8hm&|a~O2&4rR)QjWBFb8;-3d!^g)CI1Q&(v2kbtgN~h_EZMLL
zhV?4Lh}Lu>#ynzT@pEzaL)Op|hIszj%$5zCVfa98h;L7Zhb?EEarlcjP+gFoO&vQ+
zIkI82VmS4aV(8OgP|+3Sh2G}RcO1W`oQMfr?KJe-$i|^H3_5m=?6P4D3^!DUopqxW
zLs6L1@aJyU&;|w_J3<ArAqs}l(+93N?3}qqF}y%~^~(5g;}C0T3xkfiqfjzT#TZqv
zrMN#7FYW@XUwAKuPNR5DX*$Ab_?b6&!JuO&r${nHJ%u>@sBVkZ3+QyxcTa^l4Mn`6
z9Sk~lX$*N~au2Vm7$*x{^Tprdu(F8~hi|F)rnH3)Lwgu>?7$dh1IEb$*L+cGST$vX
zV(=)AgCmda4;^68vAbfD4Hzd2T=T`>40qnL8r$BSOS>FO9Ik)P8al$DW9P&y8!%25
zxaNye!|K7*7HyXK6ps&=PO%1W7<BB4gvy4^N}nun%@=<&TzHlYo~tRxR^qVyHf!*K
zK}Wu6l?+i&<GCn3aZ@rr?D3=LBCpRnry>0}*3b!t5&V1+EgPa?C_PQ%GVBUlM221m
zXh%|sLsW%|Ts~=rK}P}KCL3a4C_O1tV)(clo!UEPea&eIt;iav;y`njj^cc#Y>0)S
z^c0NCu=}yOWEgj8htu#)E!IG*1TyF-yl2UVI2cM#xRe+II+0;;KF!EVTTHLb8vJ0;
zQB=>C4e>CPo?a<2^h_Z`_fLOw8V-fB27efI6wGsELjnw?>zxwA=muoyxIW%#xEaP8
z0$|XwR<+B9L>Nj>os<|ZrqL<RH7#gOt+d7c2-Xk?gN{OXfovEHL+ObUmtoI<on#2v
zvCU~%+MhK9!JwmvT__vI!BBcyq{OiObvng)(%RK&=xJpQ!7vQu$EYINkOV{NNstnQ
zJxMvu+LIQ!N?SA-!5V0WrDt;hZ!n0m`9sur7)nohlo&1#B*S};6}Ls-`K+Nc3_9v&
zM%gd{hSC!pF2mmDUy&j4QnWJ;hnKL1$6?S>6En$%WEe_oBqfFy29cri3j>^nA<I|;
zox!8F&{6L)%Z3yfN>5(64Evf~rPH!0*CU*U@V8k5^<Fac<NHIXY)FNn^i)NOVc0Y>
z_~zVo8W!`0Ct&Ey8?3S+4F>hbH@%sn+@7+%r_+#?&Bmb{41IV*v}~}!P`asI5{HTN
zDGm+apmS=<v)S%F)({FqZ{A>&4HID~-LNh(%=IOMA#<YBU|-7`XjMr4p%-t+lnhh1
zD24*p+F!~iy{4=xp0jN0SVMOhdh&)W$q+ROaVXsoFB6CA9?y((#^K8otf2=C;k+SR
zHcW=0w8mTJBztv_->W+fZBMd>a2R^<h8)?D4nyfic1au#?pM~`-Of1;?Z0FV^aN3V
z=*}DLvSA7grJK|xhTp$a3?9Y#<dE~Mp%)BcyrDogOogFz1KMTyq!q0%s(XB$;EcnZ
zi>#qH457TCP&Q11;iPKq|H<CtilG<H^~(5g>qpkm2ZnCEp-47NhoN-8$rXoBYgbbY
zx3ipv^Xn>cYn&%x=)xOJ`DOEmotG6u>Kr8w>c4r|*fedE(~!G|HPGxvee!YMV3rI~
c7^AMPE3O3<pRl8v`3R*pXt~qrcZ1>o0MPdgi~s-t

literal 0
HcmV?d00001

diff --git a/testing/btest/core/tunnels/gre-aruba.zeek b/testing/btest/core/tunnels/gre-aruba.zeek
new file mode 100644
index 0000000000..5df8396377
--- /dev/null
+++ b/testing/btest/core/tunnels/gre-aruba.zeek
@@ -0,0 +1,4 @@
+# @TEST-EXEC: zeek -C -b -r $TRACES/tunnels/gre-aruba.pcap %INPUT
+# @TEST-EXEC: btest-diff tunnel.log
+
+@load base/frameworks/tunnels

From bce709fc2c48e96aaa489b2a173979e37e6a838a Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Thu, 9 Dec 2021 16:09:32 -0800
Subject: [PATCH 138/210] Bump cmake submodule [nomail] [skip ci]

---
 cmake | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cmake b/cmake
index 88cf658d05..12fbc1a3bc 160000
--- a/cmake
+++ b/cmake
@@ -1 +1 @@
-Subproject commit 88cf658d059772b3df6dcd4a91c1a4c4afc113d9
+Subproject commit 12fbc1a3bc206a57b079505e3df938c3a993ba58

From 9d884c02856f2f0f3227020d639d8ac7a728535f Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Fri, 10 Dec 2021 09:27:07 -0800
Subject: [PATCH 139/210] remove unnecessary includes

---
 src/script_opt/CPP/DeclFunc.cc | 4 ----
 src/script_opt/CPP/Emit.cc     | 4 ----
 src/script_opt/CPP/Exprs.cc    | 4 ----
 src/script_opt/CPP/GenFunc.cc  | 4 ----
 src/script_opt/CPP/Inits.cc    | 4 ----
 src/script_opt/CPP/Vars.cc     | 4 ----
 6 files changed, 24 deletions(-)

diff --git a/src/script_opt/CPP/DeclFunc.cc b/src/script_opt/CPP/DeclFunc.cc
index 0d9117d2d8..c96530a16f 100644
--- a/src/script_opt/CPP/DeclFunc.cc
+++ b/src/script_opt/CPP/DeclFunc.cc
@@ -1,9 +1,5 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include <errno.h>
-#include <sys/stat.h>
-#include <unistd.h>
-
 #include "zeek/script_opt/CPP/Compile.h"
 
 namespace zeek::detail
diff --git a/src/script_opt/CPP/Emit.cc b/src/script_opt/CPP/Emit.cc
index 84e122f9c0..0357815e54 100644
--- a/src/script_opt/CPP/Emit.cc
+++ b/src/script_opt/CPP/Emit.cc
@@ -1,9 +1,5 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include <errno.h>
-#include <sys/stat.h>
-#include <unistd.h>
-
 #include "zeek/script_opt/CPP/Compile.h"
 
 namespace zeek::detail
diff --git a/src/script_opt/CPP/Exprs.cc b/src/script_opt/CPP/Exprs.cc
index dd3baa995c..fcb0d1bd74 100644
--- a/src/script_opt/CPP/Exprs.cc
+++ b/src/script_opt/CPP/Exprs.cc
@@ -1,9 +1,5 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include <errno.h>
-#include <sys/stat.h>
-#include <unistd.h>
-
 #include "zeek/RE.h"
 #include "zeek/script_opt/CPP/Compile.h"
 #include "zeek/script_opt/ProfileFunc.h"
diff --git a/src/script_opt/CPP/GenFunc.cc b/src/script_opt/CPP/GenFunc.cc
index 47a9ec33bc..966e4212b2 100644
--- a/src/script_opt/CPP/GenFunc.cc
+++ b/src/script_opt/CPP/GenFunc.cc
@@ -1,9 +1,5 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include <errno.h>
-#include <sys/stat.h>
-#include <unistd.h>
-
 #include "zeek/script_opt/CPP/Compile.h"
 
 namespace zeek::detail
diff --git a/src/script_opt/CPP/Inits.cc b/src/script_opt/CPP/Inits.cc
index d462f19a82..f1d7a52338 100644
--- a/src/script_opt/CPP/Inits.cc
+++ b/src/script_opt/CPP/Inits.cc
@@ -1,9 +1,5 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include <errno.h>
-#include <sys/stat.h>
-#include <unistd.h>
-
 #include "zeek/module_util.h"
 #include "zeek/script_opt/CPP/Compile.h"
 #include "zeek/script_opt/IDOptInfo.h"
diff --git a/src/script_opt/CPP/Vars.cc b/src/script_opt/CPP/Vars.cc
index c62aae0869..232fb7e4b2 100644
--- a/src/script_opt/CPP/Vars.cc
+++ b/src/script_opt/CPP/Vars.cc
@@ -1,9 +1,5 @@
 // See the file "COPYING" in the main distribution directory for copyright.
 
-#include <errno.h>
-#include <sys/stat.h>
-#include <unistd.h>
-
 #include "zeek/script_opt/CPP/Compile.h"
 #include "zeek/script_opt/ProfileFunc.h"
 

From 474a2edc98c4c1e3b30863c4936e660b9a7d0ff9 Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Fri, 10 Dec 2021 09:27:21 -0800
Subject: [PATCH 140/210] fix for translating filenames beginning with numbers
 to C++ variable names

---
 src/script_opt/CPP/GenFunc.cc | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/script_opt/CPP/GenFunc.cc b/src/script_opt/CPP/GenFunc.cc
index 966e4212b2..673e6def4a 100644
--- a/src/script_opt/CPP/GenFunc.cc
+++ b/src/script_opt/CPP/GenFunc.cc
@@ -206,6 +206,10 @@ string CPPCompile::BodyName(const FuncInfo& func)
 		string fns = fn;
 		transform(fns.begin(), fns.end(), fns.begin(), canonicalize);
 
+		if ( ! isalpha(fns[0]) )
+			// This can happen for filenames beginning with numbers.
+			fns = "_" + fns;
+
 		fname = fns + "__" + fname;
 		}
 

From 53342fdd29e45f614af432551764745f97a7f878 Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Fri, 10 Dec 2021 09:27:58 -0800
Subject: [PATCH 141/210] skip type signatures for lambdas

---
 src/script_opt/CPP/DeclFunc.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/script_opt/CPP/DeclFunc.cc b/src/script_opt/CPP/DeclFunc.cc
index c96530a16f..cdc95b5f2f 100644
--- a/src/script_opt/CPP/DeclFunc.cc
+++ b/src/script_opt/CPP/DeclFunc.cc
@@ -69,7 +69,7 @@ void CPPCompile::CreateFunction(const FuncTypePtr& ft, const ProfileFunc* pf, co
 
 	func_index[fname] = cast;
 
-	if ( casting_index.count(cast) == 0 )
+	if ( ! l && casting_index.count(cast) == 0 )
 		{
 		casting_index[cast] = func_casting_glue.size();
 

From 6788be94c984579750cced4b92dbed22128ac555 Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Fri, 10 Dec 2021 09:28:25 -0800
Subject: [PATCH 142/210] flag globals initialized to opaque values as
 non-compilable

---
 src/script_opt/CPP/InitsInfo.cc | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/src/script_opt/CPP/InitsInfo.cc b/src/script_opt/CPP/InitsInfo.cc
index c83b78f5ed..2f2ab1ed8c 100644
--- a/src/script_opt/CPP/InitsInfo.cc
+++ b/src/script_opt/CPP/InitsInfo.cc
@@ -323,7 +323,8 @@ GlobalInitInfo::GlobalInitInfo(CPPCompile* c, const ID* g, string _CPP_name)
 	{
 	Zeek_name = g->Name();
 
-	auto gi = c->RegisterType(g->GetType());
+	auto& gt = g->GetType();
+	auto gi = c->RegisterType(gt);
 	init_cohort = max(init_cohort, gi->InitCohort() + 1);
 	type = gi->Offset();
 
@@ -338,7 +339,15 @@ GlobalInitInfo::GlobalInitInfo(CPPCompile* c, const ID* g, string _CPP_name)
 
 	exported = g->IsExport();
 
-	val = ValElem(c, g->GetVal());
+	auto v = g->GetVal();
+	if ( v && gt->Tag() == TYPE_OPAQUE )
+		{
+		reporter->Error("cannot compile to C++ global \"%s\" initialized to opaque value",
+		                g->Name());
+		v = nullptr;
+		}
+
+	val = ValElem(c, v);
 	}
 
 void GlobalInitInfo::InitializerVals(std::vector<std::string>& ivs) const

From ac74943f2687a2c4ad7f0bf1250598b85330f60f Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Fri, 10 Dec 2021 09:32:42 -0800
Subject: [PATCH 143/210] fixes for vector operations

---
 src/script_opt/CPP/Exprs.cc     | 18 +++++++++++++++---
 src/script_opt/CPP/RuntimeVec.h |  5 +++++
 2 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/src/script_opt/CPP/Exprs.cc b/src/script_opt/CPP/Exprs.cc
index fcb0d1bd74..ae7e7a6489 100644
--- a/src/script_opt/CPP/Exprs.cc
+++ b/src/script_opt/CPP/Exprs.cc
@@ -603,7 +603,7 @@ string CPPCompile::GenArithCoerceExpr(const Expr* e, GenType gt)
 		}
 
 	if ( is_vec )
-		return string("vec_coerce_") + cast_name + "__CPP(" + GenExpr(op, GEN_NATIVE) + ", " +
+		return string("vec_coerce_to_") + cast_name + "__CPP(" + GenExpr(op, GEN_NATIVE) + ", " +
 		       GenTypeName(t) + ")";
 
 	return NativeToGT(cast_name + "(" + GenExpr(op, GEN_NATIVE) + ")", t, gt);
@@ -784,7 +784,7 @@ string CPPCompile::GenBinary(const Expr* e, GenType gt, const char* op, const ch
 
 		if ( t->Tag() == TYPE_VECTOR && t->Yield()->Tag() == TYPE_STRING &&
 		     op2->GetType()->Tag() == TYPE_VECTOR )
-			return string("vec_str_op_") + vec_op + "__CPP(" + gen1 + ", " + gen2 + ")";
+			return string("str_vec_op_") + vec_op + "__CPP(" + gen1 + ", " + gen2 + ")";
 
 		return GenVectorOp(e, gen1, gen2, vec_op);
 		}
@@ -1103,9 +1103,21 @@ string CPPCompile::GenVectorOp(const Expr* e, string op, const char* vec_op)
 
 string CPPCompile::GenVectorOp(const Expr* e, string op1, string op2, const char* vec_op)
 	{
+	auto& op1_t = e->GetOp1()->GetType();
+	auto& op2_t = e->GetOp2()->GetType();
+
+	if ( op1_t->Tag() != TYPE_VECTOR || op2_t->Tag() != TYPE_VECTOR )
+		{
+		// This is a deprecated mixed-scalar-and-vector operation.
+		// We don't support these.  Arrange for linking errors.
+		reporter->Error(
+			"C++ generation does not support deprecated scalar-mixed-with-vector operations");
+		return "vec_scalar_mixed_with_vector()";
+		}
+
 	auto invoke = string(vec_op) + "__CPP(" + op1 + ", " + op2 + ")";
 
-	if ( e->GetOp1()->GetType()->Yield()->Tag() == TYPE_STRING )
+	if ( op2_t->Yield()->Tag() == TYPE_STRING )
 		return string("str_vec_op_") + invoke;
 
 	auto gen = string("vec_op_") + invoke;
diff --git a/src/script_opt/CPP/RuntimeVec.h b/src/script_opt/CPP/RuntimeVec.h
index 918bee2c49..96cc1cfc67 100644
--- a/src/script_opt/CPP/RuntimeVec.h
+++ b/src/script_opt/CPP/RuntimeVec.h
@@ -80,4 +80,9 @@ extern VectorValPtr vec_coerce_to_bro_int_t__CPP(const VectorValPtr& v, TypePtr
 extern VectorValPtr vec_coerce_to_bro_uint_t__CPP(const VectorValPtr& v, TypePtr targ);
 extern VectorValPtr vec_coerce_to_double__CPP(const VectorValPtr& v, TypePtr targ);
 
+// A dummy function used during code generation for unsupported operations
+// that mix vector and scalar arguments.  We don't define it in RuntimeVec.cc
+// so that it'll generate a linking error.
+extern VectorValPtr vec_scalar_mixed_with_vector();
+
 	} // namespace zeek::detail

From 881654796486d7ff907d8d92578d9ef273fc95ee Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <timwoj@gmail.com>
Date: Fri, 10 Dec 2021 17:48:19 +0000
Subject: [PATCH 144/210] Fix types for Analyzer::register_for_port(s) to be
 the same

---
 scripts/base/frameworks/analyzer/main.zeek | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/base/frameworks/analyzer/main.zeek b/scripts/base/frameworks/analyzer/main.zeek
index 919a71b0c8..18a8c97c52 100644
--- a/scripts/base/frameworks/analyzer/main.zeek
+++ b/scripts/base/frameworks/analyzer/main.zeek
@@ -53,7 +53,7 @@ export {
 	## ports: The set of well-known ports to associate with the analyzer.
 	##
 	## Returns: True if the ports were successfully registered.
-	global register_for_ports: function(tag: AllAnalyzers::Tag, ports: set[port]) : bool;
+	global register_for_ports: function(tag: Analyzer::Tag, ports: set[port]) : bool;
 
 	## Registers an individual well-known port for an analyzer. If a future
 	## connection on this port is seen, the analyzer will be automatically
@@ -65,7 +65,7 @@ export {
 	## p: The well-known port to associate with the analyzer.
 	##
 	## Returns: True if the port was successfully registered.
-	global register_for_port: function(tag: AllAnalyzers::Tag, p: port) : bool;
+	global register_for_port: function(tag: Analyzer::Tag, p: port) : bool;
 
 	## Returns a set of all well-known ports currently registered for a
 	## specific analyzer.

From 8c59626eb9625a47ff7996869e49f9e25e5cbb56 Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Fri, 10 Dec 2021 10:19:23 -0800
Subject: [PATCH 145/210] reintroduction of "-O add-C++" option

---
 src/CMakeLists.txt            |   1 -
 src/Options.cc                |   3 +
 src/script_opt/CPP/Compile.h  |  35 +++-----
 src/script_opt/CPP/Driver.cc  |  61 ++++++--------
 src/script_opt/CPP/HashMgr.cc | 148 ----------------------------------
 src/script_opt/CPP/HashMgr.h  | 117 ---------------------------
 src/script_opt/CPP/README.md  |   8 +-
 src/script_opt/CPP/Tracker.cc |  33 +-------
 src/script_opt/CPP/Tracker.h  |  41 ++--------
 src/script_opt/CPP/Vars.cc    |  89 ++------------------
 src/script_opt/ScriptOpt.cc   |  23 +++---
 src/script_opt/ScriptOpt.h    |   3 +
 12 files changed, 74 insertions(+), 488 deletions(-)
 delete mode 100644 src/script_opt/CPP/HashMgr.cc
 delete mode 100644 src/script_opt/CPP/HashMgr.h

diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index 4a3343e2b3..d8a82b92bb 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -390,7 +390,6 @@ set(MAIN_SRCS
     script_opt/CPP/Exprs.cc
     script_opt/CPP/Func.cc
     script_opt/CPP/GenFunc.cc
-    script_opt/CPP/HashMgr.cc
     script_opt/CPP/Inits.cc
     script_opt/CPP/InitsInfo.cc
     script_opt/CPP/RuntimeInits.cc
diff --git a/src/Options.cc b/src/Options.cc
index 0870acade1..2ad4bbe264 100644
--- a/src/Options.cc
+++ b/src/Options.cc
@@ -198,6 +198,7 @@ static void print_analysis_help()
 	fprintf(stderr, "    xform	transform scripts to \"reduced\" form\n");
 
 	fprintf(stderr, "\n--optimize options when generating C++:\n");
+	fprintf(stderr, "    add-C++	add C++ script bodies to existing generated code\n");
 	fprintf(stderr, "    gen-C++	generate C++ script bodies\n");
 	fprintf(stderr, "    gen-standalone-C++	generate \"standalone\" C++ script bodies\n");
 	fprintf(stderr, "    help	print this list\n");
@@ -230,6 +231,8 @@ static void set_analysis_option(const char* opt, Options& opts)
 		a_o.activate = a_o.dump_xform = true;
 	else if ( util::streq(opt, "dump-ZAM") )
 		a_o.activate = a_o.dump_ZAM = true;
+	else if ( util::streq(opt, "add-C++") )
+		a_o.add_CPP = true;
 	else if ( util::streq(opt, "gen-C++") )
 		a_o.gen_CPP = true;
 	else if ( util::streq(opt, "gen-standalone-C++") )
diff --git a/src/script_opt/CPP/Compile.h b/src/script_opt/CPP/Compile.h
index dbac78469b..87ebe786a8 100644
--- a/src/script_opt/CPP/Compile.h
+++ b/src/script_opt/CPP/Compile.h
@@ -4,7 +4,6 @@
 
 #include "zeek/Desc.h"
 #include "zeek/script_opt/CPP/Func.h"
-#include "zeek/script_opt/CPP/HashMgr.h"
 #include "zeek/script_opt/CPP/InitsInfo.h"
 #include "zeek/script_opt/CPP/Tracker.h"
 #include "zeek/script_opt/CPP/Util.h"
@@ -15,10 +14,9 @@
 // functionality into a number of groups (see below), these interact with
 // one another, and in particular with various member variables, enough
 // so that it's not clear there's benefit to further splitting the
-// functionality into multiple classes.  (Some splitting has already been
-// done for more self-contained functionality, resulting in the CPPTracker
-// and CPPHashManager classes, and initialization information in
-// InitsInfo.{h,cc} and RuntimeInits.{h,cc}.)
+// functionality into multiple classes.  (Some splitting has already been done
+// for more self-contained functionality, resulting in the CPPTracker class
+// and initialization information in InitsInfo.{h,cc} and RuntimeInits.{h,cc}.)
 //
 // Most aspects of translating to C++ have a straightforward nature.
 // We can turn many Zeek script statements directly into the C++ that's
@@ -129,8 +127,7 @@ class CPPCompile
 	{
 public:
 	CPPCompile(std::vector<FuncInfo>& _funcs, ProfileFuncs& pfs, const std::string& gen_name,
-	           const std::string& addl_name, CPPHashManager& _hm, bool _standalone,
-	           bool report_uncompilable);
+	           bool add, bool _standalone, bool report_uncompilable);
 	~CPPCompile();
 
 	// Constructing a CPPCompile object does all of the compilation.
@@ -317,10 +314,6 @@ private:
 	// The global profile of all of the functions.
 	ProfileFuncs& pfs;
 
-	// Hash-indexed information about previously compiled code (and used
-	// to update it from this compilation run).
-	CPPHashManager& hm;
-
 	// Script functions that we are able to compile.  We compute
 	// these ahead of time so that when compiling script function A
 	// which makes a call to script function B, we know whether
@@ -369,11 +362,6 @@ private:
 	// See Vars.cc for definitions.
 	//
 
-	// Returns true if the current compilation context has collisions
-	// with previously generated code (globals with conflicting types
-	// or initialization values, or types with differing elements).
-	bool CheckForCollisions();
-
 	// Generate declarations associated with the given global, and, if
 	// it's used as a variable (not just as a function being called),
 	// track it as such.
@@ -385,10 +373,8 @@ private:
 
 	// Register the given global name.  "suffix" distinguishs particular
 	// types of globals, such as the names of bifs, global (non-function)
-	// variables, or compiled Zeek functions.  If "track" is true then
-	// if we're compiling incrementally, and this is a new global not
-	// previously compiled, then we track its hash for future compilations.
-	bool AddGlobal(const std::string& g, const char* suffix, bool track);
+	// variables, or compiled Zeek functions.
+	bool AddGlobal(const std::string& g, const char* suffix);
 
 	// Tracks that the body we're currently compiling refers to the
 	// given event.
@@ -936,7 +922,7 @@ private:
 	const char* IntrusiveVal(const TypePtr& t);
 
 	// Maps types to indices in the global "types__CPP" array.
-	CPPTracker<Type> types = {"types", true, &compiled_items};
+	CPPTracker<Type> types = {"types", true};
 
 	// Used to prevent analysis of mutually-referring types from
 	// leading to infinite recursion.  Maps types to their global
@@ -966,7 +952,7 @@ private:
 	static const char* AttrName(AttrTag t);
 
 	// Similar for attributes, so we can reconstruct record types.
-	CPPTracker<Attributes> attributes = {"attrs", false, &compiled_items};
+	CPPTracker<Attributes> attributes = {"attrs", false};
 
 	// Maps Attributes and Attr's to their global initialization
 	// information.
@@ -1036,7 +1022,7 @@ private:
 	// Expressions for which we need to generate initialization-time
 	// code.  Currently, these are only expressions appearing in
 	// attributes.
-	CPPTracker<Expr> init_exprs = {"gen_init_expr", false, &compiled_items};
+	CPPTracker<Expr> init_exprs = {"gen_init_expr", false};
 
 	//
 	// End of methods related to run-time initialization.
@@ -1127,9 +1113,6 @@ private:
 	// File to which we're generating code.
 	FILE* write_file;
 
-	// Name of file holding potential "additional" code.
-	std::string addl_name;
-
 	// Indentation level.
 	int block_level = 0;
 
diff --git a/src/script_opt/CPP/Driver.cc b/src/script_opt/CPP/Driver.cc
index 5aec30b95a..1f6e245d47 100644
--- a/src/script_opt/CPP/Driver.cc
+++ b/src/script_opt/CPP/Driver.cc
@@ -12,13 +12,11 @@ namespace zeek::detail
 using namespace std;
 
 CPPCompile::CPPCompile(vector<FuncInfo>& _funcs, ProfileFuncs& _pfs, const string& gen_name,
-                       const string& _addl_name, CPPHashManager& _hm, bool _standalone,
-                       bool report_uncompilable)
-	: funcs(_funcs), pfs(_pfs), hm(_hm), standalone(_standalone)
+                       bool add, bool _standalone, bool report_uncompilable)
+	: funcs(_funcs), pfs(_pfs), standalone(_standalone)
 	{
-	addl_name = _addl_name;
 	auto target_name = gen_name.c_str();
-	auto mode = "w";
+	auto mode = add ? "a" : "w";
 
 	write_file = fopen(target_name, mode);
 	if ( ! write_file )
@@ -26,19 +24,33 @@ CPPCompile::CPPCompile(vector<FuncInfo>& _funcs, ProfileFuncs& _pfs, const strin
 		reporter->Error("can't open C++ target file %s", target_name);
 		exit(1);
 		}
-	else
+
+	if ( add )
 		{
-		// Create an empty "additional" file.
-		auto addl_f = fopen(addl_name.c_str(), "w");
-		if ( ! addl_f )
+		// We need a unique number to associate with the name
+		// space for the code we're adding.  A convenient way to
+		// generate this safely is to use the present size of the
+		// file we're appending to.  That guarantees that every
+		// incremental compilation will wind up with a different
+		// number.
+		struct stat st;
+		if ( fstat(fileno(write_file), &st) != 0 )
 			{
-			reporter->Error("can't open C++ additional file %s", addl_name.c_str());
+			char buf[256];
+			util::zeek_strerror_r(errno, buf, sizeof(buf));
+			reporter->Error("fstat failed on %s: %s", target_name, buf);
 			exit(1);
 			}
 
-		fclose(addl_f);
+		// We use a value of "0" to mean "we're not appending,
+		// we're generating from scratch", so make sure we're
+		// distinct from that.
+		addl_tag = st.st_size + 1;
 		}
 
+	else
+		addl_tag = 0;
+
 	Compile(report_uncompilable);
 	}
 
@@ -84,15 +96,6 @@ void CPPCompile::Compile(bool report_uncompilable)
 				        reason);
 			not_fully_compilable.insert(func.Func()->Name());
 			}
-
-		auto h = func.Profile()->HashVal();
-		if ( hm.HasHash(h) )
-			{
-			// Track the previously compiled instance
-			// of this function.
-			auto n = func.Func()->Name();
-			hashed_funcs[n] = hm.FuncBodyName(h);
-			}
 		}
 
 	// Track all of the types we'll be using.
@@ -111,7 +114,7 @@ void CPPCompile::Compile(bool report_uncompilable)
 		CreateGlobal(g);
 
 	for ( const auto& e : pfs.Events() )
-		if ( AddGlobal(e, "gl", false) )
+		if ( AddGlobal(e, "gl") )
 			Emit("EventHandlerPtr %s_ev;", globals[string(e)]);
 
 	for ( const auto& t : pfs.RepTypes() )
@@ -177,9 +180,9 @@ void CPPCompile::GenProlog()
 	if ( addl_tag == 0 )
 		{
 		Emit("#include \"zeek/script_opt/CPP/Runtime.h\"\n");
-		Emit("namespace zeek::detail { //\n");
 		}
 
+	Emit("namespace zeek::detail { //\n");
 	Emit("namespace CPP_%s { // %s\n", Fmt(addl_tag), working_dir);
 
 	// The following might-or-might-not wind up being populated/used.
@@ -273,10 +276,7 @@ void CPPCompile::RegisterCompiledBody(const string& f)
 		// Hash in the location associated with this compilation
 		// pass, to get a final hash that avoids conflicts with
 		// identical-but-in-a-different-context function bodies
-		// when compiling potentially conflicting additional code
-		// (which we want to support to enable quicker test suite
-		// runs by enabling multiple tests to be compiled into the
-		// same binary).
+		// when compiling potentially conflicting additional code.
 		h = merge_p_hashes(h, p_hash(cf_locs[f]));
 
 	auto fi = func_index.find(f);
@@ -418,11 +418,6 @@ void CPPCompile::GenEpilog()
 	GenInitHook();
 
 	Emit("} // %s\n\n", scope_prefix(addl_tag));
-
-	if ( addl_tag > 0 )
-		return;
-
-	Emit("#include \"" + addl_name + "\"\n");
 	Emit("} // zeek::detail");
 	}
 
@@ -439,10 +434,6 @@ bool CPPCompile::IsCompilable(const FuncInfo& func, const char** reason)
 	if ( func.ShouldSkip() )
 		return false;
 
-	if ( hm.HasHash(func.Profile()->HashVal()) )
-		// We've already compiled it.
-		return false;
-
 	return true;
 	}
 
diff --git a/src/script_opt/CPP/HashMgr.cc b/src/script_opt/CPP/HashMgr.cc
deleted file mode 100644
index 402b9dc012..0000000000
--- a/src/script_opt/CPP/HashMgr.cc
+++ /dev/null
@@ -1,148 +0,0 @@
-// See the file "COPYING" in the main distribution directory for copyright.
-
-#include "zeek/script_opt/CPP/HashMgr.h"
-
-#include "zeek/script_opt/CPP/Func.h"
-#include "zeek/script_opt/CPP/Util.h"
-
-namespace zeek::detail
-	{
-
-using namespace std;
-
-VarMapper compiled_items;
-
-CPPHashManager::CPPHashManager(const char* hash_name_base)
-	{
-	hash_name = string(hash_name_base) + ".dat";
-
-	hf_w = fopen(hash_name.c_str(), "w");
-	if ( ! hf_w )
-		{
-		reporter->Error("can't open auxiliary C++ hash file %s for writing", hash_name.c_str());
-		exit(1);
-		}
-	}
-
-CPPHashManager::~CPPHashManager()
-	{
-	fclose(hf_w);
-
-	if ( hf_r )
-		{
-		unlock_file(hash_name, hf_r);
-		fclose(hf_r);
-		}
-	}
-
-void CPPHashManager::LoadHashes(FILE* f)
-	{
-	string key;
-
-	// The hash file format is inefficient but simple to scan.
-	// It doesn't appear to pose a bottleneck, so until it does
-	// it makes sense for maintainability to keep it dead simple.
-
-	while ( GetLine(f, key) )
-		{
-		string line;
-
-		RequireLine(f, line);
-
-		p_hash_type hash;
-
-		if ( key == "func" )
-			{
-			auto func = line;
-
-			RequireLine(f, line);
-
-			if ( sscanf(line.c_str(), "%llu", &hash) != 1 || hash == 0 )
-				BadLine(line);
-
-			previously_compiled[hash] = func;
-			}
-
-		else if ( key == "global" )
-			{
-			auto gl = line;
-
-			RequireLine(f, line);
-
-			p_hash_type gl_t_h, gl_v_h;
-			if ( sscanf(line.c_str(), "%llu %llu", &gl_t_h, &gl_v_h) != 2 )
-				BadLine(line);
-
-			gl_type_hashes[gl] = gl_t_h;
-			gl_val_hashes[gl] = gl_v_h;
-
-			// Eat the location info.  It's there just for
-			// maintainers to be able to track down peculiarities
-			// in the hash file.
-			(void)RequireLine(f, line);
-			}
-
-		else if ( key == "global-var" )
-			{
-			auto gl = line;
-
-			RequireLine(f, line);
-
-			int scope;
-			if ( sscanf(line.c_str(), "%d", &scope) != 1 )
-				BadLine(line);
-
-			gv_scopes[gl] = scope;
-			}
-
-		else if ( key == "hash" )
-			{
-			int index;
-			int scope;
-
-			if ( sscanf(line.c_str(), "%llu %d %d", &hash, &index, &scope) != 3 || hash == 0 )
-				BadLine(line);
-
-			compiled_items[hash] = CompiledItemPair{index, scope};
-			}
-
-		else if ( key == "record" )
-			record_type_globals.insert(line);
-		else if ( key == "enum" )
-			enum_type_globals.insert(line);
-
-		else
-			BadLine(line);
-		}
-	}
-
-void CPPHashManager::RequireLine(FILE* f, string& line)
-	{
-	if ( ! GetLine(f, line) )
-		{
-		reporter->Error("missing final %s hash file entry", hash_name.c_str());
-		exit(1);
-		}
-	}
-
-bool CPPHashManager::GetLine(FILE* f, string& line)
-	{
-	char buf[8192];
-	if ( ! fgets(buf, sizeof buf, f) )
-		return false;
-
-	int n = strlen(buf);
-	if ( n > 0 && buf[n - 1] == '\n' )
-		buf[n - 1] = '\0';
-
-	line = buf;
-	return true;
-	}
-
-void CPPHashManager::BadLine(string& line)
-	{
-	reporter->Error("bad %s hash file entry: %s", hash_name.c_str(), line.c_str());
-	exit(1);
-	}
-
-	} // zeek::detail
diff --git a/src/script_opt/CPP/HashMgr.h b/src/script_opt/CPP/HashMgr.h
deleted file mode 100644
index 2ae2e65ace..0000000000
--- a/src/script_opt/CPP/HashMgr.h
+++ /dev/null
@@ -1,117 +0,0 @@
-// See the file "COPYING" in the main distribution directory for copyright.
-
-// C++ compiler support class for managing information about compiled
-// objects across compilations.  The objects are identified via hashes,
-// hence the term "hash manager".  Objects can exist in different scopes.
-// The information mapping hashes to objects and scopes is tracked
-// across multiple compilations using intermediary file(s).
-
-#pragma once
-
-#include <stdio.h>
-
-#include "zeek/script_opt/ProfileFunc.h"
-
-namespace zeek::detail
-	{
-
-class CPPHashManager
-	{
-public:
-	// Create a hash manager that uses the given name for
-	// referring to hash file(s).  It's a "base" rather than
-	// a full name in case the manager winds up managing multiple
-	// distinct files (not currently the case).
-	//
-	// If "append" is true then new hashes will be added to the
-	// end of the file (and the hash file will be locked, to prevent
-	// overlapping updates from concurrent compilation/appends).
-	// Otherwise, the file will be generated afresh.
-	CPPHashManager(const char* hash_name_base);
-	~CPPHashManager();
-
-	// True if the given hash has already been generated.
-	bool HasHash(p_hash_type h) const { return previously_compiled.count(h) > 0; }
-
-	// The internal (C++) name of a previously compiled function,
-	// as identified by its hash.
-	const std::string& FuncBodyName(p_hash_type h) { return previously_compiled[h]; }
-
-	// Whether the given global has already been generated;
-	// and, if so, the hashes of its type and initialization
-	// value (used for consistency checking).  Here the name
-	// is that used at the script level.
-	bool HasGlobal(const std::string& gl) const { return gl_type_hashes.count(gl) > 0; }
-	p_hash_type GlobalTypeHash(const std::string& gl) { return gl_type_hashes[gl]; }
-	p_hash_type GlobalValHash(const std::string& gl) { return gl_val_hashes[gl]; }
-
-	// Whether the given C++ global already exists, and, if so,
-	// in what scope.
-	bool HasGlobalVar(const std::string& gv) const { return gv_scopes.count(gv) > 0; }
-	int GlobalVarScope(const std::string& gv) { return gv_scopes[gv]; }
-
-	// True if the given global corresponds to a record type
-	// or an enum type.  Used to suppress complaints about
-	// definitional inconsistencies for extensible types.
-	bool HasRecordTypeGlobal(const std::string& rt) const
-		{
-		return record_type_globals.count(rt) > 0;
-		}
-	bool HasEnumTypeGlobal(const std::string& et) const { return enum_type_globals.count(et) > 0; }
-
-	// Access to the file we're writing hashes to, so that the
-	// compiler can add new entries to it.
-	FILE* HashFile() const { return hf_w; }
-
-protected:
-	// Parses an existing file with hash information.
-	void LoadHashes(FILE* f);
-
-	// Helper routines to load lines from  hash file.
-	// The first complains if the line isn't present;
-	// the second merely indicates whether it was.
-	void RequireLine(FILE* f, std::string& line);
-	bool GetLine(FILE* f, std::string& line);
-
-	// Generates an error message for a ill-formatted hash file line.
-	void BadLine(std::string& line);
-
-	// Tracks previously compiled bodies based on hashes, mapping them
-	// to fully qualified (in terms of scoping) C++ names.
-	std::unordered_map<p_hash_type, std::string> previously_compiled;
-
-	// Tracks globals that are record or enum types, indexed using
-	// script-level names.
-	std::unordered_set<std::string> record_type_globals;
-	std::unordered_set<std::string> enum_type_globals;
-
-	// Tracks globals seen in previously compiled bodies, mapping
-	// script-level names to hashes of their types and their values.
-	std::unordered_map<std::string, p_hash_type> gl_type_hashes;
-	std::unordered_map<std::string, p_hash_type> gl_val_hashes;
-
-	// Information about globals in terms of their internal variable
-	// names, rather than their script-level names.
-	std::unordered_map<std::string, int> gv_scopes;
-
-	// Base for file names.
-	std::string hash_name;
-
-	// Handles for reading from and writing to the hash file.
-	// We lock on the first
-	FILE* hf_r = nullptr;
-	FILE* hf_w = nullptr;
-	};
-
-// Maps hashes to indices into C++ globals (like "types_N__CPP"), and
-// namespace scopes.
-struct CompiledItemPair
-	{
-	int index;
-	int scope;
-	};
-using VarMapper = std::unordered_map<p_hash_type, CompiledItemPair>;
-
-extern VarMapper compiled_items;
-
-	} // zeek::detail
diff --git a/src/script_opt/CPP/README.md b/src/script_opt/CPP/README.md
index b9153cd9a5..ef3fdf570e 100644
--- a/src/script_opt/CPP/README.md
+++ b/src/script_opt/CPP/README.md
@@ -73,9 +73,7 @@ The following workflow assumes you are in the `build/` subdirectory:
 
 1. `./src/zeek -O gen-C++ target.zeek`  
 The generated code is written to
-`CPP-gen.cc`.  The compiler will also produce
-a file `CPP-hashes.dat`, for use by an advanced feature, and an
-empty `CPP-gen-addl.h` file (same).
+`CPP-gen.cc`.
 2. `ninja` or `make` to recompile Zeek
 3. `./src/zeek -O use-C++ target.zeek`  
 Executes with each function/hook/event
@@ -110,6 +108,10 @@ On the other hand, it's possible (not yet established) that code created
 using `gen-C++` can be made to compile significantly faster than
 standalone code.
 
+Another option, `-O add-C++`, instead _appends_ the generated code to existing C++ in `CPP-gen.cc`.
+You can use this option repeatedly for different scripts and then
+compile the collection _en masse_.
+
 There are additional workflows relating to running the test suite, which
 we document only briefly here as they're likely going to change or go away
 , as it's not clear they're actually needed.
diff --git a/src/script_opt/CPP/Tracker.cc b/src/script_opt/CPP/Tracker.cc
index d4491274bd..de4a2bfdf4 100644
--- a/src/script_opt/CPP/Tracker.cc
+++ b/src/script_opt/CPP/Tracker.cc
@@ -21,19 +21,8 @@ template <class T> void CPPTracker<T>::AddKey(IntrusivePtr<T> key, p_hash_type h
 
 	if ( map2.count(h) == 0 )
 		{
-		int index;
-		if ( mapper && mapper->count(h) > 0 )
-			{
-			const auto& pair = (*mapper)[h];
-			index = pair.index;
-			scope2[h] = Fmt(pair.scope);
-			inherited.insert(h);
-			}
-		else
-			{
-			index = num_non_inherited++;
-			keys.push_back(key);
-			}
+		auto index = keys.size();
+		keys.push_back(key);
 
 		map2[h] = index;
 		reps[h] = key.get();
@@ -57,11 +46,6 @@ template <class T> string CPPTracker<T>::KeyName(const T* key)
 		return gi->second->Name();
 
 	auto index = map2[hash];
-
-	string scope;
-	if ( IsInherited(hash) )
-		scope = scope_prefix(scope2[hash]);
-
 	string ind = Fmt(index);
 	string full_name;
 
@@ -70,18 +54,7 @@ template <class T> string CPPTracker<T>::KeyName(const T* key)
 	else
 		full_name = base_name + "_" + ind + "__CPP";
 
-	return scope + full_name;
-	}
-
-template <class T> void CPPTracker<T>::LogIfNew(IntrusivePtr<T> key, int scope, FILE* log_file)
-	{
-	if ( IsInherited(key) )
-		return;
-
-	auto hash = map[key.get()];
-	auto index = map2[hash];
-
-	fprintf(log_file, "hash\n%llu %d %d\n", hash, index, scope);
+	return full_name;
 	}
 
 template <class T> p_hash_type CPPTracker<T>::Hash(IntrusivePtr<T> key) const
diff --git a/src/script_opt/CPP/Tracker.h b/src/script_opt/CPP/Tracker.h
index 6005247058..d234ba5a73 100644
--- a/src/script_opt/CPP/Tracker.h
+++ b/src/script_opt/CPP/Tracker.h
@@ -4,17 +4,15 @@
 // where the key can have any IntrusivePtr type.  The properties of a
 // tracker are that it (1) supports a notion that two technically distinct
 // keys in fact reflect the same underlying object, (2) provides an
-// instance of such keys to consistently serve as their "representative",
+// instance of such keys to consistently serve as their "representative", and
 // (3) provides names (suitable for use as C++ variables) for representative
-// keys, and (4) has a notion of "inheritance" (the underlying object is
-// already available from a previously generated namespace).
+// keys.
 //
 // Notions of "same" are taken from hash values ala those provided by
 // ProfileFunc.
 
 #pragma once
 
-#include "zeek/script_opt/CPP/HashMgr.h"
 #include "zeek/script_opt/CPP/InitsInfo.h"
 
 namespace zeek::detail
@@ -28,10 +26,8 @@ public:
 	// The base name is used to construct key names.  "single_global",
 	// if true, specifies that the names should be constructed as
 	// indexes into a single global, rather than as distinct globals.
-	// The mapper, if present, maps hash values to information about
-	// the previously generated scope in which the value appears.
-	CPPTracker(const char* _base_name, bool _single_global, VarMapper* _mapper = nullptr)
-		: base_name(_base_name), single_global(_single_global), mapper(_mapper)
+	CPPTracker(const char* _base_name, bool _single_global)
+		: base_name(_base_name), single_global(_single_global)
 		{
 		}
 
@@ -50,8 +46,7 @@ public:
 	std::string KeyName(IntrusivePtr<T> key) { return KeyName(key.get()); }
 
 	// Returns all of the distinct keys entered into the tracker.
-	// A key is "distinct" if it's both (1) a representative and
-	// (2) not inherited.
+	// A key is "distinct" if it's a representative.
 	const std::vector<IntrusivePtr<T>>& DistinctKeys() const { return keys; }
 
 	// For a given key, get its representative.
@@ -62,23 +57,6 @@ public:
 		}
 	const T* GetRep(IntrusivePtr<T> key) { return GetRep(key.get()); }
 
-	// True if the given key is represented by an inherited value.
-	bool IsInherited(const T* key)
-		{
-		ASSERT(HasKey(key));
-		return IsInherited(map[key]);
-		}
-	bool IsInherited(const IntrusivePtr<T>& key)
-		{
-		ASSERT(HasKey(key));
-		return IsInherited(map[key.get()]);
-		}
-	bool IsInherited(p_hash_type h) { return inherited.count(h) > 0; }
-
-	// If the given key is not inherited, logs it and its associated
-	// scope to the given file.
-	void LogIfNew(IntrusivePtr<T> key, int scope, FILE* log_file);
-
 private:
 	// Compute a hash for the given key.
 	p_hash_type Hash(IntrusivePtr<T> key) const;
@@ -88,12 +66,8 @@ private:
 
 	std::unordered_map<const T*, std::shared_ptr<CPP_InitInfo>> gi_s;
 
-	// Maps internal representations to distinct values.  These
-	// may-or-may-not be indices into an "inherited" namespace scope.
+	// Maps internal representations to distinct values.
 	std::unordered_map<p_hash_type, int> map2;
-	std::unordered_map<p_hash_type, std::string> scope2; // only if inherited
-	std::unordered_set<p_hash_type> inherited; // which are inherited
-	int num_non_inherited = 0; // distinct non-inherited map2 entries
 
 	// Tracks the set of distinct keys, to facilitate iterating over them.
 	// Each such key also has an entry in map2.
@@ -108,9 +82,6 @@ private:
 	// Whether to base the names out of a single global, or distinct
 	// globals.
 	bool single_global;
-
-	// If non-nil, the mapper to consult for previous names.
-	VarMapper* mapper;
 	};
 
 	} // zeek::detail
diff --git a/src/script_opt/CPP/Vars.cc b/src/script_opt/CPP/Vars.cc
index c62aae0869..53d2999405 100644
--- a/src/script_opt/CPP/Vars.cc
+++ b/src/script_opt/CPP/Vars.cc
@@ -12,69 +12,6 @@ namespace zeek::detail
 
 using namespace std;
 
-bool CPPCompile::CheckForCollisions()
-	{
-	for ( auto& g : pfs.AllGlobals() )
-		{
-		auto gn = string(g->Name());
-
-		if ( hm.HasGlobal(gn) )
-			{
-			// Make sure the previous compilation used the
-			// same type and initialization value for the global.
-			auto ht_orig = hm.GlobalTypeHash(gn);
-			auto hv_orig = hm.GlobalValHash(gn);
-
-			auto ht = pfs.HashType(g->GetType());
-			p_hash_type hv = 0;
-			if ( g->GetVal() )
-				hv = p_hash(g->GetVal());
-
-			if ( ht != ht_orig || hv != hv_orig )
-				{
-				fprintf(stderr, "%s: hash clash for global %s (%llu/%llu vs. %llu/%llu)\n",
-				        working_dir.c_str(), gn.c_str(), ht, hv, ht_orig, hv_orig);
-				fprintf(stderr, "val: %s\n",
-				        g->GetVal() ? obj_desc(g->GetVal().get()).c_str() : "<none>");
-				return true;
-				}
-			}
-		}
-
-	for ( auto& t : pfs.RepTypes() )
-		{
-		auto tag = t->Tag();
-
-		if ( tag != TYPE_ENUM && tag != TYPE_RECORD )
-			// Other types, if inconsistent, will just not reuse
-			// the previously compiled version of the type.
-			continue;
-
-		// We identify enum's and record's by name.  Make sure that
-		// the name either (1) wasn't previously used, or (2) if it
-		// was, it was likewise for an enum or a record.
-		const auto& tn = t->GetName();
-		if ( tn.empty() || ! hm.HasGlobal(tn) )
-			// No concern of collision since the type name
-			// wasn't previously compiled.
-			continue;
-
-		if ( tag == TYPE_ENUM && hm.HasEnumTypeGlobal(tn) )
-			// No inconsistency.
-			continue;
-
-		if ( tag == TYPE_RECORD && hm.HasRecordTypeGlobal(tn) )
-			// No inconsistency.
-			continue;
-
-		fprintf(stderr, "%s: type \"%s\" collides with compiled global\n", working_dir.c_str(),
-		        tn.c_str());
-		return true;
-		}
-
-	return false;
-	}
-
 void CPPCompile::CreateGlobal(const ID* g)
 	{
 	auto gn = string(g->Name());
@@ -86,7 +23,7 @@ void CPPCompile::CreateGlobal(const ID* g)
 		// then we'll call it directly.
 		if ( compilable_funcs.count(gn) > 0 )
 			{
-			AddGlobal(gn, "zf", true);
+			AddGlobal(gn, "zf");
 			return;
 			}
 
@@ -97,7 +34,7 @@ void CPPCompile::CreateGlobal(const ID* g)
 			}
 		}
 
-	if ( AddGlobal(gn, "gl", true) )
+	if ( AddGlobal(gn, "gl") )
 		{ // We'll be creating this global.
 		Emit("IDPtr %s;", globals[gn]);
 
@@ -146,30 +83,20 @@ void CPPCompile::AddBiF(const ID* b, bool is_var)
 	if ( is_var )
 		n = n + "_"; // make the name distinct
 
-	if ( AddGlobal(n, "bif", true) )
+	if ( AddGlobal(n, "bif") )
 		Emit("Func* %s;", globals[n]);
 
 	ASSERT(BiFs.count(globals[n]) == 0);
 	BiFs[globals[n]] = bn;
 	}
 
-bool CPPCompile::AddGlobal(const string& g, const char* suffix, bool track)
+bool CPPCompile::AddGlobal(const string& g, const char* suffix)
 	{
-	bool new_var = false;
+	if ( globals.count(g) > 0 )
+		return false;
 
-	if ( globals.count(g) == 0 )
-		{
-		auto gn = GlobalName(g, suffix);
-
-		if ( hm.HasGlobalVar(gn) )
-			gn = scope_prefix(hm.GlobalVarScope(gn)) + gn;
-		else
-			new_var = true;
-
-		globals.emplace(g, gn);
-		}
-
-	return new_var;
+	globals.emplace(g, GlobalName(g, suffix));
+	return true;
 	}
 
 void CPPCompile::RegisterEvent(string ev_name)
diff --git a/src/script_opt/ScriptOpt.cc b/src/script_opt/ScriptOpt.cc
index 311f8d8e7b..f875e4588a 100644
--- a/src/script_opt/ScriptOpt.cc
+++ b/src/script_opt/ScriptOpt.cc
@@ -33,7 +33,7 @@ static std::vector<FuncInfo> funcs;
 static ZAMCompiler* ZAM = nullptr;
 
 static bool generating_CPP = false;
-static std::string hash_dir; // for storing hashes of previous compilations
+static std::string CPP_dir; // where to generate C++ code
 
 static ScriptFuncPtr global_stmts;
 
@@ -203,9 +203,9 @@ static void check_env_opt(const char* opt, bool& opt_flag)
 
 static void init_options()
 	{
-	auto hd = getenv("ZEEK_HASH_DIR");
-	if ( hd )
-		hash_dir = std::string(hd) + "/";
+	auto cppd = getenv("ZEEK_CPP_DIR");
+	if ( cppd )
+		CPP_dir = std::string(cppd) + "/";
 
 	// ZAM-related options.
 	check_env_opt("ZEEK_DUMP_XFORM", analysis_options.dump_xform);
@@ -221,13 +221,14 @@ static void init_options()
 	check_env_opt("ZEEK_PROFILE", analysis_options.profile_ZAM);
 
 	// Compile-to-C++-related options.
+	check_env_opt("ZEEK_ADD_CPP", analysis_options.add_CPP);
 	check_env_opt("ZEEK_GEN_CPP", analysis_options.gen_CPP);
 	check_env_opt("ZEEK_GEN_STANDALONE_CPP", analysis_options.gen_standalone_CPP);
 	check_env_opt("ZEEK_COMPILE_ALL", analysis_options.compile_all);
 	check_env_opt("ZEEK_REPORT_CPP", analysis_options.report_CPP);
 	check_env_opt("ZEEK_USE_CPP", analysis_options.use_CPP);
 
-	if ( analysis_options.gen_standalone_CPP )
+	if ( analysis_options.gen_standalone_CPP || analysis_options.add_CPP )
 		analysis_options.gen_CPP = true;
 
 	if ( analysis_options.gen_CPP )
@@ -378,15 +379,13 @@ static void use_CPP()
 
 static void generate_CPP(std::unique_ptr<ProfileFuncs>& pfs)
 	{
-	const auto hash_name = hash_dir + "CPP-hashes";
+	const auto gen_name = CPP_dir + "CPP-gen.cc";
 
-	auto hm = std::make_unique<CPPHashManager>(hash_name.c_str());
+	const bool add = analysis_options.add_CPP;
+	const bool standalone = analysis_options.gen_standalone_CPP;
+	const bool report = analysis_options.report_uncompilable;
 
-	const auto gen_name = hash_dir + "CPP-gen.cc";
-	const auto addl_name = hash_dir + "CPP-gen-addl.h";
-
-	CPPCompile cpp(funcs, *pfs, gen_name, addl_name, *hm, analysis_options.gen_standalone_CPP,
-	               analysis_options.report_uncompilable);
+	CPPCompile cpp(funcs, *pfs, gen_name, add, standalone, report);
 	}
 
 static void find_when_funcs(std::unique_ptr<ProfileFuncs>& pfs,
diff --git a/src/script_opt/ScriptOpt.h b/src/script_opt/ScriptOpt.h
index 8d15eadb23..9c9fe184e8 100644
--- a/src/script_opt/ScriptOpt.h
+++ b/src/script_opt/ScriptOpt.h
@@ -96,6 +96,9 @@ struct AnalyOpt
 	// of the corresponding script, and not activated by default).
 	bool gen_standalone_CPP = false;
 
+	// Generate C++ that's added to existing generated code.
+	bool add_CPP = false;
+
 	// If true, use C++ bodies if available.
 	bool use_CPP = false;
 

From 6f61463a48dbe846ea8f22091312aab5bf90df76 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <timwoj@gmail.com>
Date: Fri, 10 Dec 2021 17:49:38 +0000
Subject: [PATCH 146/210] Add early bail-outs to same_type()

---
 src/Type.h | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/src/Type.h b/src/Type.h
index cc6b6c9106..b9514739bd 100644
--- a/src/Type.h
+++ b/src/Type.h
@@ -828,21 +828,37 @@ extern bool same_type(const Type& t1, const Type& t2, bool is_init = false,
 inline bool same_type(const TypePtr& t1, const TypePtr& t2, bool is_init = false,
                       bool match_record_field_names = true)
 	{
+	// If the pointers are identical, the type should be the same type.
+	if ( t1.get() == t2.get() )
+		return true;
+
 	return same_type(*t1, *t2, is_init, match_record_field_names);
 	}
 inline bool same_type(const Type* t1, const Type* t2, bool is_init = false,
                       bool match_record_field_names = true)
 	{
+	// If the pointers are identical, the type should be the same type.
+	if ( t1 == t2 )
+		return true;
+
 	return same_type(*t1, *t2, is_init, match_record_field_names);
 	}
 inline bool same_type(const TypePtr& t1, const Type* t2, bool is_init = false,
                       bool match_record_field_names = true)
 	{
+	// If the pointers are identical, the type should be the same type.
+	if ( t1.get() == t2 )
+		return true;
+
 	return same_type(*t1, *t2, is_init, match_record_field_names);
 	}
 inline bool same_type(const Type* t1, const TypePtr& t2, bool is_init = false,
                       bool match_record_field_names = true)
 	{
+	// If the pointers are identical, the type should be the same type.
+	if ( t1 == t2.get() )
+		return true;
+
 	return same_type(*t1, *t2, is_init, match_record_field_names);
 	}
 

From 9069e744f9f844b9367b964a3ba43ea3ebae158e Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Fri, 10 Dec 2021 12:45:27 -0800
Subject: [PATCH 147/210] replace --optimize-only with --optimize-funcs and
 --optimize-files

---
 src/Options.cc                |  18 ++--
 src/scan.l                    |  11 ++-
 src/script_opt/CPP/Driver.cc  |  42 ++++++---
 src/script_opt/CPP/README.md  |  12 +--
 src/script_opt/Inline.cc      |  21 ++++-
 src/script_opt/ProfileFunc.cc |   2 -
 src/script_opt/ScriptOpt.cc   | 173 +++++++++++++++++-----------------
 src/script_opt/ScriptOpt.h    |  22 ++++-
 8 files changed, 176 insertions(+), 125 deletions(-)

diff --git a/src/Options.cc b/src/Options.cc
index 2ad4bbe264..8f97e5031d 100644
--- a/src/Options.cc
+++ b/src/Options.cc
@@ -122,10 +122,12 @@ void usage(const char* prog, int code)
 	fprintf(stderr, "    -I|--print-id <ID name>         | print out given ID\n");
 	fprintf(stderr, "    -N|--print-plugins              | print available plugins and exit (-NN "
 	                "for verbose)\n");
-	fprintf(stderr, "    -O|--optimize[=<option>]        | enable script optimization (use -O help "
+	fprintf(stderr, "    -O|--optimize <option>          | enable script optimization (use -O help "
 	                "for options)\n");
-	fprintf(stderr, "    -o|--optimize-only=<func>       | enable script optimization only for the "
-	                "given function\n");
+	fprintf(stderr, "    -0|--optimize-files=<pat>       | enable script optimization for all "
+	                "functions in files with names containing the given pattern\n");
+	fprintf(stderr, "    -o|--optimize-funcs=<pat>       | enable script optimization for "
+	                "functions with names fully matching the given pattern\n");
 	fprintf(stderr, "    -P|--prime-dns                  | prime DNS\n");
 	fprintf(stderr,
 	        "    -Q|--time                       | print execution time summary to stderr\n");
@@ -383,7 +385,8 @@ Options parse_cmdline(int argc, char** argv)
 		{"save-seeds", required_argument, nullptr, 'H'},
 		{"print-plugins", no_argument, nullptr, 'N'},
 		{"optimize", required_argument, nullptr, 'O'},
-		{"optimize-only", required_argument, nullptr, 'o'},
+		{"optimize-funcs", required_argument, nullptr, 'o'},
+		{"optimize-files", required_argument, nullptr, '0'},
 		{"prime-dns", no_argument, nullptr, 'P'},
 		{"time", no_argument, nullptr, 'Q'},
 		{"debug-rules", no_argument, nullptr, 'S'},
@@ -406,7 +409,7 @@ Options parse_cmdline(int argc, char** argv)
 	};
 
 	char opts[256];
-	util::safe_strncpy(opts, "B:c:e:f:G:H:I:i:j::n:O:o:p:r:s:T:t:U:w:X:CDFMNPQSWabdhmuv",
+	util::safe_strncpy(opts, "B:c:e:f:G:H:I:i:j::n:O:0:o:p:r:s:T:t:U:w:X:CDFMNPQSWabdhmuv",
 	                   sizeof(opts));
 
 	int op;
@@ -546,7 +549,10 @@ Options parse_cmdline(int argc, char** argv)
 				set_analysis_option(optarg, rval);
 				break;
 			case 'o':
-				rval.analysis_options.only_func = optarg;
+				add_func_analysis_pattern(rval.analysis_options, optarg);
+				break;
+			case '0':
+				add_file_analysis_pattern(rval.analysis_options, optarg);
 				break;
 			case 'P':
 				if ( rval.dns_mode != detail::DNS_DEFAULT )
diff --git a/src/scan.l b/src/scan.l
index 6b1c7bf138..4012d60645 100644
--- a/src/scan.l
+++ b/src/scan.l
@@ -61,8 +61,9 @@ int conditional_epoch = 0;
 // Whether the current file has included conditionals (so far).
 bool current_file_has_conditionals = false;
 
-// The files that include conditionals.  Not currently used, but will be
-// in the future once we add --optimize-files=/pat/.
+// The files that include conditionals.  Used when compiling scripts to C++
+// to flag issues for --optimize-files=/pat/ where one of the files includes
+// conditional code.
 std::unordered_set<std::string> files_with_conditionals;
 
 zeek::detail::int_list if_stack;
@@ -692,6 +693,8 @@ static int load_files(const char* orig_file)
 	// every Obj created when parsing it.
 	yylloc.filename = filename = zeek::util::copy_string(file_path.c_str());
 
+	current_file_has_conditionals = files_with_conditionals.count(filename) > 0;
+
 	entry_cond_depth.push_back(conditional_depth);
 
 	return 1;
@@ -873,7 +876,6 @@ int yywrap()
 		}
 
 	last_filename = ::filename;
-	current_file_has_conditionals = false;
 
 	if ( zeek::reporter->Errors() > 0 )
 		return 1;
@@ -884,8 +886,11 @@ int yywrap()
 		delete file_stack.remove_nth(file_stack.length() - 1);
 
 	if ( YY_CURRENT_BUFFER )
+		{
 		// There's more on the stack to scan.
+		current_file_has_conditionals = files_with_conditionals.count(::filename) > 0;
 		return 0;
+		}
 
 	// Stack is now empty.
 	while ( essential_input_files.length() > 0 || input_files.length() > 0 )
diff --git a/src/script_opt/CPP/Driver.cc b/src/script_opt/CPP/Driver.cc
index 1f6e245d47..fc3490c5c2 100644
--- a/src/script_opt/CPP/Driver.cc
+++ b/src/script_opt/CPP/Driver.cc
@@ -6,6 +6,8 @@
 
 #include "zeek/script_opt/CPP/Compile.h"
 
+extern std::unordered_set<std::string> files_with_conditionals;
+
 namespace zeek::detail
 	{
 
@@ -72,29 +74,48 @@ void CPPCompile::Compile(bool report_uncompilable)
 
 	GenProlog();
 
+	unordered_set<string> filenames_reported_as_skipped;
+
 	// Determine which functions we can call directly, and reuse
 	// previously compiled instances of those if present.
-	for ( const auto& func : funcs )
+	for ( auto& func : funcs )
 		{
+		const auto& f = func.Func();
+
+		auto& ofiles = analysis_options.only_files;
+		string fn = func.Body()->GetLocationInfo()->filename;
+
+		if ( ! func.ShouldSkip() && ! ofiles.empty() && files_with_conditionals.count(fn) > 0 )
+			{
+			if ( filenames_reported_as_skipped.count(fn) == 0 )
+				{
+				reporter->Warning(
+					"skipping compilation of files in %s due to presence of conditional code",
+					fn.c_str());
+				filenames_reported_as_skipped.insert(fn);
+				}
+
+			func.SetSkip(true);
+			}
+
 		if ( func.ShouldSkip() )
 			{
-			not_fully_compilable.insert(func.Func()->Name());
+			not_fully_compilable.insert(f->Name());
 			continue;
 			}
 
-		if ( func.Func()->Flavor() != FUNC_FLAVOR_FUNCTION )
-			// Can't be called directly.
-			continue;
-
 		const char* reason;
 		if ( IsCompilable(func, &reason) )
-			compilable_funcs.insert(BodyName(func));
+			{
+			if ( f->Flavor() == FUNC_FLAVOR_FUNCTION )
+				// Note this as a callable compiled function.
+				compilable_funcs.insert(BodyName(func));
+			}
 		else
 			{
 			if ( reason && report_uncompilable )
-				fprintf(stderr, "%s cannot be compiled to C++ due to %s\n", func.Func()->Name(),
-				        reason);
-			not_fully_compilable.insert(func.Func()->Name());
+				fprintf(stderr, "%s cannot be compiled to C++ due to %s\n", f->Name(), reason);
+			not_fully_compilable.insert(f->Name());
 			}
 		}
 
@@ -105,7 +126,6 @@ void CPPCompile::Compile(bool report_uncompilable)
 		types.AddKey(tp, pfs.HashType(t));
 		}
 
-	// ### This doesn't work for -O add-C++
 	Emit("TypePtr types__CPP[%s];", Fmt(static_cast<int>(types.DistinctKeys().size())));
 
 	NL();
diff --git a/src/script_opt/CPP/README.md b/src/script_opt/CPP/README.md
index ef3fdf570e..1ed3cc6c13 100644
--- a/src/script_opt/CPP/README.md
+++ b/src/script_opt/CPP/README.md
@@ -162,17 +162,7 @@ about associated expressions/statements, making them hard to puzzle out.
 This could be fixed, but would add execution overhead in passing around
 the necessary strings / `Location` objects.
 
-* Subtle bugs can arise when compiling code that uses `@if` conditional
-compilation.  The compiled code will not directly use the wrong instance
-of a script body (one that differs due to the `@if` conditional having a
-different resolution at compile time versus later run-time).  However, if
-compiled code itself calls a function that has conditional code, the
-compiled code will always call the version of the function present during
-compilation, rather than the run-time version.  This problem can be fixed
-at the cost of making all function calls more expensive (perhaps a measure
-that requires an explicit flag to activate); or, when possible, by modifying
-the conditional code to check the condition at run-time rather than at
-compile-time.
+* To avoid subtle bugs, the compiler will refrain from compiling script elements (functions, hooks, event handlers) that include conditional code.  In addition, when using `--optimize-files` it will not compile any functions appearing in a source file that includes conditional code (even if it's not in a function body).
 
 * Code compiled with `-O gen-standalone-C++` will not execute any global
 statements when invoked using the "stand-in" script.  The right fix for
diff --git a/src/script_opt/Inline.cc b/src/script_opt/Inline.cc
index 8d0d60f1ad..15e1c81391 100644
--- a/src/script_opt/Inline.cc
+++ b/src/script_opt/Inline.cc
@@ -107,19 +107,29 @@ void Inliner::Analyze()
 		}
 
 	for ( auto& f : funcs )
+		{
+		const auto& func_ptr = f.FuncPtr();
+		const auto& func = func_ptr.get();
+		const auto& body = f.Body();
+
 		// Candidates are non-event, non-hook, non-recursive,
 		// non-compiled functions ... that don't use lambdas or when's,
 		// since we don't currently compute the closures/frame
 		// sizes for them correctly, and more fundamentally since
 		// we don't compile them and hence inlining them will
 		// make the parent non-compilable.
-		if ( f.Func()->Flavor() == FUNC_FLAVOR_FUNCTION &&
-		     non_recursive_funcs.count(f.Func()) > 0 && f.Profile()->NumLambdas() == 0 &&
-		     f.Profile()->NumWhenStmts() == 0 && f.Body()->Tag() != STMT_CPP )
-			inline_ables.insert(f.Func());
+		if ( should_analyze(func_ptr, body) && func->Flavor() == FUNC_FLAVOR_FUNCTION &&
+		     non_recursive_funcs.count(func) > 0 && f.Profile()->NumLambdas() == 0 &&
+		     f.Profile()->NumWhenStmts() == 0 && body->Tag() != STMT_CPP )
+			inline_ables.insert(func);
+		}
 
 	for ( auto& f : funcs )
 		{
+		const auto& func_ptr = f.FuncPtr();
+		const auto& func = func_ptr.get();
+		const auto& body = f.Body();
+
 		// Processing optimization: only spend time trying to inline f
 		// if we haven't marked it as inlineable.  This trades off a
 		// bunch of compilation load (inlining every single function,
@@ -128,7 +138,8 @@ void Inliner::Analyze()
 		// circumstances in which a Zeek function can be called
 		// not ultimately stemming from an event (such as global
 		// scripting, or expiration functions).
-		if ( inline_ables.count(f.Func()) == 0 )
+
+		if ( should_analyze(func_ptr, body) && inline_ables.count(func) == 0 )
 			InlineFunction(&f);
 		}
 	}
diff --git a/src/script_opt/ProfileFunc.cc b/src/script_opt/ProfileFunc.cc
index b7ccae6f68..0716a885e3 100644
--- a/src/script_opt/ProfileFunc.cc
+++ b/src/script_opt/ProfileFunc.cc
@@ -461,8 +461,6 @@ ProfileFuncs::ProfileFuncs(std::vector<FuncInfo>& funcs, is_compilable_pred pred
 
 		if ( ! pred || (*pred)(pf.get(), nullptr) )
 			MergeInProfile(pf.get());
-		else
-			f.SetSkip(true);
 
 		f.SetProfile(std::move(pf));
 		func_profs[f.Func()] = f.ProfilePtr();
diff --git a/src/script_opt/ScriptOpt.cc b/src/script_opt/ScriptOpt.cc
index f875e4588a..cf688f32d4 100644
--- a/src/script_opt/ScriptOpt.cc
+++ b/src/script_opt/ScriptOpt.cc
@@ -39,14 +39,14 @@ static ScriptFuncPtr global_stmts;
 
 void analyze_func(ScriptFuncPtr f)
 	{
-	// Even if we're doing --optimize-only, we still track all functions
-	// here because the inliner will need the full list.
+	// Even if we're analyzing only a subset of the scripts, we still
+	// track all functions here because the inliner will need the full list.
 	funcs.emplace_back(f, f->GetScope(), f->CurrentBody(), f->CurrentPriority());
 	}
 
 const FuncInfo* analyze_global_stmts(Stmt* stmts)
 	{
-	// We ignore analysis_options.only_func - if it's in use, later
+	// We ignore analysis_options.only_{files,funcs} - if they're in use, later
 	// logic will keep this function from being compiled, but it's handy
 	// now to enter it into "funcs" so we have a FuncInfo to return.
 
@@ -65,6 +65,55 @@ const FuncInfo* analyze_global_stmts(Stmt* stmts)
 	return &funcs.back();
 	}
 
+void add_func_analysis_pattern(AnalyOpt& opts, const char* pat)
+	{
+	try
+		{
+		std::string full_pat = std::string("^(") + pat + ")$";
+		opts.only_funcs.emplace_back(std::regex(full_pat));
+		}
+	catch ( const std::regex_error& e )
+		{
+		reporter->FatalError("bad file analysis pattern: %s", pat);
+		}
+	}
+
+void add_file_analysis_pattern(AnalyOpt& opts, const char* pat)
+	{
+	try
+		{
+		std::string full_pat = std::string("^.*(") + pat + ").*$";
+		opts.only_files.emplace_back(std::regex(full_pat));
+		}
+	catch ( const std::regex_error& e )
+		{
+		reporter->FatalError("bad file analysis pattern: %s", pat);
+		}
+	}
+
+bool should_analyze(const ScriptFuncPtr& f, const StmtPtr& body)
+	{
+	auto& ofuncs = analysis_options.only_funcs;
+	auto& ofiles = analysis_options.only_files;
+
+	if ( ofiles.empty() && ofuncs.empty() )
+		return true;
+
+	auto fn = f->Name();
+
+	for ( auto& o : ofuncs )
+		if ( std::regex_match(fn, o) )
+			return true;
+
+	fn = body->GetLocationInfo()->filename;
+
+	for ( auto& o : ofiles )
+		if ( std::regex_match(fn, o) )
+			return true;
+
+	return false;
+	}
+
 static bool optimize_AST(ScriptFunc* f, std::shared_ptr<ProfileFunc>& pf,
                          std::shared_ptr<Reducer>& rc, ScopePtr scope, StmtPtr& body)
 	{
@@ -97,7 +146,7 @@ static void optimize_func(ScriptFunc* f, std::shared_ptr<ProfileFunc> pf, ScopeP
 	if ( reporter->Errors() > 0 )
 		return;
 
-	if ( analysis_options.only_func )
+	if ( analysis_options.dump_xform )
 		printf("Original: %s\n", obj_desc(body.get()).c_str());
 
 	if ( body->Tag() == STMT_CPP )
@@ -245,11 +294,11 @@ static void init_options()
 	if ( usage )
 		analysis_options.usage_issues = 1;
 
-	if ( ! analysis_options.only_func )
+	if ( analysis_options.only_funcs.empty() )
 		{
 		auto zo = getenv("ZEEK_ONLY");
 		if ( zo )
-			analysis_options.only_func = zo;
+			add_file_analysis_pattern(analysis_options, zo);
 		}
 
 	if ( analysis_options.gen_ZAM )
@@ -262,14 +311,8 @@ static void init_options()
 	if ( analysis_options.dump_ZAM )
 		analysis_options.gen_ZAM_code = true;
 
-	if ( analysis_options.only_func )
+	if ( ! analysis_options.only_funcs.empty() || ! analysis_options.only_files.empty() )
 		{
-		// Note, this comes after the statement above because for
-		// --optimize-only we don't necessarily want to go all
-		// the way to *generating* ZAM code, though we'll want to
-		// dump it *if* we generate it.
-		analysis_options.dump_xform = analysis_options.dump_ZAM = true;
-
 		if ( analysis_options.gen_ZAM_code || generating_CPP )
 			analysis_options.report_uncompilable = true;
 		}
@@ -278,8 +321,8 @@ static void init_options()
 	     ! generating_CPP )
 		reporter->FatalError("report-uncompilable requires generation of ZAM or C++");
 
-	if ( analysis_options.only_func || analysis_options.optimize_AST ||
-	     analysis_options.gen_ZAM_code || analysis_options.usage_issues > 0 )
+	if ( analysis_options.optimize_AST || analysis_options.gen_ZAM_code ||
+	     analysis_options.usage_issues > 0 )
 		analysis_options.activate = true;
 	}
 
@@ -388,54 +431,6 @@ static void generate_CPP(std::unique_ptr<ProfileFuncs>& pfs)
 	CPPCompile cpp(funcs, *pfs, gen_name, add, standalone, report);
 	}
 
-static void find_when_funcs(std::unique_ptr<ProfileFuncs>& pfs,
-                            std::unordered_set<const ScriptFunc*>& when_funcs)
-	{
-	// Figure out which functions either directly or indirectly
-	// appear in "when" clauses.
-
-	// Which functions we still need to analyze.
-	std::unordered_set<const ScriptFunc*> when_funcs_to_do;
-
-	for ( auto& f : funcs )
-		if ( f.Profile()->WhenCalls().size() > 0 )
-			{
-			when_funcs.insert(f.Func());
-
-			for ( auto& bf : f.Profile()->WhenCalls() )
-				{
-				ASSERT(pfs->FuncProf(bf));
-				when_funcs_to_do.insert(bf);
-				}
-			}
-
-	// Set of new functions to put on to-do list.  Separate from
-	// the to-do list itself so we don't modify it while iterating
-	// over it.
-	std::unordered_set<const ScriptFunc*> new_to_do;
-
-	while ( when_funcs_to_do.size() > 0 )
-		{
-		for ( auto& wf : when_funcs_to_do )
-			{
-			when_funcs.insert(wf);
-
-			for ( auto& wff : pfs->FuncProf(wf)->ScriptCalls() )
-				{
-				if ( when_funcs.count(wff) > 0 )
-					// We've already processed this
-					// function.
-					continue;
-
-				new_to_do.insert(wff);
-				}
-			}
-
-		when_funcs_to_do = new_to_do;
-		new_to_do.clear();
-		}
-	}
-
 static void analyze_scripts_for_ZAM(std::unique_ptr<ProfileFuncs>& pfs)
 	{
 	if ( analysis_options.usage_issues > 0 && analysis_options.optimize_AST )
@@ -455,12 +450,6 @@ static void analyze_scripts_for_ZAM(std::unique_ptr<ProfileFuncs>& pfs)
 
 	pfs = std::make_unique<ProfileFuncs>(funcs, nullptr, true);
 
-	// set of functions involved (directly or indirectly) in "when"
-	// clauses.
-	std::unordered_set<const ScriptFunc*> when_funcs;
-
-	find_when_funcs(pfs, when_funcs);
-
 	bool report_recursive = analysis_options.report_recursive;
 	std::unique_ptr<Inliner> inl;
 	if ( analysis_options.inliner )
@@ -501,13 +490,15 @@ static void analyze_scripts_for_ZAM(std::unique_ptr<ProfileFuncs>& pfs)
 			}
 		}
 
+	bool did_one = false;
+
 	for ( auto& f : funcs )
 		{
 		auto func = f.Func();
 
-		if ( analysis_options.only_func )
+		if ( ! analysis_options.only_funcs.empty() || ! analysis_options.only_files.empty() )
 			{
-			if ( *analysis_options.only_func != func->Name() )
+			if ( ! should_analyze(f.FuncPtr(), f.Body()) )
 				continue;
 			}
 
@@ -519,7 +510,11 @@ static void analyze_scripts_for_ZAM(std::unique_ptr<ProfileFuncs>& pfs)
 		auto new_body = f.Body();
 		optimize_func(func, f.ProfilePtr(), f.Scope(), new_body);
 		f.SetBody(new_body);
+		did_one = true;
 		}
+
+	if ( ! did_one )
+		reporter->FatalError("no matching functions/files for -O ZAM");
 	}
 
 void analyze_scripts()
@@ -532,24 +527,31 @@ void analyze_scripts()
 		did_init = true;
 		}
 
+	auto& ofuncs = analysis_options.only_funcs;
+	auto& ofiles = analysis_options.only_files;
+
 	if ( ! analysis_options.activate && ! analysis_options.inliner && ! generating_CPP &&
 	     ! analysis_options.report_CPP && ! analysis_options.use_CPP )
-		// No work to do, avoid profiling overhead.
-		return;
+		{ // No work to do, avoid profiling overhead.
+		if ( ! ofuncs.empty() )
+			reporter->FatalError("--optimize-funcs used but no optimization specified");
+		if ( ! ofiles.empty() )
+			reporter->FatalError("--optimize-files used but no optimization specified");
 
-	if ( analysis_options.gen_CPP )
-		{
-		if ( analysis_options.only_func )
-			{ // deactivate all functions except the target one
-			for ( auto& func : funcs )
-				{
-				auto fn = func.Func()->Name();
-				if ( *analysis_options.only_func != fn )
-					func.SetSkip(true);
-				}
-			}
+		return;
 		}
 
+	bool have_one_to_do = false;
+
+	for ( auto& func : funcs )
+		if ( should_analyze(func.FuncPtr(), func.Body()) )
+			have_one_to_do = true;
+		else
+			func.SetSkip(true);
+
+	if ( ! have_one_to_do )
+		reporter->FatalError("no matching functions/files for C++ compilation");
+
 	// Now that everything's parsed and BiF's have been initialized,
 	// profile the functions.
 	auto pfs = std::make_unique<ProfileFuncs>(funcs, is_CPP_compilable, false);
@@ -568,6 +570,9 @@ void analyze_scripts()
 
 	if ( generating_CPP )
 		{
+		if ( analysis_options.gen_ZAM )
+			reporter->FatalError("-O ZAM and -O gen-C++ conflict");
+
 		generate_CPP(pfs);
 		exit(0);
 		}
diff --git a/src/script_opt/ScriptOpt.h b/src/script_opt/ScriptOpt.h
index 9c9fe184e8..dba9a41187 100644
--- a/src/script_opt/ScriptOpt.h
+++ b/src/script_opt/ScriptOpt.h
@@ -5,6 +5,7 @@
 #pragma once
 
 #include <optional>
+#include <regex>
 #include <string>
 
 #include "zeek/Expr.h"
@@ -24,9 +25,14 @@ namespace zeek::detail
 struct AnalyOpt
 	{
 
-	// If non-nil, then only analyze the given function/event/hook.
+	// If non-nil, then only analyze function/event/hook(s) whose names
+	// match one of the given regular expressions.
+	//
 	// Applies to both ZAM and C++.
-	std::optional<std::string> only_func;
+	std::vector<std::regex> only_funcs;
+
+	// Same, but for the filenames where the function is found.
+	std::vector<std::regex> only_files;
 
 	// For a given compilation target, report functions that can't
 	// be compiled.
@@ -68,7 +74,7 @@ struct AnalyOpt
 
 	// If true, dump out transformed code: the results of reducing
 	// interpreted scripts, and, if optimize is set, of then optimizing
-	// them.  Always done if only_func is set.
+	// them.
 	bool dump_xform = false;
 
 	// If true, dump out the use-defs for each analyzed function.
@@ -166,6 +172,16 @@ extern void analyze_func(ScriptFuncPtr f);
 // be Invoked, or its body executed directly, to execute the statements.
 extern const FuncInfo* analyze_global_stmts(Stmt* stmts);
 
+// Add a pattern to the "only_funcs" list.
+extern void add_func_analysis_pattern(AnalyOpt& opts, const char* pat);
+
+// Add a pattern to the "only_files" list.
+extern void add_file_analysis_pattern(AnalyOpt& opts, const char* pat);
+
+// True if the given script function & body should be analyzed; otherwise
+// it should be skipped.
+extern bool should_analyze(const ScriptFuncPtr& f, const StmtPtr& body);
+
 // Analyze all of the parsed scripts collectively for optimization.
 extern void analyze_scripts();
 

From 267f5461d8ef36ba45a4069574adcb2fe6062878 Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Fri, 10 Dec 2021 12:46:07 -0800
Subject: [PATCH 148/210] update btest to no longer use (unsupported) %S
 formatting, no longer needed

---
 testing/btest/opt/pure-inlining.zeek | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/testing/btest/opt/pure-inlining.zeek b/testing/btest/opt/pure-inlining.zeek
index 745864227c..993457bd7c 100644
--- a/testing/btest/opt/pure-inlining.zeek
+++ b/testing/btest/opt/pure-inlining.zeek
@@ -4,8 +4,7 @@
 # Tests pure inlining of scripts (no other optimization/compilation used).
 # The non-recursive functions should be (recursively!) inlined into the
 # body of my_handler, while neither the directly-recursive nor the
-# mutually recursive ones should be.  We print out each function body
-# in its transformed form (format %S) to test this.
+# mutually recursive ones should be.
 
 function non_recursiveA(x: double, y: double): double
 	{
@@ -56,12 +55,12 @@ event my_handler()
 
 event zeek_init()
 	{
-	print fmt("%S", non_recursiveA);
-	print fmt("%S", non_recursiveB);
-	print fmt("%S", recursive);
-	print fmt("%S", mutually_recursiveA);
-	print fmt("%S", mutually_recursiveB);
-	print fmt("%S", my_handler);
+	print fmt("%s", non_recursiveA);
+	print fmt("%s", non_recursiveB);
+	print fmt("%s", recursive);
+	print fmt("%s", mutually_recursiveA);
+	print fmt("%s", mutually_recursiveB);
+	print fmt("%s", my_handler);
 
 	event my_handler();
 	}

From 29b0d32fef9cfa5f622cc37e00668876b1b5004a Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <timwoj@gmail.com>
Date: Fri, 10 Dec 2021 20:44:42 +0000
Subject: [PATCH 149/210] Check for sets before attempting to check for same
 Yield types

---
 src/Type.cc | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/Type.cc b/src/Type.cc
index 4fc56f3fb5..308b8b64e5 100644
--- a/src/Type.cc
+++ b/src/Type.cc
@@ -1903,6 +1903,11 @@ bool same_type(const Type& arg_t1, const Type& arg_t2, bool is_init, bool match_
 			if ( (tl1 || tl2) && ! (tl1 && tl2) )
 				return false;
 
+			// If one is a set and one isn't, they shouldn't
+			// be considered the same type.
+			if ( (t1->IsSet() && ! t2->IsSet()) || (t2->IsSet() && ! t1->IsSet()) )
+				return false;
+
 			const auto& y1 = t1->Yield();
 			const auto& y2 = t2->Yield();
 
@@ -2015,6 +2020,12 @@ bool same_type(const Type& arg_t1, const Type& arg_t2, bool is_init, bool match_
 
 			if ( ! same_type(tl1, tl2, is_init, match_record_field_names) )
 				result = false;
+			else if ( t1->IsSet() && t2->IsSet() )
+				// Sets don't have yield types because they don't have values. If
+				// both types are sets, and we already matched on the indices
+				// above consider that a success. We already checked the case
+				// where only one of the two is a set earlier.
+				result = true;
 			else
 				{
 				const auto& y1 = t1->Yield();

From a0e7feda6f965bbe909a44dadb07815aff121c8a Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Fri, 10 Dec 2021 13:02:52 -0800
Subject: [PATCH 150/210] btests for new --optimize-funcs and --optimize-files

---
 testing/btest/Baseline/opt.opt-files/output   |  4 ++++
 testing/btest/Baseline/opt.opt-files2/output  |  8 +++++++
 testing/btest/Baseline/opt.opt-files3/output  |  6 +++++
 testing/btest/Baseline/opt.opt-func/output    |  9 ++++++++
 testing/btest/Baseline/opt.opt-func2/output   |  9 ++++++++
 testing/btest/Baseline/opt.opt-func3/output   |  7 ++++++
 .../btest/Baseline/opt.opt-no-files/.stderr   |  2 ++
 .../btest/Baseline/opt.opt-no-func/.stderr    |  2 ++
 .../btest/Baseline/opt.opt-no-func2/.stderr   |  2 ++
 testing/btest/opt/opt-files.zeek              | 15 ++++++++++++
 testing/btest/opt/opt-files2.zeek             | 16 +++++++++++++
 testing/btest/opt/opt-files3.zeek             | 16 +++++++++++++
 testing/btest/opt/opt-func.zeek               | 22 ++++++++++++++++++
 testing/btest/opt/opt-func2.zeek              | 23 +++++++++++++++++++
 testing/btest/opt/opt-func3.zeek              | 23 +++++++++++++++++++
 testing/btest/opt/opt-no-files.zeek           | 10 ++++++++
 testing/btest/opt/opt-no-func.zeek            | 10 ++++++++
 testing/btest/opt/opt-no-func2.zeek           | 14 +++++++++++
 18 files changed, 198 insertions(+)
 create mode 100644 testing/btest/Baseline/opt.opt-files/output
 create mode 100644 testing/btest/Baseline/opt.opt-files2/output
 create mode 100644 testing/btest/Baseline/opt.opt-files3/output
 create mode 100644 testing/btest/Baseline/opt.opt-func/output
 create mode 100644 testing/btest/Baseline/opt.opt-func2/output
 create mode 100644 testing/btest/Baseline/opt.opt-func3/output
 create mode 100644 testing/btest/Baseline/opt.opt-no-files/.stderr
 create mode 100644 testing/btest/Baseline/opt.opt-no-func/.stderr
 create mode 100644 testing/btest/Baseline/opt.opt-no-func2/.stderr
 create mode 100644 testing/btest/opt/opt-files.zeek
 create mode 100644 testing/btest/opt/opt-files2.zeek
 create mode 100644 testing/btest/opt/opt-files3.zeek
 create mode 100644 testing/btest/opt/opt-func.zeek
 create mode 100644 testing/btest/opt/opt-func2.zeek
 create mode 100644 testing/btest/opt/opt-func3.zeek
 create mode 100644 testing/btest/opt/opt-no-files.zeek
 create mode 100644 testing/btest/opt/opt-no-func.zeek
 create mode 100644 testing/btest/opt/opt-no-func2.zeek

diff --git a/testing/btest/Baseline/opt.opt-files/output b/testing/btest/Baseline/opt.opt-files/output
new file mode 100644
index 0000000000..db1bbc981f
--- /dev/null
+++ b/testing/btest/Baseline/opt.opt-files/output
@@ -0,0 +1,4 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+I should be ZAM code!
+my_test
+ZAM-code my_test 
diff --git a/testing/btest/Baseline/opt.opt-files2/output b/testing/btest/Baseline/opt.opt-files2/output
new file mode 100644
index 0000000000..896f5f18fe
--- /dev/null
+++ b/testing/btest/Baseline/opt.opt-files2/output
@@ -0,0 +1,8 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+I shouldn't be ZAM code!
+my_test
+{ 
+print I shouldn't be ZAM code!;
+}
+set_to_regex
+ZAM-code set_to_regex 
diff --git a/testing/btest/Baseline/opt.opt-files3/output b/testing/btest/Baseline/opt.opt-files3/output
new file mode 100644
index 0000000000..4a5533b63e
--- /dev/null
+++ b/testing/btest/Baseline/opt.opt-files3/output
@@ -0,0 +1,6 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+I should be ZAM code!
+my_test
+ZAM-code my_test 
+set_to_regex
+ZAM-code set_to_regex 
diff --git a/testing/btest/Baseline/opt.opt-func/output b/testing/btest/Baseline/opt.opt-func/output
new file mode 100644
index 0000000000..50aa0f4560
--- /dev/null
+++ b/testing/btest/Baseline/opt.opt-func/output
@@ -0,0 +1,9 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+I should be ZAM code!
+I shouldn't be ZAM code!
+my_test
+ZAM-code my_test 
+another_test
+{ 
+print I shouldn't be ZAM code!;
+}
diff --git a/testing/btest/Baseline/opt.opt-func2/output b/testing/btest/Baseline/opt.opt-func2/output
new file mode 100644
index 0000000000..e60a7f1160
--- /dev/null
+++ b/testing/btest/Baseline/opt.opt-func2/output
@@ -0,0 +1,9 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+I shouldn't be ZAM code!
+I should be ZAM code!
+my_test
+{ 
+print I shouldn't be ZAM code!;
+}
+another_test
+ZAM-code another_test 
diff --git a/testing/btest/Baseline/opt.opt-func3/output b/testing/btest/Baseline/opt.opt-func3/output
new file mode 100644
index 0000000000..011a85e8c4
--- /dev/null
+++ b/testing/btest/Baseline/opt.opt-func3/output
@@ -0,0 +1,7 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+Me and my buds should be ZAM code!
+that includes me!
+my_test
+ZAM-code my_test 
+another_test
+ZAM-code another_test 
diff --git a/testing/btest/Baseline/opt.opt-no-files/.stderr b/testing/btest/Baseline/opt.opt-no-files/.stderr
new file mode 100644
index 0000000000..ba158c1e5e
--- /dev/null
+++ b/testing/btest/Baseline/opt.opt-no-files/.stderr
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+fatal error: no matching functions/files for C++ compilation
diff --git a/testing/btest/Baseline/opt.opt-no-func/.stderr b/testing/btest/Baseline/opt.opt-no-func/.stderr
new file mode 100644
index 0000000000..ba158c1e5e
--- /dev/null
+++ b/testing/btest/Baseline/opt.opt-no-func/.stderr
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+fatal error: no matching functions/files for C++ compilation
diff --git a/testing/btest/Baseline/opt.opt-no-func2/.stderr b/testing/btest/Baseline/opt.opt-no-func2/.stderr
new file mode 100644
index 0000000000..ba158c1e5e
--- /dev/null
+++ b/testing/btest/Baseline/opt.opt-no-func2/.stderr
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+fatal error: no matching functions/files for C++ compilation
diff --git a/testing/btest/opt/opt-files.zeek b/testing/btest/opt/opt-files.zeek
new file mode 100644
index 0000000000..c311f6359f
--- /dev/null
+++ b/testing/btest/opt/opt-files.zeek
@@ -0,0 +1,15 @@
+# @TEST-EXEC: zeek -b -O ZAM --optimize-files='opt-files' %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+# Tests that we can selectively pick this file.
+
+function my_test()
+	{
+	print "I should be ZAM code!";
+	}
+
+event zeek_init()
+	{
+	my_test();
+	print my_test;
+	}
diff --git a/testing/btest/opt/opt-files2.zeek b/testing/btest/opt/opt-files2.zeek
new file mode 100644
index 0000000000..576680cae9
--- /dev/null
+++ b/testing/btest/opt/opt-files2.zeek
@@ -0,0 +1,16 @@
+# @TEST-EXEC: zeek -b -O ZAM --optimize-files='base/utils' %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+# Tests that we can selectively pick a group of files but not this one.
+
+function my_test()
+	{
+	print "I shouldn't be ZAM code!";
+	}
+
+event zeek_init()
+	{
+	my_test();
+	print my_test;
+	print set_to_regex;
+	}
diff --git a/testing/btest/opt/opt-files3.zeek b/testing/btest/opt/opt-files3.zeek
new file mode 100644
index 0000000000..588c633c8d
--- /dev/null
+++ b/testing/btest/opt/opt-files3.zeek
@@ -0,0 +1,16 @@
+# @TEST-EXEC: zeek -b -O ZAM --optimize-files='base/utils' --optimize-files='opt-files3' %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+# Tests that we can selectively pick a group of files *and* this one.
+
+function my_test()
+	{
+	print "I should be ZAM code!";
+	}
+
+event zeek_init()
+	{
+	my_test();
+	print my_test;
+	print set_to_regex;
+	}
diff --git a/testing/btest/opt/opt-func.zeek b/testing/btest/opt/opt-func.zeek
new file mode 100644
index 0000000000..6594cffe34
--- /dev/null
+++ b/testing/btest/opt/opt-func.zeek
@@ -0,0 +1,22 @@
+# @TEST-EXEC: zeek -b -O ZAM --optimize-func='my_test' %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+# Tests that we can selectively a given function.
+
+function my_test()
+	{
+	print "I should be ZAM code!";
+	}
+
+function another_test()
+	{
+	print "I shouldn't be ZAM code!";
+	}
+
+event zeek_init()
+	{
+	my_test();
+	another_test();
+	print my_test;
+	print another_test;
+	}
diff --git a/testing/btest/opt/opt-func2.zeek b/testing/btest/opt/opt-func2.zeek
new file mode 100644
index 0000000000..c503479905
--- /dev/null
+++ b/testing/btest/opt/opt-func2.zeek
@@ -0,0 +1,23 @@
+# @TEST-EXEC: zeek -b -O ZAM --optimize-func='another_test' %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+# Tests that we can selectively a bunch of functions (event handlers),
+# but not every function.
+
+function my_test()
+	{
+	print "I shouldn't be ZAM code!";
+	}
+
+function another_test()
+	{
+	print "I should be ZAM code!";
+	}
+
+event zeek_init()
+	{
+	my_test();
+	another_test();
+	print my_test;
+	print another_test;
+	}
diff --git a/testing/btest/opt/opt-func3.zeek b/testing/btest/opt/opt-func3.zeek
new file mode 100644
index 0000000000..15f49987b1
--- /dev/null
+++ b/testing/btest/opt/opt-func3.zeek
@@ -0,0 +1,23 @@
+# @TEST-EXEC: zeek -b -O ZAM --optimize-func='my_test' --optimize-func='another_test' %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+# Tests that we can selectively a bunch of functions (event handlers),
+# and also call out an additional function.
+
+function my_test()
+	{
+	print "Me and my buds should be ZAM code!";
+	}
+
+function another_test()
+	{
+	print "that includes me!";
+	}
+
+event zeek_init()
+	{
+	my_test();
+	another_test();
+	print my_test;
+	print another_test;
+	}
diff --git a/testing/btest/opt/opt-no-files.zeek b/testing/btest/opt/opt-no-files.zeek
new file mode 100644
index 0000000000..36a22c4c5e
--- /dev/null
+++ b/testing/btest/opt/opt-no-files.zeek
@@ -0,0 +1,10 @@
+# @TEST-EXEC-FAIL: zeek -b -O ZAM --optimize-files='Xopt-files' %INPUT
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderr
+
+# Make sure that if --optimize-files is specified but there are no matching
+# files, that's caught as an error.
+
+event zeek_init()
+	{
+	print zeek_init;
+	}
diff --git a/testing/btest/opt/opt-no-func.zeek b/testing/btest/opt/opt-no-func.zeek
new file mode 100644
index 0000000000..88b8d6de47
--- /dev/null
+++ b/testing/btest/opt/opt-no-func.zeek
@@ -0,0 +1,10 @@
+# @TEST-EXEC-FAIL: zeek -b -O ZAM --optimize-files='my_func' %INPUT
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderr
+
+# Make sure that if --optimize-func is specified but there are no matching
+# functions, that's caught as an error.
+
+event zeek_init()
+	{
+	print zeek_init;
+	}
diff --git a/testing/btest/opt/opt-no-func2.zeek b/testing/btest/opt/opt-no-func2.zeek
new file mode 100644
index 0000000000..84d09b90fe
--- /dev/null
+++ b/testing/btest/opt/opt-no-func2.zeek
@@ -0,0 +1,14 @@
+# @TEST-EXEC-FAIL: zeek -b -O ZAM --optimize-files='my_func' %INPUT
+# @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff .stderr
+
+# Make sure that --optimize-func anchors the regex.
+
+function my_func2()
+	{
+	print "I shouldn't match!";
+	}
+
+event zeek_init()
+	{
+	print zeek_init;
+	}

From 429b42ecb104defb0277e2635b338b4761f74307 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Fri, 10 Dec 2021 09:54:18 -0700
Subject: [PATCH 151/210] Update cmake submodule across all other submodules

---
 auxil/bifcl    | 2 +-
 auxil/binpac   | 2 +-
 auxil/broker   | 2 +-
 auxil/zeek-aux | 2 +-
 auxil/zeekctl  | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/auxil/bifcl b/auxil/bifcl
index 762d55f9c6..5738d319c1 160000
--- a/auxil/bifcl
+++ b/auxil/bifcl
@@ -1 +1 @@
-Subproject commit 762d55f9c6747267acca77f19d4b60b4dc3c3821
+Subproject commit 5738d319c180fbfc9e910b6d52a47e61a0354be5
diff --git a/auxil/binpac b/auxil/binpac
index 8169f16309..8b1322d306 160000
--- a/auxil/binpac
+++ b/auxil/binpac
@@ -1 +1 @@
-Subproject commit 8169f1630993b34189b2c221d0e5ab8ba9777967
+Subproject commit 8b1322d3060a1fecdc586693e6215ad7ef8ab0e9
diff --git a/auxil/broker b/auxil/broker
index 07842d8bcd..36339ad8c9 160000
--- a/auxil/broker
+++ b/auxil/broker
@@ -1 +1 @@
-Subproject commit 07842d8bcdd4cf90fb7355be53fa3d14146147dd
+Subproject commit 36339ad8c9844f1758f8e9d0da4645047f480c34
diff --git a/auxil/zeek-aux b/auxil/zeek-aux
index 614fb53023..b727e896a7 160000
--- a/auxil/zeek-aux
+++ b/auxil/zeek-aux
@@ -1 +1 @@
-Subproject commit 614fb53023e97f71816beacba401f085d5dbdd6d
+Subproject commit b727e896a78e7bab6a8b02951a72b21450c3b450
diff --git a/auxil/zeekctl b/auxil/zeekctl
index d31885671d..f02f0c452c 160000
--- a/auxil/zeekctl
+++ b/auxil/zeekctl
@@ -1 +1 @@
-Subproject commit d31885671d74932d951778c029fa74d44cf3e542
+Subproject commit f02f0c452c3efedc848ad48effbbe400daf1f6f7

From 9b0173172f4289e0e2879739c5a312c0f3ade38f Mon Sep 17 00:00:00 2001
From: zeek-bot <info@zeek.org>
Date: Sat, 11 Dec 2021 00:39:42 +0000
Subject: [PATCH 152/210] Update doc submodule [nomail] [skip ci]

---
 doc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc b/doc
index cb6d494f1d..43ff1249e8 160000
--- a/doc
+++ b/doc
@@ -1 +1 @@
-Subproject commit cb6d494f1dd1e1bf634930ee4169154ad5eb68ea
+Subproject commit 43ff1249e8f32b4f7031e2480dfd710396817ba8

From bbae2cf36c7ef0f43cd885da225e4fec68c7f5fd Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Sun, 12 Dec 2021 12:31:28 -0800
Subject: [PATCH 153/210] minor efficiency tweak for ZAM record construction

---
 src/script_opt/ZAM/Ops.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/script_opt/ZAM/Ops.in b/src/script_opt/ZAM/Ops.in
index f57ce19947..71f1760694 100644
--- a/src/script_opt/ZAM/Ops.in
+++ b/src/script_opt/ZAM/Ops.in
@@ -1064,7 +1064,7 @@ macro EvalConstructRecord(map_init, map_accessor)
 			const auto& t_ind = rt->GetFieldType(ind);
 			v_i->AsVectorVal()->Concretize(t_ind->Yield());
 			}
-		new_r->Assign(ind, aux->ToVal(frame, i));
+		new_r->Assign(ind, v_i);
 		}
 	auto& r = frame[z.v1].record_val;
 	Unref(r);

From ce7f886077c2aa0d3ad8b0aca3c95f0213c96479 Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Sun, 12 Dec 2021 12:32:27 -0800
Subject: [PATCH 154/210] removing vestigial methods

---
 src/script_opt/CPP/Compile.h | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/src/script_opt/CPP/Compile.h b/src/script_opt/CPP/Compile.h
index 87ebe786a8..6e3ccf71e8 100644
--- a/src/script_opt/CPP/Compile.h
+++ b/src/script_opt/CPP/Compile.h
@@ -943,10 +943,6 @@ private:
 	// the set of attributes.
 	void BuildAttrs(const AttributesPtr& attrs, std::string& attr_tags, std::string& attr_vals);
 
-	// Generates code to create the given attributes at run-time.
-	void GenAttrs(const AttributesPtr& attrs);
-	std::string GenAttrExpr(const ExprPtr& e);
-
 	// Returns a string representation of the name associated with
 	// different attribute tags (e.g., "ATTR_DEFAULT").
 	static const char* AttrName(AttrTag t);

From 4ea5785908b86539fe9962e995db084f7ee047b8 Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Sun, 12 Dec 2021 12:33:06 -0800
Subject: [PATCH 155/210] fixed for profiling missing some profile elements

---
 src/script_opt/ProfileFunc.cc | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)

diff --git a/src/script_opt/ProfileFunc.cc b/src/script_opt/ProfileFunc.cc
index 0716a885e3..c2bf948304 100644
--- a/src/script_opt/ProfileFunc.cc
+++ b/src/script_opt/ProfileFunc.cc
@@ -470,16 +470,22 @@ ProfileFuncs::ProfileFuncs(std::vector<FuncInfo>& funcs, is_compilable_pred pred
 	// functions.  Recursively compute their hashes.
 	ComputeTypeHashes(main_types);
 
-	// Computing the hashes can have marked expressions (seen in
-	// record attributes) for further analysis.  Likewise, when
-	// doing the profile merges above we may have noted lambda
-	// expressions.  Analyze these, and iteratively any further
-	// expressions that that analysis uncovers.
-	DrainPendingExprs();
+	do
+		{
+		// Computing the hashes can have marked expressions (seen in
+		// record attributes) for further analysis.  Likewise, when
+		// doing the profile merges above we may have noted lambda
+		// expressions.  Analyze these, and iteratively any further
+		// expressions that that analysis uncovers.
+		DrainPendingExprs();
 
-	// We now have all the information we need to form definitive,
-	// deterministic hashes.
-	ComputeBodyHashes(funcs);
+		// We now have all the information we need to form definitive,
+		// deterministic hashes.
+		ComputeBodyHashes(funcs);
+
+		// Computing those hashes could have led to traversals that
+		// create more pending expressions to analyze.
+		} while ( ! pending_exprs.empty() );
 	}
 
 void ProfileFuncs::MergeInProfile(ProfileFunc* pf)

From 52ed9351a9c44353f62d4d14f0a4af68f2d468bc Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Sun, 12 Dec 2021 12:33:38 -0800
Subject: [PATCH 156/210] fixes for compiling vector operations to C++

---
 src/script_opt/CPP/Exprs.cc      | 20 ++++-----
 src/script_opt/CPP/RuntimeVec.cc | 77 +++++++++++++-------------------
 src/script_opt/CPP/RuntimeVec.h  | 11 +++--
 3 files changed, 46 insertions(+), 62 deletions(-)

diff --git a/src/script_opt/CPP/Exprs.cc b/src/script_opt/CPP/Exprs.cc
index ad8f49e513..f65be5eb84 100644
--- a/src/script_opt/CPP/Exprs.cc
+++ b/src/script_opt/CPP/Exprs.cc
@@ -580,13 +580,13 @@ string CPPCompile::GenArithCoerceExpr(const Expr* e, GenType gt)
 	if ( same_type(t, op->GetType()) )
 		return GenExpr(op, gt);
 
-	bool is_vec = t->Tag() == TYPE_VECTOR;
-
-	auto coerce_t = is_vec ? t->Yield() : t;
+	if ( t->Tag() == TYPE_VECTOR )
+		return string("vector_coerce_to__CPP(") + GenExpr(op, GEN_NATIVE) + ", " + GenTypeName(t) +
+		       ")";
 
 	string cast_name;
 
-	switch ( coerce_t->InternalType() )
+	switch ( t->InternalType() )
 		{
 		case TYPE_INTERNAL_INT:
 			cast_name = "bro_int_t";
@@ -602,10 +602,6 @@ string CPPCompile::GenArithCoerceExpr(const Expr* e, GenType gt)
 			reporter->InternalError("bad type in arithmetic coercion");
 		}
 
-	if ( is_vec )
-		return string("vec_coerce_to_") + cast_name + "__CPP(" + GenExpr(op, GEN_NATIVE) + ", " +
-		       GenTypeName(t) + ")";
-
 	return NativeToGT(cast_name + "(" + GenExpr(op, GEN_NATIVE) + ")", t, gt);
 	}
 
@@ -1115,10 +1111,12 @@ string CPPCompile::GenListAssign(const ExprPtr& lhs, const ExprPtr& rhs)
 
 string CPPCompile::GenVectorOp(const Expr* e, string op, const char* vec_op)
 	{
-	auto gen = string("vec_op_") + vec_op + "__CPP(" + op + ")";
+	auto t = e->GetType();
+	auto gen_t = GenTypeName(t);
+	auto gen = string("vec_op_") + vec_op + "__CPP(" + op + ", " + gen_t + ")";
 
-	if ( ! IsArithmetic(e->GetType()->Yield()->Tag()) )
-		gen = string("vector_coerce_to__CPP(") + gen + ", " + GenTypeName(e->GetType()) + ")";
+	if ( ! IsArithmetic(t->Yield()->Tag()) )
+		gen = string("vector_coerce_to__CPP(") + gen + ", " + gen_t + ")";
 
 	return gen;
 	}
diff --git a/src/script_opt/CPP/RuntimeVec.cc b/src/script_opt/CPP/RuntimeVec.cc
index c8279e7988..2607a2fb87 100644
--- a/src/script_opt/CPP/RuntimeVec.cc
+++ b/src/script_opt/CPP/RuntimeVec.cc
@@ -47,8 +47,9 @@ static VectorTypePtr base_vector_type__CPP(const VectorTypePtr& vt)
 #define VEC_OP1_KERNEL(accessor, type, op)                                                         \
 	for ( unsigned int i = 0; i < v->Size(); ++i )                                                 \
 		{                                                                                          \
-		auto v_i = v->ValAt(i)->accessor();                                                        \
-		v_result->Assign(i, make_intrusive<type>(op v_i));                                         \
+		auto v_i = v->ValAt(i);                                                                    \
+		if ( v_i )                                                                                 \
+			v_result->Assign(i, make_intrusive<type>(op v_i->accessor()));                         \
 		}
 
 // A macro (since it's beyond my templating skillz to deal with the
@@ -58,9 +59,9 @@ static VectorTypePtr base_vector_type__CPP(const VectorTypePtr& vt)
 // is "double".  It needs to be optional because C++ will (rightfully)
 // complain about applying certain C++ unary operations to doubles.
 #define VEC_OP1(name, op, double_kernel)                                                           \
-	VectorValPtr vec_op_##name##__CPP(const VectorValPtr& v)                                       \
+	VectorValPtr vec_op_##name##__CPP(const VectorValPtr& v, const TypePtr& t)                     \
 		{                                                                                          \
-		auto vt = base_vector_type__CPP(v->GetType<VectorType>());                                 \
+		auto vt = base_vector_type__CPP(cast_intrusive<VectorType>(t));                            \
 		auto v_result = make_intrusive<VectorVal>(vt);                                             \
                                                                                                    \
 		switch ( vt->Yield()->InternalType() )                                                     \
@@ -105,9 +106,10 @@ VEC_OP1(comp, ~, )
 #define VEC_OP2_KERNEL(accessor, type, op)                                                         \
 	for ( unsigned int i = 0; i < v1->Size(); ++i )                                                \
 		{                                                                                          \
-		auto v1_i = v1->ValAt(i)->accessor();                                                      \
-		auto v2_i = v2->ValAt(i)->accessor();                                                      \
-		v_result->Assign(i, make_intrusive<type>(v1_i op v2_i));                                   \
+		auto v1_i = v1->ValAt(i);                                                                  \
+		auto v2_i = v2->ValAt(i);                                                                  \
+		if ( v1_i && v2_i )                                                                        \
+			v_result->Assign(i, make_intrusive<type>(v1_i->accessor() op v2_i->accessor()));       \
 		}
 
 // Analogous to VEC_OP1, instantiates a function for a given binary operation,
@@ -387,27 +389,42 @@ VectorValPtr vector_coerce_to__CPP(const VectorValPtr& v, const TypePtr& targ)
 	for ( unsigned int i = 0; i < n; ++i )
 		{
 		ValPtr v_i = v->ValAt(i);
+		if ( ! v_i )
+			continue;
+
 		ValPtr r_i;
 		switch ( ytag )
 			{
 			case TYPE_BOOL:
-				r_i = val_mgr->Bool(v_i->AsBool());
+				r_i = val_mgr->Bool(v_i->CoerceToInt() != 0);
+				break;
+
+			case TYPE_INT:
+				r_i = val_mgr->Int(v_i->CoerceToInt());
+				break;
+
+			case TYPE_COUNT:
+				r_i = val_mgr->Count(v_i->CoerceToUnsigned());
 				break;
 
 			case TYPE_ENUM:
-				r_i = yt->AsEnumType()->GetEnumVal(v_i->AsInt());
+				r_i = yt->AsEnumType()->GetEnumVal(v_i->CoerceToInt());
 				break;
 
 			case TYPE_PORT:
-				r_i = make_intrusive<PortVal>(v_i->AsCount());
+				r_i = make_intrusive<PortVal>(v_i->CoerceToUnsigned());
+				break;
+
+			case TYPE_DOUBLE:
+				r_i = make_intrusive<DoubleVal>(v_i->CoerceToDouble());
 				break;
 
 			case TYPE_INTERVAL:
-				r_i = make_intrusive<IntervalVal>(v_i->AsDouble());
+				r_i = make_intrusive<IntervalVal>(v_i->CoerceToDouble());
 				break;
 
 			case TYPE_TIME:
-				r_i = make_intrusive<TimeVal>(v_i->AsDouble());
+				r_i = make_intrusive<TimeVal>(v_i->CoerceToDouble());
 				break;
 
 			default:
@@ -420,40 +437,10 @@ VectorValPtr vector_coerce_to__CPP(const VectorValPtr& v, const TypePtr& targ)
 	return v_result;
 	}
 
-VectorValPtr vec_coerce_to_bro_int_t__CPP(const VectorValPtr& v, TypePtr targ)
+VectorValPtr vec_scalar_mixed_with_vector()
 	{
-	auto res_t = cast_intrusive<VectorType>(targ);
-	auto v_result = make_intrusive<VectorVal>(move(res_t));
-	auto n = v->Size();
-
-	for ( unsigned int i = 0; i < n; ++i )
-		v_result->Assign(i, val_mgr->Int(v->IntAt(i)));
-
-	return v_result;
-	}
-
-VectorValPtr vec_coerce_to_bro_uint_t__CPP(const VectorValPtr& v, TypePtr targ)
-	{
-	auto res_t = cast_intrusive<VectorType>(targ);
-	auto v_result = make_intrusive<VectorVal>(move(res_t));
-	auto n = v->Size();
-
-	for ( unsigned int i = 0; i < n; ++i )
-		v_result->Assign(i, val_mgr->Count(v->CountAt(i)));
-
-	return v_result;
-	}
-
-VectorValPtr vec_coerce_to_double__CPP(const VectorValPtr& v, TypePtr targ)
-	{
-	auto res_t = cast_intrusive<VectorType>(targ);
-	auto v_result = make_intrusive<VectorVal>(move(res_t));
-	auto n = v->Size();
-
-	for ( unsigned int i = 0; i < n; ++i )
-		v_result->Assign(i, make_intrusive<DoubleVal>(v->DoubleAt(i)));
-
-	return v_result;
+	reporter->CPPRuntimeError("vector-mixed-with-scalar operations not supported");
+	return nullptr;
 	}
 
 	} // namespace zeek::detail
diff --git a/src/script_opt/CPP/RuntimeVec.h b/src/script_opt/CPP/RuntimeVec.h
index 96cc1cfc67..2dfe1374c3 100644
--- a/src/script_opt/CPP/RuntimeVec.h
+++ b/src/script_opt/CPP/RuntimeVec.h
@@ -22,10 +22,10 @@ inline ValPtr vector_append__CPP(VectorValPtr v1, ValPtr v2)
 	}
 
 // Unary vector operations.
-extern VectorValPtr vec_op_pos__CPP(const VectorValPtr& v);
-extern VectorValPtr vec_op_neg__CPP(const VectorValPtr& v);
-extern VectorValPtr vec_op_not__CPP(const VectorValPtr& v);
-extern VectorValPtr vec_op_comp__CPP(const VectorValPtr& v);
+extern VectorValPtr vec_op_pos__CPP(const VectorValPtr& v, const TypePtr& t);
+extern VectorValPtr vec_op_neg__CPP(const VectorValPtr& v, const TypePtr& t);
+extern VectorValPtr vec_op_not__CPP(const VectorValPtr& v, const TypePtr& t);
+extern VectorValPtr vec_op_comp__CPP(const VectorValPtr& v, const TypePtr& t);
 
 // Binary vector operations.
 extern VectorValPtr vec_op_add__CPP(const VectorValPtr& v1, const VectorValPtr& v2);
@@ -81,8 +81,7 @@ extern VectorValPtr vec_coerce_to_bro_uint_t__CPP(const VectorValPtr& v, TypePtr
 extern VectorValPtr vec_coerce_to_double__CPP(const VectorValPtr& v, TypePtr targ);
 
 // A dummy function used during code generation for unsupported operations
-// that mix vector and scalar arguments.  We don't define it in RuntimeVec.cc
-// so that it'll generate a linking error.
+// that mix vector and scalar arguments.
 extern VectorValPtr vec_scalar_mixed_with_vector();
 
 	} // namespace zeek::detail

From 96ed94457111004b435c8b98ed586b16468d8542 Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Sun, 12 Dec 2021 12:34:23 -0800
Subject: [PATCH 157/210] fix for compiling record constructors to C++

---
 src/script_opt/CPP/RuntimeOps.cc | 29 +++++++++++++++++++++++++----
 1 file changed, 25 insertions(+), 4 deletions(-)

diff --git a/src/script_opt/CPP/RuntimeOps.cc b/src/script_opt/CPP/RuntimeOps.cc
index 2aa55f3f1c..13cb3f5092 100644
--- a/src/script_opt/CPP/RuntimeOps.cc
+++ b/src/script_opt/CPP/RuntimeOps.cc
@@ -215,22 +215,43 @@ TableValPtr table_constructor__CPP(vector<ValPtr> indices, vector<ValPtr> vals,
 
 RecordValPtr record_constructor__CPP(vector<ValPtr> vals, RecordTypePtr t)
 	{
-	auto rv = make_intrusive<RecordVal>(move(t));
+	auto rv = make_intrusive<RecordVal>(t);
 	auto n = vals.size();
 
 	for ( auto i = 0u; i < n; ++i )
-		rv->Assign(i, vals[i]);
+		{
+		auto& v_i = vals[i];
+
+		if ( v_i && v_i->GetType()->Tag() == TYPE_VECTOR && v_i->AsVectorVal()->Size() == 0 )
+			{
+			const auto& t_ind = t->GetFieldType(i);
+			v_i->AsVectorVal()->Concretize(t_ind->Yield());
+			}
+
+		rv->Assign(i, v_i);
+		}
 
 	return rv;
 	}
 
 RecordValPtr record_constructor_map__CPP(vector<ValPtr> vals, vector<int> map, RecordTypePtr t)
 	{
-	auto rv = make_intrusive<RecordVal>(move(t));
+	auto rv = make_intrusive<RecordVal>(t);
 	auto n = vals.size();
 
 	for ( auto i = 0u; i < n; ++i )
-		rv->Assign(map[i], vals[i]);
+		{
+		auto& v_i = vals[i];
+		auto ind = map[i];
+
+		if ( v_i && v_i->GetType()->Tag() == TYPE_VECTOR && v_i->AsVectorVal()->Size() == 0 )
+			{
+			const auto& t_ind = t->GetFieldType(ind);
+			v_i->AsVectorVal()->Concretize(t_ind->Yield());
+			}
+
+		rv->Assign(ind, v_i);
+		}
 
 	return rv;
 	}

From d5e7db1070dc01a287123ab214068609fa3f395f Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Sun, 12 Dec 2021 12:34:50 -0800
Subject: [PATCH 158/210] new ZEEK_FILE_ONLY and ZEEK_FUNC_ONLY environment
 variables for debugging script optimization - replaces ZEEK_ONLY

---
 src/script_opt/ScriptOpt.cc | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/src/script_opt/ScriptOpt.cc b/src/script_opt/ScriptOpt.cc
index cf688f32d4..d35413d281 100644
--- a/src/script_opt/ScriptOpt.cc
+++ b/src/script_opt/ScriptOpt.cc
@@ -99,16 +99,16 @@ bool should_analyze(const ScriptFuncPtr& f, const StmtPtr& body)
 	if ( ofiles.empty() && ofuncs.empty() )
 		return true;
 
-	auto fn = f->Name();
+	auto fun = f->Name();
 
 	for ( auto& o : ofuncs )
-		if ( std::regex_match(fn, o) )
+		if ( std::regex_match(fun, o) )
 			return true;
 
-	fn = body->GetLocationInfo()->filename;
+	auto fin = util::detail::normalize_path(body->GetLocationInfo()->filename);
 
 	for ( auto& o : ofiles )
-		if ( std::regex_match(fn, o) )
+		if ( std::regex_match(fin, o) )
 			return true;
 
 	return false;
@@ -296,7 +296,14 @@ static void init_options()
 
 	if ( analysis_options.only_funcs.empty() )
 		{
-		auto zo = getenv("ZEEK_ONLY");
+		auto zo = getenv("ZEEK_FUNC_ONLY");
+		if ( zo )
+			add_func_analysis_pattern(analysis_options, zo);
+		}
+
+	if ( analysis_options.only_files.empty() )
+		{
+		auto zo = getenv("ZEEK_FILE_ONLY");
 		if ( zo )
 			add_file_analysis_pattern(analysis_options, zo);
 		}

From 3b3cea799be3374f8be43739de68dba93c45a547 Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Sun, 12 Dec 2021 12:36:08 -0800
Subject: [PATCH 159/210] fixes for -O gen-standalone-C++

---
 src/script_opt/CPP/CPP-load.bif |  3 ---
 src/script_opt/CPP/Inits.cc     | 23 ++++++-----------------
 2 files changed, 6 insertions(+), 20 deletions(-)

diff --git a/src/script_opt/CPP/CPP-load.bif b/src/script_opt/CPP/CPP-load.bif
index 4e6105b0bb..87528ce658 100644
--- a/src/script_opt/CPP/CPP-load.bif
+++ b/src/script_opt/CPP/CPP-load.bif
@@ -39,8 +39,5 @@ function load_CPP%(h: count%): bool
 	// compiled scripts.
 	detail::standalone_activations.push_back(cb->second);
 
-	// Proceed with activation.
-	(*detail::CPP_init_hook)();
-
 	return zeek::val_mgr->True();
 	%}
diff --git a/src/script_opt/CPP/Inits.cc b/src/script_opt/CPP/Inits.cc
index f1d7a52338..376fc93ea3 100644
--- a/src/script_opt/CPP/Inits.cc
+++ b/src/script_opt/CPP/Inits.cc
@@ -213,17 +213,11 @@ void CPPCompile::GenStandaloneActivation()
 	{
 	NL();
 
-#if 0
 	Emit("void standalone_activation__CPP()");
 	StartBlock();
-	for ( auto& a : activations )
-		Emit(a);
-	EndBlock();
-#endif
 
+	Emit("finish_init__CPP();");
 	NL();
-	Emit("void standalone_init__CPP()");
-	StartBlock();
 
 	// For events and hooks, we need to add each compiled body *unless*
 	// it's already there (which could be the case if the standalone
@@ -283,10 +277,14 @@ void CPPCompile::GenStandaloneActivation()
 		     GenTypeName(ft), hashes);
 		}
 
+	EndBlock();
+
 	NL();
+	Emit("void standalone_init__CPP()");
+	StartBlock();
+	Emit("init__CPP();");
 	Emit("CPP_activation_funcs.push_back(standalone_activation__CPP);");
 	Emit("CPP_activation_hook = activate__CPPs;");
-
 	EndBlock();
 	}
 
@@ -300,15 +298,6 @@ void CPPCompile::GenLoad()
 
 	Emit("register_scripts__CPP(%s, standalone_init__CPP);", Fmt(total_hash));
 
-	// Spit out the placeholder script, and any associated module
-	// definitions.
-	for ( const auto& m : module_names )
-		if ( m != "GLOBAL" )
-			printf("module %s;\n", m.c_str());
-
-	if ( module_names.size() > 0 )
-		printf("module GLOBAL;\n\n");
-
 	printf("global init_CPP_%llu = load_CPP(%llu);\n", total_hash, total_hash);
 	}
 

From 2f7137999fe7262fa1f8489db29b2172abe6824c Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Sun, 12 Dec 2021 12:36:45 -0800
Subject: [PATCH 160/210] restored support for incremental compilation of
 scripts to C++

---
 src/script_opt/CPP/Compile.h             |  4 ----
 src/script_opt/CPP/DeclFunc.cc           |  3 ---
 src/script_opt/CPP/Driver.cc             | 13 +++----------
 src/script_opt/CPP/Func.h                |  1 +
 src/script_opt/CPP/InitsInfo.cc          |  4 ++--
 src/script_opt/CPP/RuntimeInitSupport.cc | 12 +++++++-----
 src/script_opt/CPP/RuntimeInitSupport.h  |  5 +++--
 src/script_opt/CPP/RuntimeInits.cc       |  3 ++-
 src/script_opt/ProfileFunc.cc            | 16 ++++++++++++++--
 src/script_opt/ProfileFunc.h             | 11 -----------
 src/script_opt/ScriptOpt.cc              | 21 +++++----------------
 11 files changed, 37 insertions(+), 56 deletions(-)

diff --git a/src/script_opt/CPP/Compile.h b/src/script_opt/CPP/Compile.h
index 6e3ccf71e8..3b91c60659 100644
--- a/src/script_opt/CPP/Compile.h
+++ b/src/script_opt/CPP/Compile.h
@@ -585,10 +585,6 @@ private:
 	// function name, and maps to the C++ name.
 	std::unordered_map<std::string, std::string> compiled_simple_funcs;
 
-	// Maps those to their associated files - used to make add-C++ body
-	// hashes distinct.
-	std::unordered_map<std::string, std::string> cf_locs;
-
 	// Maps function bodies to the names we use for them.
 	std::unordered_map<const Stmt*, std::string> body_names;
 
diff --git a/src/script_opt/CPP/DeclFunc.cc b/src/script_opt/CPP/DeclFunc.cc
index cdc95b5f2f..cd884bf62c 100644
--- a/src/script_opt/CPP/DeclFunc.cc
+++ b/src/script_opt/CPP/DeclFunc.cc
@@ -99,9 +99,6 @@ void CPPCompile::CreateFunction(const FuncTypePtr& ft, const ProfileFunc* pf, co
 		// for lambdas that don't take any arguments, but that
 		// seems potentially more confusing than beneficial.
 		compiled_funcs.emplace(fname);
-
-		auto loc_f = script_specific_filename(body);
-		cf_locs[fname] = loc_f;
 		}
 
 	auto h = pf->HashVal();
diff --git a/src/script_opt/CPP/Driver.cc b/src/script_opt/CPP/Driver.cc
index fc3490c5c2..bfc4ef6f8e 100644
--- a/src/script_opt/CPP/Driver.cc
+++ b/src/script_opt/CPP/Driver.cc
@@ -197,10 +197,10 @@ void CPPCompile::Compile(bool report_uncompilable)
 
 void CPPCompile::GenProlog()
 	{
-	if ( addl_tag == 0 )
-		{
+	if ( addl_tag <= 1 )
+		// This is either a compilation via gen-C++, or
+		// one using add-C++ and an empty CPP-gen.cc file.
 		Emit("#include \"zeek/script_opt/CPP/Runtime.h\"\n");
-		}
 
 	Emit("namespace zeek::detail { //\n");
 	Emit("namespace CPP_%s { // %s\n", Fmt(addl_tag), working_dir);
@@ -292,13 +292,6 @@ void CPPCompile::RegisterCompiledBody(const string& f)
 
 	events = string("{") + events + "}";
 
-	if ( addl_tag > 0 )
-		// Hash in the location associated with this compilation
-		// pass, to get a final hash that avoids conflicts with
-		// identical-but-in-a-different-context function bodies
-		// when compiling potentially conflicting additional code.
-		h = merge_p_hashes(h, p_hash(cf_locs[f]));
-
 	auto fi = func_index.find(f);
 	ASSERT(fi != func_index.end());
 	auto type_signature = casting_index[fi->second];
diff --git a/src/script_opt/CPP/Func.h b/src/script_opt/CPP/Func.h
index 0de2edfbc6..28b348d62b 100644
--- a/src/script_opt/CPP/Func.h
+++ b/src/script_opt/CPP/Func.h
@@ -105,6 +105,7 @@ struct CompiledScript
 	CPPStmtPtr body;
 	int priority;
 	std::vector<std::string> events;
+	void (*finish_init_func)();
 	};
 
 // Maps hashes to compiled information.
diff --git a/src/script_opt/CPP/InitsInfo.cc b/src/script_opt/CPP/InitsInfo.cc
index 2f2ab1ed8c..3f3b4f2593 100644
--- a/src/script_opt/CPP/InitsInfo.cc
+++ b/src/script_opt/CPP/InitsInfo.cc
@@ -239,14 +239,14 @@ void FuncConstInfo::InitializerVals(std::vector<std::string>& ivs) const
 	{
 	auto f = fv->AsFunc();
 	const auto& fn = f->Name();
+	const auto& bodies = f->GetBodies();
 
 	ivs.emplace_back(Fmt(type));
 	ivs.emplace_back(Fmt(c->TrackString(fn)));
+	ivs.emplace_back(to_string(bodies.size()));
 
 	if ( ! c->NotFullyCompilable(fn) )
 		{
-		const auto& bodies = f->GetBodies();
-
 		for ( const auto& b : bodies )
 			{
 			auto h = c->BodyHash(b.stmts.get());
diff --git a/src/script_opt/CPP/RuntimeInitSupport.cc b/src/script_opt/CPP/RuntimeInitSupport.cc
index 6a657d0713..eea927d192 100644
--- a/src/script_opt/CPP/RuntimeInitSupport.cc
+++ b/src/script_opt/CPP/RuntimeInitSupport.cc
@@ -62,9 +62,10 @@ void register_type__CPP(TypePtr t, const string& name)
 	id->MakeType();
 	}
 
-void register_body__CPP(CPPStmtPtr body, int priority, p_hash_type hash, vector<string> events)
+void register_body__CPP(CPPStmtPtr body, int priority, p_hash_type hash, vector<string> events,
+                        void (*finish_init)())
 	{
-	compiled_scripts[hash] = {move(body), priority, move(events)};
+	compiled_scripts[hash] = {move(body), priority, move(events), finish_init};
 	}
 
 void register_lambda__CPP(CPPStmtPtr body, p_hash_type hash, const char* name, TypePtr t,
@@ -89,7 +90,7 @@ void register_lambda__CPP(CPPStmtPtr body, p_hash_type hash, const char* name, T
 	if ( ! has_captures )
 		// Note, no support for lambdas that themselves refer
 		// to events.
-		register_body__CPP(body, 0, hash, {});
+		register_body__CPP(body, 0, hash, {}, nullptr);
 	}
 
 void register_scripts__CPP(p_hash_type h, void (*callback)())
@@ -190,11 +191,12 @@ Func* lookup_bif__CPP(const char* bif)
 	return b ? b->GetVal()->AsFunc() : nullptr;
 	}
 
-FuncValPtr lookup_func__CPP(string name, vector<p_hash_type> hashes, const TypePtr& t)
+FuncValPtr lookup_func__CPP(string name, int num_bodies, vector<p_hash_type> hashes,
+                            const TypePtr& t)
 	{
 	auto ft = cast_intrusive<FuncType>(t);
 
-	if ( hashes.empty() )
+	if ( static_cast<int>(hashes.size()) < num_bodies )
 		{
 		// This happens for functions that have at least one
 		// uncompilable body.
diff --git a/src/script_opt/CPP/RuntimeInitSupport.h b/src/script_opt/CPP/RuntimeInitSupport.h
index 284290c95b..6b5ea46014 100644
--- a/src/script_opt/CPP/RuntimeInitSupport.h
+++ b/src/script_opt/CPP/RuntimeInitSupport.h
@@ -37,7 +37,7 @@ extern void register_type__CPP(TypePtr t, const std::string& name);
 // relevant for the function body, which should be registered if the
 // function body is going to be used.
 extern void register_body__CPP(CPPStmtPtr body, int priority, p_hash_type hash,
-                               std::vector<std::string> events);
+                               std::vector<std::string> events, void (*finish_init)());
 
 // Registers a lambda body as associated with the given hash.  Includes
 // the name of the lambda (so it can be made available as a quasi-global
@@ -67,7 +67,8 @@ extern Func* lookup_bif__CPP(const char* bif);
 // returns an associated FuncVal.  It's a fatal error for the hash
 // not to exist, because this function should only be called by compiled
 // code that has ensured its existence.
-extern FuncValPtr lookup_func__CPP(std::string name, std::vector<p_hash_type> h, const TypePtr& t);
+extern FuncValPtr lookup_func__CPP(std::string name, int num_bodies, std::vector<p_hash_type> h,
+                                   const TypePtr& t);
 
 // Returns the record corresponding to the given name, as long as the
 // name is indeed a record type.  Otherwise (or if the name is nil)
diff --git a/src/script_opt/CPP/RuntimeInits.cc b/src/script_opt/CPP/RuntimeInits.cc
index 4f52171ffe..5286540997 100644
--- a/src/script_opt/CPP/RuntimeInits.cc
+++ b/src/script_opt/CPP/RuntimeInits.cc
@@ -147,13 +147,14 @@ void CPP_IndexedInits<T>::Generate(InitsManager* im, std::vector<FuncValPtr>& iv
 	auto iv_end = init_vals.end();
 	auto t = *(iv_it++);
 	auto fn = im->Strings(*(iv_it++));
+	auto num_bodies = *(iv_it++);
 
 	std::vector<p_hash_type> hashes;
 
 	while ( iv_it != iv_end )
 		hashes.push_back(im->Hashes(*(iv_it++)));
 
-	ivec[offset] = lookup_func__CPP(fn, hashes, im->Types(t));
+	ivec[offset] = lookup_func__CPP(fn, num_bodies, hashes, im->Types(t));
 	}
 
 template <class T>
diff --git a/src/script_opt/ProfileFunc.cc b/src/script_opt/ProfileFunc.cc
index c2bf948304..b354930516 100644
--- a/src/script_opt/ProfileFunc.cc
+++ b/src/script_opt/ProfileFunc.cc
@@ -23,7 +23,13 @@ p_hash_type p_hash(const Obj* o)
 	return p_hash(d.Description());
 	}
 
-std::string script_specific_filename(const StmtPtr& body)
+// Returns a filename associated with the given function body.  Used to
+// provide distinctness to identical function bodies seen in separate,
+// potentially conflicting incremental compilations.  An example of this
+// is a function named foo() that calls bar(), for which in two different
+// compilation contexts bar() has differing semantics, even though foo()'s
+// (shallow) semantics are the same.
+static std::string script_specific_filename(const Stmt* body)
 	{
 	// The specific filename is taken from the location filename, making
 	// it absolute if necessary.
@@ -52,12 +58,15 @@ std::string script_specific_filename(const StmtPtr& body)
 	return bl_f;
 	}
 
-p_hash_type script_specific_hash(const StmtPtr& body, p_hash_type generic_hash)
+// Returns a incremental-compilation-specific hash for the given function
+// body, given its non-specific hash is "generic_hash".
+static p_hash_type script_specific_hash(const Stmt* body, p_hash_type generic_hash)
 	{
 	auto bl_f = script_specific_filename(body);
 	return merge_p_hashes(generic_hash, p_hash(bl_f));
 	}
 
+
 ProfileFunc::ProfileFunc(const Func* func, const StmtPtr& body, bool _abs_rec_fields)
 	{
 	profiled_func = func;
@@ -698,6 +707,9 @@ void ProfileFuncs::ComputeProfileHash(std::shared_ptr<ProfileFunc> pf)
 	for ( auto i : pf->AdditionalHashes() )
 		h = merge_p_hashes(h, i);
 
+	if ( ! pf->Stmts().empty() )
+		h = script_specific_hash(pf->Stmts()[0], h);
+
 	pf->SetHashVal(h);
 	}
 
diff --git a/src/script_opt/ProfileFunc.h b/src/script_opt/ProfileFunc.h
index 2ccb47f6d6..36de4ee5ca 100644
--- a/src/script_opt/ProfileFunc.h
+++ b/src/script_opt/ProfileFunc.h
@@ -74,17 +74,6 @@ inline p_hash_type merge_p_hashes(p_hash_type h1, p_hash_type h2)
 	return h1 ^ (h2 + 0x9e3779b9 + (h1 << 6) + (h1 >> 2));
 	}
 
-// Returns a filename associated with the given function body.  Used to
-// provide distinctness to identical function bodies seen in separate,
-// potentially conflicting incremental compilations.  This is only germane
-// for allowing incremental compilation of subsets of the test suite, so
-// if we decide to forgo that capability, we can remove this.
-extern std::string script_specific_filename(const StmtPtr& body);
-
-// Returns a incremental-compilation-specific hash for the given function
-// body, given it's non-specific hash is "generic_hash".
-extern p_hash_type script_specific_hash(const StmtPtr& body, p_hash_type generic_hash);
-
 // Class for profiling the components of a single function (or expression).
 class ProfileFunc : public TraversalCallback
 	{
diff --git a/src/script_opt/ScriptOpt.cc b/src/script_opt/ScriptOpt.cc
index d35413d281..05ef655016 100644
--- a/src/script_opt/ScriptOpt.cc
+++ b/src/script_opt/ScriptOpt.cc
@@ -350,17 +350,8 @@ static void report_CPP()
 		auto name = f.Func()->Name();
 		auto hash = f.Profile()->HashVal();
 		bool have = compiled_scripts.count(hash) > 0;
-		auto specific = "";
 
-		if ( ! have )
-			{
-			hash = script_specific_hash(f.Body(), hash);
-			have = compiled_scripts.count(hash) > 0;
-			if ( have )
-				specific = " - specific";
-			}
-
-		printf("script function %s (hash %llu%s): %s\n", name, hash, specific, have ? "yes" : "no");
+		printf("script function %s (hash %llu): %s\n", name, hash, have ? "yes" : "no");
 
 		if ( have )
 			already_reported.insert(hash);
@@ -387,12 +378,6 @@ static void use_CPP()
 		auto hash = f.Profile()->HashVal();
 		auto s = compiled_scripts.find(hash);
 
-		if ( s == compiled_scripts.end() )
-			{ // Look for script-specific body.
-			hash = script_specific_hash(f.Body(), hash);
-			s = compiled_scripts.find(hash);
-			}
-
 		if ( s != compiled_scripts.end() )
 			{
 			auto b = s->second.body;
@@ -418,6 +403,10 @@ static void use_CPP()
 				auto h = event_registry->Register(e);
 				h->SetUsed();
 				}
+
+			auto finish = s->second.finish_init_func;
+			if ( finish )
+				(*finish)();
 			}
 		}
 

From 86288426fb89493ed7f3860f1ba2edfdbfc3f442 Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Sun, 12 Dec 2021 12:41:16 -0800
Subject: [PATCH 161/210] factoring of generating C++ initializations, no
 semantic changes

---
 src/script_opt/CPP/Compile.h |  14 ++++
 src/script_opt/CPP/Driver.cc | 138 +++++++++++++++++++++++------------
 2 files changed, 104 insertions(+), 48 deletions(-)

diff --git a/src/script_opt/CPP/Compile.h b/src/script_opt/CPP/Compile.h
index 3b91c60659..11d8808a75 100644
--- a/src/script_opt/CPP/Compile.h
+++ b/src/script_opt/CPP/Compile.h
@@ -301,6 +301,20 @@ private:
 	// in support of run-time initialization of various dynamic values.
 	void GenEpilog();
 
+	// Generate the main method of the CPPDynStmt class, doing dynamic
+	// dispatch for function invocation.
+	void GenCPPDynStmt();
+
+	// Generate a function to load BiFs.
+	void GenLoadBiFs();
+
+	// Generate the main initialization function, which finalizes
+	// the run-time environment.
+	void GenFinishInit();
+
+	// Generate the function that registers compiled script bodies.
+	void GenRegisterBodies();
+
 	// True if the given function (plus body and profile) is one
 	// that should be compiled.  If non-nil, sets reason to the
 	// the reason why, if there's a fundamental problem.  If however
diff --git a/src/script_opt/CPP/Driver.cc b/src/script_opt/CPP/Driver.cc
index bfc4ef6f8e..f9e97da5b4 100644
--- a/src/script_opt/CPP/Driver.cc
+++ b/src/script_opt/CPP/Driver.cc
@@ -306,9 +306,65 @@ void CPPCompile::GenEpilog()
 		GenInitExpr(ii.second);
 
 	NL();
-	Emit("ValPtr CPPDynStmt::Exec(Frame* f, StmtFlowType& flow)");
+	GenCPPDynStmt();
+
+	NL();
+	for ( auto gi : all_global_info )
+		gi->GenerateInitializers(this);
+
+	NL();
+	InitializeEnumMappings();
+
+	NL();
+	InitializeFieldMappings();
+
+	NL();
+	InitializeBiFs();
+
+	NL();
+	indices_mgr.Generate(this);
+
+	NL();
+	InitializeStrings();
+
+	NL();
+	InitializeHashes();
+
+	NL();
+	InitializeConsts();
+
+	NL();
+	GenLoadBiFs();
+
+	NL();
+	GenFinishInit();
+
+	NL();
+	GenRegisterBodies();
+
+	NL();
+	Emit("void init__CPP()");
 	StartBlock();
+	Emit("register_bodies__CPP();");
+	EndBlock();
+
+	if ( standalone )
+		GenStandaloneActivation();
+
+	GenInitHook();
+
+	Emit("} // %s\n\n", scope_prefix(addl_tag));
+	Emit("} // zeek::detail");
+	}
+
+void CPPCompile::GenCPPDynStmt()
+	{
+	Emit("ValPtr CPPDynStmt::Exec(Frame* f, StmtFlowType& flow)");
+
+	StartBlock();
+
 	Emit("flow = FLOW_RETURN;");
+
 	Emit("switch ( type_signature )");
 	StartBlock();
 	for ( auto i = 0U; i < func_casting_glue.size(); ++i )
@@ -343,41 +399,29 @@ void CPPCompile::GenEpilog()
 
 	EndBlock();
 	EndBlock();
+	}
 
-	NL();
+void CPPCompile::GenLoadBiFs()
+	{
+	Emit("void load_BiFs__CPP()");
+	StartBlock();
+	Emit("for ( auto& b : CPP__BiF_lookups__ )");
+	Emit("\tb.ResolveBiF();");
+	EndBlock();
+	}
 
-	for ( auto gi : all_global_info )
-		gi->GenerateInitializers(this);
-
-	if ( standalone )
-		GenStandaloneActivation();
-
-	NL();
-	InitializeEnumMappings();
-
-	NL();
-	InitializeFieldMappings();
-
-	NL();
-	InitializeBiFs();
-
-	NL();
-	indices_mgr.Generate(this);
-
-	NL();
-	InitializeStrings();
-
-	NL();
-	InitializeHashes();
-
-	NL();
-	InitializeConsts();
-
-	NL();
-	Emit("void init__CPP()");
+void CPPCompile::GenFinishInit()
+	{
+	Emit("void finish_init__CPP()");
 
 	StartBlock();
 
+	Emit("static bool did_init = false;");
+	Emit("if ( did_init )");
+	Emit("\treturn;");
+	Emit("did_init = true;");
+
+	NL();
 	Emit("std::vector<std::vector<int>> InitIndices;");
 	Emit("generate_indices_set(CPP__Indices__init, InitIndices);");
 
@@ -394,13 +438,6 @@ void CPPCompile::GenEpilog()
 	Emit("InitsManager im(CPP__ConstVals, InitConsts, InitIndices, CPP__Strings, CPP__Hashes, "
 	     "CPP__Type__, CPP__Attributes__, CPP__Attr__, CPP__CallExpr__);");
 
-	NL();
-	Emit("for ( auto& b : CPP__bodies_to_register )");
-	StartBlock();
-	Emit("auto f = make_intrusive<CPPDynStmt>(b.func_name.c_str(), b.func, b.type_signature);");
-	Emit("register_body__CPP(f, b.priority, b.h, b.events);");
-	EndBlock();
-
 	NL();
 	int max_cohort = 0;
 	for ( auto gi : all_global_info )
@@ -411,10 +448,6 @@ void CPPCompile::GenEpilog()
 			if ( gi->CohortSize(c) > 0 )
 				Emit("%s.InitializeCohort(&im, %s);", gi->InitializersName(), Fmt(c));
 
-	NL();
-	Emit("for ( auto& b : CPP__BiF_lookups__ )");
-	Emit("\tb.ResolveBiF();");
-
 	// Populate mappings for dynamic offsets.
 	NL();
 	Emit("for ( auto& em : CPP__enum_mappings__ )");
@@ -423,15 +456,24 @@ void CPPCompile::GenEpilog()
 	Emit("for ( auto& fm : CPP__field_mappings__ )");
 	Emit("\tfield_mapping.push_back(fm.ComputeOffset(&im));");
 
-	if ( standalone )
-		Emit("standalone_init__CPP();");
+	NL();
+	Emit("load_BiFs__CPP();");
 
-	EndBlock(true);
+	EndBlock();
+	}
 
-	GenInitHook();
+void CPPCompile::GenRegisterBodies()
+	{
+	Emit("void register_bodies__CPP()");
+	StartBlock();
 
-	Emit("} // %s\n\n", scope_prefix(addl_tag));
-	Emit("} // zeek::detail");
+	Emit("for ( auto& b : CPP__bodies_to_register )");
+	StartBlock();
+	Emit("auto f = make_intrusive<CPPDynStmt>(b.func_name.c_str(), b.func, b.type_signature);");
+	Emit("register_body__CPP(f, b.priority, b.h, b.events, finish_init__CPP);");
+	EndBlock();
+
+	EndBlock();
 	}
 
 bool CPPCompile::IsCompilable(const FuncInfo& func, const char** reason)

From 3fc58bdd9f17e8bb4765a3a1dac9727ce98dd09b Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Sun, 12 Dec 2021 12:42:16 -0800
Subject: [PATCH 162/210] minor note regarding improving performance of
 C++-generated code

---
 src/script_opt/CPP/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/script_opt/CPP/README.md b/src/script_opt/CPP/README.md
index 1ed3cc6c13..0187be4397 100644
--- a/src/script_opt/CPP/README.md
+++ b/src/script_opt/CPP/README.md
@@ -185,7 +185,7 @@ particularly difficult to fix.
 
 * A number of steps could be taken to increase the performance of
 the optimized code.  These include:
-	1. Switching the generated code to use the new ZVal-related interfaces.
+	1. Switching the generated code to use the new ZVal-related interfaces, including for vector operations.
 	2. Directly calling BiFs rather than using the `Invoke()` method to do so.  This relates to the broader question of switching BiFs to be based on a notion of "inlined C++" code in Zeek functions, rather than using the standalone `bifcl` BiF compiler.
 	3. Switching the Event Engine over to queuing events with `ZVal` arguments rather than `ValPtr` arguments.
 	4. Making the compiler aware of certain BiFs that can be directly inlined (e.g., `network_time()`), a technique employed effectively by the ZAM compiler.

From a10fafe398af4cd161aabfc375202291019a9b6d Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Sun, 12 Dec 2021 12:43:30 -0800
Subject: [PATCH 163/210] tweak to keep clang-format happy

---
 src/script_opt/ProfileFunc.cc | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/script_opt/ProfileFunc.cc b/src/script_opt/ProfileFunc.cc
index b354930516..b29bf068d4 100644
--- a/src/script_opt/ProfileFunc.cc
+++ b/src/script_opt/ProfileFunc.cc
@@ -66,7 +66,6 @@ static p_hash_type script_specific_hash(const Stmt* body, p_hash_type generic_ha
 	return merge_p_hashes(generic_hash, p_hash(bl_f));
 	}
 
-
 ProfileFunc::ProfileFunc(const Func* func, const StmtPtr& body, bool _abs_rec_fields)
 	{
 	profiled_func = func;

From 7de9a7d76fb8d706ff1b1e4342b994d0043dc65e Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Mon, 13 Dec 2021 10:46:14 -0700
Subject: [PATCH 164/210] GH-1860: Add double_to_int() bif

---
 src/zeek.bif                           | 13 +++++++++++++
 testing/btest/Baseline/bifs.to_int/out |  4 ++++
 testing/btest/bifs/to_int.zeek         | 12 ++++++++++++
 3 files changed, 29 insertions(+)

diff --git a/src/zeek.bif b/src/zeek.bif
index 6bc0382882..fffb310412 100644
--- a/src/zeek.bif
+++ b/src/zeek.bif
@@ -2422,6 +2422,19 @@ function int_to_count%(n: int%): count
 ## d: The :zeek:type:`double` to convert.
 ##
 ## Returns: The :zeek:type:`double` *d* as unsigned integer, or 0 if *d* < 0.0.
+##          The value returned follows typical rounding rules, as implemented
+##          by rint().
+function double_to_int%(d: double%): count
+	%{
+	return zeek::val_mgr->Int(bro_int_t(rint(d)));
+	%}
+
+## Converts a :zeek:type:`double` to a :zeek:type:`int`.
+##
+## d: The :zeek:type:`double` to convert.
+##
+## Returns: The :zeek:type:`double` *d* as signed integer. The value returned
+##          follows typical rounding rules, as implemented by rint().
 ##
 ## .. zeek:see:: double_to_time
 function double_to_count%(d: double%): count
diff --git a/testing/btest/Baseline/bifs.to_int/out b/testing/btest/Baseline/bifs.to_int/out
index 9c836ac56c..c0c6d56ef5 100644
--- a/testing/btest/Baseline/bifs.to_int/out
+++ b/testing/btest/Baseline/bifs.to_int/out
@@ -3,3 +3,7 @@
 -1
 4294967296
 0
+3
+4
+-3
+-4
diff --git a/testing/btest/bifs/to_int.zeek b/testing/btest/bifs/to_int.zeek
index 23e74030ba..17e433f975 100644
--- a/testing/btest/bifs/to_int.zeek
+++ b/testing/btest/bifs/to_int.zeek
@@ -8,4 +8,16 @@ event zeek_init()
 	print to_int("-1");
 	print to_int("4294967296");
 	print to_int("not an int");
+
+	local a: double = 3.14;
+	print double_to_int(a);
+
+	local b: double = 3.9;
+	print double_to_int(b);
+
+	local c: double = -3.14;
+	print double_to_int(c);
+
+	local d: double = -3.9;
+	print double_to_int(d);
 	}

From deb518588abc9a6064fb4dbdad49babf34b4dc6c Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Tue, 14 Dec 2021 11:33:21 -0800
Subject: [PATCH 165/210] fix typo in btest filename

---
 .../out                                                           | 0
 .../out                                                           | 0
 .../out                                                           | 0
 .../language/{unused-assignement.zeek => unused-assignment.zeek}  | 0
 4 files changed, 0 insertions(+), 0 deletions(-)
 rename testing/btest/Baseline.opt/{language.unused-assignement => language.unused-assignment}/out (100%)
 rename testing/btest/Baseline.zam/{language.unused-assignement => language.unused-assignment}/out (100%)
 rename testing/btest/Baseline/{language.unused-assignement => language.unused-assignment}/out (100%)
 rename testing/btest/language/{unused-assignement.zeek => unused-assignment.zeek} (100%)

diff --git a/testing/btest/Baseline.opt/language.unused-assignement/out b/testing/btest/Baseline.opt/language.unused-assignment/out
similarity index 100%
rename from testing/btest/Baseline.opt/language.unused-assignement/out
rename to testing/btest/Baseline.opt/language.unused-assignment/out
diff --git a/testing/btest/Baseline.zam/language.unused-assignement/out b/testing/btest/Baseline.zam/language.unused-assignment/out
similarity index 100%
rename from testing/btest/Baseline.zam/language.unused-assignement/out
rename to testing/btest/Baseline.zam/language.unused-assignment/out
diff --git a/testing/btest/Baseline/language.unused-assignement/out b/testing/btest/Baseline/language.unused-assignment/out
similarity index 100%
rename from testing/btest/Baseline/language.unused-assignement/out
rename to testing/btest/Baseline/language.unused-assignment/out
diff --git a/testing/btest/language/unused-assignement.zeek b/testing/btest/language/unused-assignment.zeek
similarity index 100%
rename from testing/btest/language/unused-assignement.zeek
rename to testing/btest/language/unused-assignment.zeek

From 5e71e757fefdfb82a0473bc11a750edb378db258 Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Tue, 14 Dec 2021 11:33:42 -0800
Subject: [PATCH 166/210] correct usage info for -u flag; -uu no longer
 supported

---
 src/Options.cc | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/src/Options.cc b/src/Options.cc
index 8f97e5031d..9ddeed5b0c 100644
--- a/src/Options.cc
+++ b/src/Options.cc
@@ -105,9 +105,7 @@ void usage(const char* prog, int code)
 	                "allowed, pass '-' as the filename to read from stdin)\n");
 	fprintf(stderr, "    -s|--rulefile <rulefile>        | read rules from given file\n");
 	fprintf(stderr, "    -t|--tracefile <tracefile>      | activate execution tracing\n");
-	fprintf(stderr,
-	        "    -u|--usage-issues               | find variable usage issues and exit; use "
-	        "-uu for deeper/more expensive analysis\n");
+	fprintf(stderr, "    -u|--usage-issues               | find variable usage issues and exit\n");
 	fprintf(stderr, "    -v|--version                    | print version and exit\n");
 	fprintf(stderr, "    -w|--writefile <writefile>      | write to given tcpdump file\n");
 #ifdef DEBUG

From 72a59bf828c7624a293342813986337b455a804f Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Tue, 14 Dec 2021 12:49:27 -0800
Subject: [PATCH 167/210] removed unused script variable

---
 scripts/base/frameworks/notice/actions/email_admin.zeek | 1 -
 1 file changed, 1 deletion(-)

diff --git a/scripts/base/frameworks/notice/actions/email_admin.zeek b/scripts/base/frameworks/notice/actions/email_admin.zeek
index 71c26afef4..d9abeea41e 100644
--- a/scripts/base/frameworks/notice/actions/email_admin.zeek
+++ b/scripts/base/frameworks/notice/actions/email_admin.zeek
@@ -23,7 +23,6 @@ hook notice(n: Notice::Info)
 	if ( |Site::local_admins| > 0 &&
 	     ACTION_EMAIL_ADMIN in n$actions )
 		{
-		local email = "";
 		if ( n?$src && |Site::get_emails(n$src)| > 0 )
 			add n$email_dest[Site::get_emails(n$src)];
 		if ( n?$dst && |Site::get_emails(n$dst)| > 0 )

From dff664dc1fdb48dd1264dc16c70c1b3bbc406e35 Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Tue, 14 Dec 2021 12:50:17 -0800
Subject: [PATCH 168/210] test suite updates for "xform" and "usage"
 alternatives, plus test name change

---
 .../language.common-mistakes2/err             |    2 +
 .../language.common-mistakes2/out             |    2 +
 .../language.deprecated/no-warnings.out       |    5 +-
 .../language.deprecated/warnings.out          |    5 +-
 .../double_convert_failure1.out               |    2 -
 .../double_convert_failure2.out               |    2 -
 .../first_set.out                             |   16 -
 .../int_convert_failure.out                   |    2 -
 .../language.type-coerce-numerics/vectors.out |   19 -
 .../language.uninitialized-local/out          |    2 +-
 .../btest/Baseline.xform/plugins.hooks/output | 1437 ++++++++++++++++-
 .../Baseline/language.unused-assignment/out   |    2 +-
 12 files changed, 1372 insertions(+), 124 deletions(-)
 create mode 100644 testing/btest/Baseline.usage/language.common-mistakes2/err
 create mode 100644 testing/btest/Baseline.usage/language.common-mistakes2/out
 delete mode 100644 testing/btest/Baseline.usage/language.type-coerce-numerics/double_convert_failure1.out
 delete mode 100644 testing/btest/Baseline.usage/language.type-coerce-numerics/double_convert_failure2.out
 delete mode 100644 testing/btest/Baseline.usage/language.type-coerce-numerics/first_set.out
 delete mode 100644 testing/btest/Baseline.usage/language.type-coerce-numerics/int_convert_failure.out
 delete mode 100644 testing/btest/Baseline.usage/language.type-coerce-numerics/vectors.out

diff --git a/testing/btest/Baseline.usage/language.common-mistakes2/err b/testing/btest/Baseline.usage/language.common-mistakes2/err
new file mode 100644
index 0000000000..c7e1a135b4
--- /dev/null
+++ b/testing/btest/Baseline.usage/language.common-mistakes2/err
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+expression error in <...>/common-mistakes2.zeek, line 16: type-checking failed in vector append (v vec+= ok)
diff --git a/testing/btest/Baseline.usage/language.common-mistakes2/out b/testing/btest/Baseline.usage/language.common-mistakes2/out
new file mode 100644
index 0000000000..8e1dd6eefb
--- /dev/null
+++ b/testing/btest/Baseline.usage/language.common-mistakes2/out
@@ -0,0 +1,2 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+in foo
diff --git a/testing/btest/Baseline.usage/language.deprecated/no-warnings.out b/testing/btest/Baseline.usage/language.deprecated/no-warnings.out
index 089328c3ea..c5c2a012f8 100644
--- a/testing/btest/Baseline.usage/language.deprecated/no-warnings.out
+++ b/testing/btest/Baseline.usage/language.deprecated/no-warnings.out
@@ -7,7 +7,6 @@ warning in ./no-warnings.zeek, line 33: deprecated (blah)
 warning in ./no-warnings.zeek, line 37: deprecated (my_event)
 warning in ./no-warnings.zeek, line 38: deprecated (my_event)
 warning in ./no-warnings.zeek, line 39: deprecated (my_hook)
-warning in ./no-warnings.zeek, line 41: deprecated (my_record$b)
 warning in ./no-warnings.zeek, line 42: deprecated (my_record$b)
 warning in ./no-warnings.zeek, line 43: deprecated (my_record$b)
 warning in ./no-warnings.zeek, line 45: deprecated (my_record?$b)
@@ -18,8 +17,8 @@ warning in ./no-warnings.zeek, line 57: deprecated (my_hook)
 warning in ./no-warnings.zeek, line 62: deprecated (blah)
 warning in ./no-warnings.zeek, line 71: deprecated (dont_use_me)
 warning in ./no-warnings.zeek, line 76: deprecated (dont_use_me_either)
-warning: mr assignment unused: mr = (coerce <internal>::#1 to record { a:count; b:string; }); ./no-warnings.zeek, line 42
-warning: mr assignment unused: mr = (coerce <internal>::#0 to record { a:count; b:string; }); ./no-warnings.zeek, line 41
+warning: mr assignment unused: mr = (coerce <internal>::#0 to record { a:count &default=1, &optional; b:string &optional, &deprecated; }); ./no-warnings.zeek, line 42
+warning: mr assignment unused: mr = my_record($a=3, $b=yeah); ./no-warnings.zeek, line 41
 warning: l assignment unused: l = testing; ./no-warnings.zeek, line 33
 ZERO
 ONE
diff --git a/testing/btest/Baseline.usage/language.deprecated/warnings.out b/testing/btest/Baseline.usage/language.deprecated/warnings.out
index 6b13586834..3a398ec9bc 100644
--- a/testing/btest/Baseline.usage/language.deprecated/warnings.out
+++ b/testing/btest/Baseline.usage/language.deprecated/warnings.out
@@ -7,7 +7,6 @@ warning in ./warnings.zeek, line 33: deprecated (blah): type warning
 warning in ./warnings.zeek, line 37: deprecated (my_event): event warning
 warning in ./warnings.zeek, line 38: deprecated (my_event): event warning
 warning in ./warnings.zeek, line 39: deprecated (my_hook): hook warning
-warning in ./warnings.zeek, line 41: deprecated (my_record$b): record warning
 warning in ./warnings.zeek, line 42: deprecated (my_record$b): record warning
 warning in ./warnings.zeek, line 43: deprecated (my_record$b): record warning
 warning in ./warnings.zeek, line 45: deprecated (my_record?$b): record warning
@@ -18,8 +17,8 @@ warning in ./warnings.zeek, line 57: deprecated (my_hook): hook warning
 warning in ./warnings.zeek, line 62: deprecated (blah): type warning
 warning in ./warnings.zeek, line 71: deprecated (dont_use_me): global function warning
 warning in ./warnings.zeek, line 76: deprecated (dont_use_me_either): function warning
-warning: mr assignment unused: mr = (coerce <internal>::#1 to record { a:count; b:string; }); ./warnings.zeek, line 42
-warning: mr assignment unused: mr = (coerce <internal>::#0 to record { a:count; b:string; }); ./warnings.zeek, line 41
+warning: mr assignment unused: mr = (coerce <internal>::#0 to record { a:count &default=1, &optional; b:string &optional, &deprecated=record warning; }); ./warnings.zeek, line 42
+warning: mr assignment unused: mr = my_record($a=3, $b=yeah); ./warnings.zeek, line 41
 warning: l assignment unused: l = testing; ./warnings.zeek, line 33
 ZERO
 ONE
diff --git a/testing/btest/Baseline.usage/language.type-coerce-numerics/double_convert_failure1.out b/testing/btest/Baseline.usage/language.type-coerce-numerics/double_convert_failure1.out
deleted file mode 100644
index 833eb76999..0000000000
--- a/testing/btest/Baseline.usage/language.type-coerce-numerics/double_convert_failure1.out
+++ /dev/null
@@ -1,2 +0,0 @@
-### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-error in ./double_convert_failure1.zeek, line 7 and double: type clash for field "cc" ((coerce [$cc=5.0] to myrecord) and double)
diff --git a/testing/btest/Baseline.usage/language.type-coerce-numerics/double_convert_failure2.out b/testing/btest/Baseline.usage/language.type-coerce-numerics/double_convert_failure2.out
deleted file mode 100644
index c89e0282e1..0000000000
--- a/testing/btest/Baseline.usage/language.type-coerce-numerics/double_convert_failure2.out
+++ /dev/null
@@ -1,2 +0,0 @@
-### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-error in ./double_convert_failure2.zeek, line 7 and double: type clash for field "cc" ((coerce [$cc=-5.0] to myrecord) and double)
diff --git a/testing/btest/Baseline.usage/language.type-coerce-numerics/first_set.out b/testing/btest/Baseline.usage/language.type-coerce-numerics/first_set.out
deleted file mode 100644
index b01b2153fa..0000000000
--- a/testing/btest/Baseline.usage/language.type-coerce-numerics/first_set.out
+++ /dev/null
@@ -1,16 +0,0 @@
-### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-warning: overflow assignment unused: overflow = (coerce <internal>::#0 to record { ii:int; cc:count; dd:double; }); ./first_set.zeek, line 46
-error in int and ./first_set.zeek, line 46: overflow promoting from unsigned/double to signed arithmetic value (int and 9223372036854775808)
-expression error in ./first_set.zeek, line 46: Failed type conversion ((coerce <internal>::#0 to record { ii:int; cc:count; dd:double; }))
-3
-int
-4
-int
-5
-int
-6
-int
-7.0
-double
--5.0
-double
diff --git a/testing/btest/Baseline.usage/language.type-coerce-numerics/int_convert_failure.out b/testing/btest/Baseline.usage/language.type-coerce-numerics/int_convert_failure.out
deleted file mode 100644
index 9bca49e323..0000000000
--- a/testing/btest/Baseline.usage/language.type-coerce-numerics/int_convert_failure.out
+++ /dev/null
@@ -1,2 +0,0 @@
-### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-error in ./int_convert_failure.zeek, line 7 and int: type clash for field "cc" ((coerce [$cc=-5] to myrecord) and int)
diff --git a/testing/btest/Baseline.usage/language.type-coerce-numerics/vectors.out b/testing/btest/Baseline.usage/language.type-coerce-numerics/vectors.out
deleted file mode 100644
index da85bd42ed..0000000000
--- a/testing/btest/Baseline.usage/language.type-coerce-numerics/vectors.out
+++ /dev/null
@@ -1,19 +0,0 @@
-### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-vector of count
-vector of count
-vector of count
-[1, 2]
-[3, 4]
-[4, 6]
-vector of int
-vector of int
-vector of int
-[1, 2]
-[3, 4]
-[4, 6]
-vector of double
-vector of double
-vector of double
-[1.0, 2.0]
-[3.0, 4.0]
-[4.0, 6.0]
diff --git a/testing/btest/Baseline.usage/language.uninitialized-local/out b/testing/btest/Baseline.usage/language.uninitialized-local/out
index 5419c70eca..8a6d221434 100644
--- a/testing/btest/Baseline.usage/language.uninitialized-local/out
+++ b/testing/btest/Baseline.usage/language.uninitialized-local/out
@@ -1,4 +1,4 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 warning: my_count assignment unused: my_count = 10; <...>/uninitialized-local.zeek, line 6
-warning in <...>/uninitialized-local.zeek, line 16: possibly used without definition (my_string)
+warning in <...>/uninitialized-local.zeek, line 16: used without definition (my_string)
 expression error in <...>/uninitialized-local.zeek, line 16: value used but not set (my_string)
diff --git a/testing/btest/Baseline.xform/plugins.hooks/output b/testing/btest/Baseline.xform/plugins.hooks/output
index 10ce520de3..495224507f 100644
--- a/testing/btest/Baseline.xform/plugins.hooks/output
+++ b/testing/btest/Baseline.xform/plugins.hooks/output
@@ -1,7 +1,5 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-0.000000   MetaHookPost  CallFunction(Analyzer::__disable_analyzer, <frame>, (Analyzer::ANALYZER_STEPPINGSTONE)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__disable_analyzer, <frame>, (Analyzer::ANALYZER_TCPSTATS)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_AYIYA, 5072/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DCE_RPC, 135/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DHCP, 4011/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DHCP, 67/udp)) -> <no result>
@@ -16,9 +14,6 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DTLS, 443/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 21/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 2811/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_GENEVE, 6081/udp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_GTPV1, 2123/udp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_GTPV1, 2152/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 1080/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 3128/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 631/tcp)) -> <no result>
@@ -62,13 +57,9 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 993/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 995/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SYSLOG, 514/udp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_TEREDO, 3544/udp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_VXLAN, 4789/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_STEPPINGSTONE)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_TCPSTATS)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_AYIYA, 5072/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_DCE_RPC, 135/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_DHCP, 4011/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_DHCP, 67/udp)) -> <no result>
@@ -83,9 +74,6 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_DTLS, 443/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 21/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 2811/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_GENEVE, 6081/udp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_GTPV1, 2123/udp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_GTPV1, 2152/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 1080/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 3128/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 631/tcp)) -> <no result>
@@ -129,19 +117,14 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 993/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 995/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_SYSLOG, 514/udp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_TEREDO, 3544/udp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_VXLAN, 4789/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp)) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_AYIYA, {5072/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DCE_RPC, {135/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DHCP, {67<...>/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DNP3_TCP, {20000<...>/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DNS, {5353<...>/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DTLS, {443/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_FTP, {2811<...>/tcp})) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_GENEVE, {6081/udp})) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_GTPV1, {2152<...>/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_HTTP, {80<...>/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_IMAP, {143/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_IRC, {6666<...>/tcp})) -> <no result>
@@ -161,8 +144,6 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_SSH, {22/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_SSL, {563<...>/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_SYSLOG, {514/udp})) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_TEREDO, {3544/udp})) -> <no result>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_VXLAN, {4789/udp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_XMPP, {5222<...>/tcp})) -> <no result>
 0.000000   MetaHookPost  CallFunction(Broker::__set_metrics_export_endpoint_name, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(Broker::__set_metrics_export_interval, <frame>, (1.0 sec)) -> <no result>
@@ -184,6 +165,7 @@
 0.000000   MetaHookPost  CallFunction(Files::register_for_mime_type, <frame>, (Files::ANALYZER_MD5, application/pkix-cert)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Files::register_for_mime_type, <frame>, (Files::ANALYZER_MD5, application/x-x509-ca-cert)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Files::register_for_mime_type, <frame>, (Files::ANALYZER_MD5, application/x-x509-user-cert)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Files::register_for_mime_type, <frame>, (Files::ANALYZER_OCSP_REPLY, application/ocsp-response)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Files::register_for_mime_type, <frame>, (Files::ANALYZER_PE, application/x-dosexec)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Files::register_for_mime_type, <frame>, (Files::ANALYZER_SHA1, application/pkix-cert)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Files::register_for_mime_type, <frame>, (Files::ANALYZER_SHA1, application/x-x509-ca-cert)) -> <no result>
@@ -201,7 +183,7 @@
 0.000000   MetaHookPost  CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ <internal>::#0 = IRC::c$start_time<internal>::#1 = IRC::c$id<internal>::#2 = cat(Analyzer::ANALYZER_IRC_DATA, <internal>::#0, <internal>::#1, IRC::is_orig)return (<internal>::#2)}, describe=lambda_<15770440363500096069>{ return ()}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_KRB, [get_file_handle=KRB::get_file_handlereturn (), describe=KRB::describe_file{ <init> KRB::cid, KRB::c<internal>::#1 = KRB::f$sourceif (<internal>::#1 != KRB_TCP) { <internal>::#0 = KRB::f$sourceif (<internal>::#0 != KRB) return ()}if (KRB::f?$info) { <internal>::#4 = KRB::f$infoif (<internal>::#4?$x509) { <internal>::#2 = KRB::f$info<internal>::#3 = <internal>::#2$x509if (<internal>::#3?$certificate) elsereturn ()}elsereturn ()}elsereturn ()<internal>::#5 = KRB::f$connsfor ([KRB::cid] in <internal>::#5) if (KRB::c?$krb) { <internal>::#6 = KRB::c$id<internal>::#7 = <internal>::#6$resp_h<internal>::#8 = KRB::c$id<internal>::#9 = <internal>::#8$resp_p<internal>::#10 = cat(<internal>::#7, :, <internal>::#9)return (<internal>::#10)}<internal>::#11 = KRB::f$info<internal>::#12 = <internal>::#11$x509<internal>::#13 = <internal>::#12$certificate<internal>::#14 = <internal>::#13$serial<internal>::#15 = KRB::f$info<internal>::#16 = <internal>::#15$x509<internal>::#17 = <internal>::#16$certificate<internal>::#18 = <internal>::#17$subject<internal>::#19 = KRB::f$info<internal>::#20 = <internal>::#19$x509<internal>::#21 = <internal>::#20$certificate<internal>::#22 = <internal>::#21$issuer<internal>::#23 = cat(Serial: , <internal>::#14,  Subject: , <internal>::#18,  Issuer: , <internal>::#22)return (<internal>::#23)}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_KRB_TCP, [get_file_handle=KRB::get_file_handlereturn (), describe=KRB::describe_file{ <init> KRB::cid, KRB::c<internal>::#1 = KRB::f$sourceif (<internal>::#1 != KRB_TCP) { <internal>::#0 = KRB::f$sourceif (<internal>::#0 != KRB) return ()}if (KRB::f?$info) { <internal>::#4 = KRB::f$infoif (<internal>::#4?$x509) { <internal>::#2 = KRB::f$info<internal>::#3 = <internal>::#2$x509if (<internal>::#3?$certificate) elsereturn ()}elsereturn ()}elsereturn ()<internal>::#5 = KRB::f$connsfor ([KRB::cid] in <internal>::#5) if (KRB::c?$krb) { <internal>::#6 = KRB::c$id<internal>::#7 = <internal>::#6$resp_h<internal>::#8 = KRB::c$id<internal>::#9 = <internal>::#8$resp_p<internal>::#10 = cat(<internal>::#7, :, <internal>::#9)return (<internal>::#10)}<internal>::#11 = KRB::f$info<internal>::#12 = <internal>::#11$x509<internal>::#13 = <internal>::#12$certificate<internal>::#14 = <internal>::#13$serial<internal>::#15 = KRB::f$info<internal>::#16 = <internal>::#15$x509<internal>::#17 = <internal>::#16$certificate<internal>::#18 = <internal>::#17$subject<internal>::#19 = KRB::f$info<internal>::#20 = <internal>::#19$x509<internal>::#21 = <internal>::#20$certificate<internal>::#22 = <internal>::#21$issuer<internal>::#23 = cat(Serial: , <internal>::#14,  Subject: , <internal>::#18,  Issuer: , <internal>::#22)return (<internal>::#23)}])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ <internal>::#4 = SMB::c$smb_stateif (<internal>::#4?$current_file) { <internal>::#2 = SMB::c$smb_state<internal>::#3 = <internal>::#2$current_fileif (<internal>::#3?$name) else{ <internal>::#0 = SMB::c$smb_state<internal>::#1 = <internal>::#0$current_fileif (<internal>::#1?$path) elsereturn ()}}elsereturn ()<internal>::#5 = SMB::c$smb_stateSMB::current_file = <internal>::#5$current_file<internal>::#6 = SMB::current_file?$pathif (<internal>::#6) <internal>::#7 = SMB::current_file$path<internal>::#8 = <internal>::#6 ? <internal>::#7 : SMB::path_name = <internal>::#8<internal>::#9 = SMB::current_file?$nameif (<internal>::#9) <internal>::#10 = SMB::current_file$name<internal>::#11 = <internal>::#9 ? <internal>::#10 : SMB::file_name = <internal>::#11<internal>::#12 = SMB::current_file?$timesif (<internal>::#12) { <internal>::#13 = SMB::current_file$times<internal>::#14 = <internal>::#13$modified}else<internal>::#15 = double_to_time(0.0)<internal>::#16 = <internal>::#12 ? <internal>::#14 : <internal>::#15SMB::last_mod = cat(<internal>::#16)<internal>::#17 = SMB::c$id<internal>::#18 = <internal>::#17$orig_h<internal>::#19 = SMB::c$id<internal>::#20 = <internal>::#19$resp_h<internal>::#21 = cat(Analyzer::ANALYZER_SMB, <internal>::#18, <internal>::#20, SMB::path_name, SMB::file_name, SMB::last_mod)<internal>::#22 = hexdump(<internal>::#21)return (<internal>::#22)}, describe=SMB::describe_file{ <init> SMB::cid, SMB::c<internal>::#0 = SMB::f$sourceif (<internal>::#0 != SMB) return ()<internal>::#1 = SMB::f$connsfor ([SMB::cid] in <internal>::#1) if (SMB::c?$smb_state) { <internal>::#7 = SMB::c$smb_stateif (<internal>::#7?$current_file) { <internal>::#5 = SMB::c$smb_state<internal>::#6 = <internal>::#5$current_fileif (<internal>::#6?$name) { <internal>::#2 = SMB::c$smb_state<internal>::#3 = <internal>::#2$current_file<internal>::#4 = <internal>::#3$namereturn (<internal>::#4)}}}return ()}])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ <internal>::#4 = SMB::c$smb_stateif (<internal>::#4?$current_file) { <internal>::#2 = SMB::c$smb_state<internal>::#3 = <internal>::#2$current_fileif (<internal>::#3?$name) else{ <internal>::#0 = SMB::c$smb_state<internal>::#1 = <internal>::#0$current_fileif (<internal>::#1?$path) elsereturn ()}}elsereturn ()<internal>::#5 = SMB::c$smb_stateSMB::current_file = <internal>::#5$current_file<internal>::#6 = SMB::current_file?$pathif (<internal>::#6) <internal>::#7 = SMB::current_file$path<internal>::#8 = <internal>::#6 ? <internal>::#7 : SMB::path_name = <internal>::#8<internal>::#9 = SMB::current_file?$nameif (<internal>::#9) <internal>::#10 = SMB::current_file$name<internal>::#11 = <internal>::#9 ? <internal>::#10 : SMB::file_name = <internal>::#11<internal>::#12 = SMB::current_file?$timesif (<internal>::#12) { <internal>::#13 = SMB::current_file$times<internal>::#14 = <internal>::#13$modified_raw}<internal>::#15 = <internal>::#12 ? <internal>::#14 : 0SMB::last_mod = cat(<internal>::#15)<internal>::#16 = SMB::c$id<internal>::#17 = <internal>::#16$orig_h<internal>::#18 = SMB::c$id<internal>::#19 = <internal>::#18$resp_h<internal>::#20 = cat(Analyzer::ANALYZER_SMB, <internal>::#17, <internal>::#19, SMB::path_name, SMB::file_name, SMB::last_mod)<internal>::#21 = hexdump(<internal>::#20)return (<internal>::#21)}, describe=SMB::describe_file{ <init> SMB::cid, SMB::c<internal>::#0 = SMB::f$sourceif (<internal>::#0 != SMB) return ()<internal>::#1 = SMB::f$connsfor ([SMB::cid] in <internal>::#1) if (SMB::c?$smb_state) { <internal>::#7 = SMB::c$smb_stateif (<internal>::#7?$current_file) { <internal>::#5 = SMB::c$smb_state<internal>::#6 = <internal>::#5$current_fileif (<internal>::#6?$name) { <internal>::#2 = SMB::c$smb_state<internal>::#3 = <internal>::#2$current_file<internal>::#4 = <internal>::#3$namereturn (<internal>::#4)}}}return ()}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ <internal>::#0 = SMTP::c$start_time<internal>::#1 = SMTP::c$smtp<internal>::#2 = <internal>::#1$trans_depth<internal>::#3 = SMTP::c$smtp_state<internal>::#4 = <internal>::#3$mime_depth<internal>::#5 = cat(Analyzer::ANALYZER_SMTP, <internal>::#0, <internal>::#2, <internal>::#4)return (<internal>::#5)}, describe=SMTP::describe_file{ <init> SMTP::cid, SMTP::c<internal>::#0 = SMTP::f$sourceif (<internal>::#0 != SMTP) return ()<internal>::#1 = SMTP::f$connsfor ([SMTP::cid] in <internal>::#1) { <internal>::#2 = SMTP::c$smtp<internal>::#3 = SMTP::describe(<internal>::#2)return (<internal>::#3)}return ()}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handlereturn (), describe=SSL::describe_file{ <init> SSL::cid, SSL::c<internal>::#3 = SSL::f$sourceif (<internal>::#3 != SSL) return ()elseif (SSL::f?$info) { <internal>::#2 = SSL::f$infoif (<internal>::#2?$x509) { <internal>::#0 = SSL::f$info<internal>::#1 = <internal>::#0$x509if (<internal>::#1?$certificate) elsereturn ()}elsereturn ()}elsereturn ()<internal>::#4 = SSL::f$connsfor ([SSL::cid] in <internal>::#4) if (SSL::c?$ssl) { <internal>::#5 = SSL::c$id<internal>::#6 = <internal>::#5$resp_h<internal>::#7 = SSL::c$id<internal>::#8 = <internal>::#7$resp_p<internal>::#9 = cat(<internal>::#6, :, <internal>::#8)return (<internal>::#9)}<internal>::#10 = SSL::f$info<internal>::#11 = <internal>::#10$x509<internal>::#12 = <internal>::#11$certificate<internal>::#13 = <internal>::#12$serial<internal>::#14 = SSL::f$info<internal>::#15 = <internal>::#14$x509<internal>::#16 = <internal>::#15$certificate<internal>::#17 = <internal>::#16$subject<internal>::#18 = SSL::f$info<internal>::#19 = <internal>::#18$x509<internal>::#20 = <internal>::#19$certificate<internal>::#21 = <internal>::#20$issuer<internal>::#22 = cat(Serial: , <internal>::#13,  Subject: , <internal>::#17,  Issuer: , <internal>::#21)return (<internal>::#22)}])) -> <no result>
 0.000000   MetaHookPost  CallFunction(FilteredTraceDetection::should_detect, <null>, ()) -> <no result>
@@ -228,6 +210,7 @@
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (NetControl::SHUNT, [name=default, writer=Log::WRITER_ASCII, path=netcontrol_shunt, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, path=notice_alarm, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, path=notice, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (OCSP::LOG, [name=default, writer=Log::WRITER_ASCII, path=ocsp, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (OpenFlow::LOG, [name=default, writer=Log::WRITER_ASCII, path=openflow, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (PE::LOG, [name=default, writer=Log::WRITER_ASCII, path=pe, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, path=packet_filter, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
@@ -243,6 +226,7 @@
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, path=socks, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (SSH::LOG, [name=default, writer=Log::WRITER_ASCII, path=ssh, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (SSL::LOG, [name=default, writer=Log::WRITER_ASCII, path=ssl, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (SSL::LOG, [name=default, writer=Log::WRITER_ASCII, path=ssl, path_func=<uninitialized>, include=<uninitialized>, exclude={issuer,client_subject,subject,client_issuer}, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (Signatures::LOG, [name=default, writer=Log::WRITER_ASCII, path=signatures, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (Software::LOG, [name=default, writer=Log::WRITER_ASCII, path=software, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__add_filter, <frame>, (Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, path=syslog, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
@@ -260,7 +244,7 @@
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (DNS::LOG, [columns=DNS::Info, ev=DNS::log_dns, path=dns, policy=DNS::log_policy])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (DPD::LOG, [columns=DPD::Info, ev=<uninitialized>, path=dpd, policy=DPD::log_policy])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (FTP::LOG, [columns=FTP::Info, ev=FTP::log_ftp, path=ftp, policy=FTP::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files, policy=Files::log_policy])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files, policy=Files::log_policyif ((F == X509::log_x509_in_files_log)) { <internal>::#0 = X509::rec$analyzersif ((X509 in <internal>::#0)) break }])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http, policy=HTTP::log_policy])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (IRC::LOG, [columns=IRC::Info, ev=IRC::irc_log, path=irc, policy=IRC::log_policy])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Intel::LOG, [columns=Intel::Info, ev=Intel::log_intel, path=intel, policy=Intel::log_policy])) -> <no result>
@@ -273,6 +257,7 @@
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (NetControl::SHUNT, [columns=NetControl::ShuntInfo, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt, policy=NetControl::log_policy_shunt])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Notice::ALARM_LOG, [columns=Notice::Info, ev=<uninitialized>, path=notice_alarm, policy=Notice::log_policy_alarm])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice, policy=Notice::log_policy])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (OCSP::LOG, [columns=OCSP::Info, ev=OCSP::log_ocsp, path=ocsp, policy=OCSP::log_policy])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (OpenFlow::LOG, [columns=OpenFlow::Info, ev=OpenFlow::log_openflow, path=openflow, policy=OpenFlow::log_policy])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (PE::LOG, [columns=PE::Info, ev=PE::log_pe, path=pe, policy=PE::log_policy])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, <frame>, (PacketFilter::LOG, [columns=PacketFilter::Info, ev=<uninitialized>, path=packet_filter, policy=PacketFilter::log_policy])) -> <no result>
@@ -319,6 +304,7 @@
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (NetControl::SHUNT)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Notice::ALARM_LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (Notice::LOG)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (OCSP::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (OpenFlow::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (PE::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, <frame>, (PacketFilter::LOG)) -> <no result>
@@ -364,6 +350,7 @@
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (NetControl::SHUNT, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (OCSP::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (OpenFlow::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (PE::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
@@ -379,6 +366,7 @@
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (SSH::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (SSL::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (SSL::LOG, [name=default, writer=Log::WRITER_ASCII, path=ssl, path_func=<uninitialized>, include=<uninitialized>, exclude={issuer,client_subject,subject,client_issuer}, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (Signatures::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (Software::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_filter, <frame>, (Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])) -> <no result>
@@ -409,6 +397,7 @@
 0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (NetControl::SHUNT, default)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (Notice::ALARM_LOG, default)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (Notice::LOG, default)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (OCSP::LOG, default)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (OpenFlow::LOG, default)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (PE::LOG, default)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::add_stream_filters, <frame>, (PacketFilter::LOG, default)) -> <no result>
@@ -441,7 +430,7 @@
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (DNS::LOG, [columns=DNS::Info, ev=DNS::log_dns, path=dns, policy=DNS::log_policy])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (DPD::LOG, [columns=DPD::Info, ev=<uninitialized>, path=dpd, policy=DPD::log_policy])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (FTP::LOG, [columns=FTP::Info, ev=FTP::log_ftp, path=ftp, policy=FTP::log_policy])) -> <no result>
-0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files, policy=Files::log_policy])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files, policy=Files::log_policyif ((F == X509::log_x509_in_files_log)) { <internal>::#0 = X509::rec$analyzersif ((X509 in <internal>::#0)) break }])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http, policy=HTTP::log_policy])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (IRC::LOG, [columns=IRC::Info, ev=IRC::irc_log, path=irc, policy=IRC::log_policy])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Intel::LOG, [columns=Intel::Info, ev=Intel::log_intel, path=intel, policy=Intel::log_policy])) -> <no result>
@@ -454,6 +443,7 @@
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (NetControl::SHUNT, [columns=NetControl::ShuntInfo, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt, policy=NetControl::log_policy_shunt])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Notice::ALARM_LOG, [columns=Notice::Info, ev=<uninitialized>, path=notice_alarm, policy=Notice::log_policy_alarm])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice, policy=Notice::log_policy])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (OCSP::LOG, [columns=OCSP::Info, ev=OCSP::log_ocsp, path=ocsp, policy=OCSP::log_policy])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (OpenFlow::LOG, [columns=OpenFlow::Info, ev=OpenFlow::log_openflow, path=openflow, policy=OpenFlow::log_policy])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (PE::LOG, [columns=PE::Info, ev=PE::log_pe, path=pe, policy=PE::log_policy])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (PacketFilter::LOG, [columns=PacketFilter::Info, ev=<uninitialized>, path=packet_filter, policy=PacketFilter::log_policy])) -> <no result>
@@ -476,6 +466,8 @@
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509, policy=X509::log_policy])) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql, policy=MySQL::log_policy])) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::get_filter, <frame>, (SSL::LOG, default)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Log::log_stream_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T], PacketFilter::LOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T])) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::check_plugins, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(NetControl::init, <null>, ()) -> <no result>
@@ -568,11 +560,29 @@
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (X509::caching_required_encounters_interval, Config::config_option_changed{ <internal>::#0 = network_time()<internal>::#1 = lookup_ID(Config::ID)<internal>::#2 = Config::format_value(<internal>::#1)<internal>::#3 = Config::format_value(Config::new_value)Config::log = Config::Info($ts=<internal>::#0, $id=Config::ID, $old_value=<internal>::#2, $new_value=<internal>::#3)if ( != Config::location) Config::log$location $= Config::location<internal>::#4 = to_any_coerceConfig::logLog::write(Config::LOG, <internal>::#4)return (Config::new_value)}, -100)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (X509::certificate_cache_max_entries, Config::config_option_changed{ <internal>::#0 = network_time()<internal>::#1 = lookup_ID(Config::ID)<internal>::#2 = Config::format_value(<internal>::#1)<internal>::#3 = Config::format_value(Config::new_value)Config::log = Config::Info($ts=<internal>::#0, $id=Config::ID, $old_value=<internal>::#2, $new_value=<internal>::#3)if ( != Config::location) Config::log$location $= Config::location<internal>::#4 = to_any_coerceConfig::logLog::write(Config::LOG, <internal>::#4)return (Config::new_value)}, -100)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (X509::certificate_cache_minimum_eviction_interval, Config::config_option_changed{ <internal>::#0 = network_time()<internal>::#1 = lookup_ID(Config::ID)<internal>::#2 = Config::format_value(<internal>::#1)<internal>::#3 = Config::format_value(Config::new_value)Config::log = Config::Info($ts=<internal>::#0, $id=Config::ID, $old_value=<internal>::#2, $new_value=<internal>::#3)if ( != Config::location) Config::log$location $= Config::location<internal>::#4 = to_any_coerceConfig::logLog::write(Config::LOG, <internal>::#4)return (Config::new_value)}, -100)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (X509::hash_function, Config::config_option_changed{ <internal>::#0 = network_time()<internal>::#1 = lookup_ID(Config::ID)<internal>::#2 = Config::format_value(<internal>::#1)<internal>::#3 = Config::format_value(Config::new_value)Config::log = Config::Info($ts=<internal>::#0, $id=Config::ID, $old_value=<internal>::#2, $new_value=<internal>::#3)if ( != Config::location) Config::log$location $= Config::location<internal>::#4 = to_any_coerceConfig::logLog::write(Config::LOG, <internal>::#4)return (Config::new_value)}, -100)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (X509::known_log_certs_maximum_size, Config::config_option_changed{ <internal>::#0 = network_time()<internal>::#1 = lookup_ID(Config::ID)<internal>::#2 = Config::format_value(<internal>::#1)<internal>::#3 = Config::format_value(Config::new_value)Config::log = Config::Info($ts=<internal>::#0, $id=Config::ID, $old_value=<internal>::#2, $new_value=<internal>::#3)if ( != Config::location) Config::log$location $= Config::location<internal>::#4 = to_any_coerceConfig::logLog::write(Config::LOG, <internal>::#4)return (Config::new_value)}, -100)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (X509::log_x509_in_files_log, Config::config_option_changed{ <internal>::#0 = network_time()<internal>::#1 = lookup_ID(Config::ID)<internal>::#2 = Config::format_value(<internal>::#1)<internal>::#3 = Config::format_value(Config::new_value)Config::log = Config::Info($ts=<internal>::#0, $id=Config::ID, $old_value=<internal>::#2, $new_value=<internal>::#3)if ( != Config::location) Config::log$location $= Config::location<internal>::#4 = to_any_coerceConfig::logLog::write(Config::LOG, <internal>::#4)return (Config::new_value)}, -100)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (X509::relog_known_certificates_after, Config::config_option_changed{ <internal>::#0 = network_time()<internal>::#1 = lookup_ID(Config::ID)<internal>::#2 = Config::format_value(<internal>::#1)<internal>::#3 = Config::format_value(Config::new_value)Config::log = Config::Info($ts=<internal>::#0, $id=Config::ID, $old_value=<internal>::#2, $new_value=<internal>::#3)if ( != Config::location) Config::log$location $= Config::location<internal>::#4 = to_any_coerceConfig::logLog::write(Config::LOG, <internal>::#4)return (Config::new_value)}, -100)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (default_file_bof_buffer_size, Config::config_option_changed{ <internal>::#0 = network_time()<internal>::#1 = lookup_ID(Config::ID)<internal>::#2 = Config::format_value(<internal>::#1)<internal>::#3 = Config::format_value(Config::new_value)Config::log = Config::Info($ts=<internal>::#0, $id=Config::ID, $old_value=<internal>::#2, $new_value=<internal>::#3)if ( != Config::location) Config::log$location $= Config::location<internal>::#4 = to_any_coerceConfig::logLog::write(Config::LOG, <internal>::#4)return (Config::new_value)}, -100)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (default_file_timeout_interval, Config::config_option_changed{ <internal>::#0 = network_time()<internal>::#1 = lookup_ID(Config::ID)<internal>::#2 = Config::format_value(<internal>::#1)<internal>::#3 = Config::format_value(Config::new_value)Config::log = Config::Info($ts=<internal>::#0, $id=Config::ID, $old_value=<internal>::#2, $new_value=<internal>::#3)if ( != Config::location) Config::log$location $= Config::location<internal>::#4 = to_any_coerceConfig::logLog::write(Config::LOG, <internal>::#4)return (Config::new_value)}, -100)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (ignore_checksums_nets, Config::config_option_changed{ <internal>::#0 = network_time()<internal>::#1 = lookup_ID(Config::ID)<internal>::#2 = Config::format_value(<internal>::#1)<internal>::#3 = Config::format_value(Config::new_value)Config::log = Config::Info($ts=<internal>::#0, $id=Config::ID, $old_value=<internal>::#2, $new_value=<internal>::#3)if ( != Config::location) Config::log$location $= Config::location<internal>::#4 = to_any_coerceConfig::logLog::write(Config::LOG, <internal>::#4)return (Config::new_value)}, -100)) -> <no result>
+0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (ignore_checksums_nets, PacketAnalyzer::IP::analyzer_option_change_ignore_checksums_nets{ if (ignore_checksums_nets == PacketAnalyzer::IP::ID) PacketAnalyzer::__set_ignore_checksums_nets(PacketAnalyzer::IP::new_value)return (PacketAnalyzer::IP::new_value)}, 5)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (udp_content_delivery_ports_use_resp, Config::config_option_changed{ <internal>::#0 = network_time()<internal>::#1 = lookup_ID(Config::ID)<internal>::#2 = Config::format_value(<internal>::#1)<internal>::#3 = Config::format_value(Config::new_value)Config::log = Config::Info($ts=<internal>::#0, $id=Config::ID, $old_value=<internal>::#2, $new_value=<internal>::#3)if ( != Config::location) Config::log$location $= Config::location<internal>::#4 = to_any_coerceConfig::logLog::write(Config::LOG, <internal>::#4)return (Config::new_value)}, -100)) -> <no result>
 0.000000   MetaHookPost  CallFunction(Option::set_change_handler, <frame>, (udp_content_ports, Config::config_option_changed{ <internal>::#0 = network_time()<internal>::#1 = lookup_ID(Config::ID)<internal>::#2 = Config::format_value(<internal>::#1)<internal>::#3 = Config::format_value(Config::new_value)Config::log = Config::Info($ts=<internal>::#0, $id=Config::ID, $old_value=<internal>::#2, $new_value=<internal>::#3)if ( != Config::location) Config::log$location $= Config::location<internal>::#4 = to_any_coerceConfig::logLog::write(Config::LOG, <internal>::#4)return (Config::new_value)}, -100)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, 5072/udp)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, 6081/udp)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1, 2123/udp)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1, 2152/udp)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, 3544/udp)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, 4789/udp)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, {5072/udp})) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, {6081/udp})) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1, {2152<...>/udp})) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, {3544/udp})) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, {4789/udp})) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 41, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 2048, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 2054, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 32821, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
@@ -583,6 +593,10 @@
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 34984, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 35110, PacketAnalyzer::ANALYZER_VNTAG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 37120, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_GENEVE, 2048, PacketAnalyzer::ANALYZER_IP)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_GENEVE, 2054, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_GENEVE, 2269, PacketAnalyzer::ANALYZER_IP)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_GENEVE, 25944, PacketAnalyzer::ANALYZER_ETHERNET)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IEEE802_11, 2048, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IEEE802_11, 2054, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IEEE802_11, 32821, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
@@ -618,6 +632,12 @@
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 2123, PacketAnalyzer::ANALYZER_GTPV1)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 2152, PacketAnalyzer::ANALYZER_GTPV1)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 3544, PacketAnalyzer::ANALYZER_TEREDO)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 4789, PacketAnalyzer::ANALYZER_VXLAN)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 6081, PacketAnalyzer::ANALYZER_GENEVE)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 2048, PacketAnalyzer::ANALYZER_IP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 2054, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 32821, PacketAnalyzer::ANALYZER_ARP)) -> <no result>
@@ -628,6 +648,9 @@
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 33024, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 34984, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 37120, PacketAnalyzer::ANALYZER_VLAN)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_protocol_detection, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_protocol_detection, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1)) -> <no result>
+0.000000   MetaHookPost  CallFunction(PacketAnalyzer::register_protocol_detection, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO)) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketFilter::build, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketFilter::combine_filters, <frame>, (ip or not ip, and, )) -> <no result>
 0.000000   MetaHookPost  CallFunction(PacketFilter::install, <frame>, ()) -> <no result>
@@ -648,6 +671,8 @@
 0.000000   MetaHookPost  CallFunction(SumStats::register_observe_plugin, <frame>, (SumStats::UNIQUE, lambda_<14393221830775341876>{ if (!SumStats::rv?$unique_vals) SumStats::rv$unique_vals = (coerce set() to set[SumStats::Observation])if (SumStats::r?$unique_max) SumStats::rv$unique_max = SumStats::r$unique_maxif (!SumStats::r?$unique_max || sizeofSumStats::rv$unique_vals <= SumStats::r$unique_max) add SumStats::rv$unique_vals[SumStats::obs]SumStats::rv$unique = sizeofSumStats::rv$unique_vals})) -> <no result>
 0.000000   MetaHookPost  CallFunction(SumStats::register_observe_plugin, <frame>, (SumStats::VARIANCE, lambda_<6557258612059469785>{ if (1 < SumStats::rv$num) SumStats::rv$var_s += ((SumStats::val - SumStats::rv$prev_avg) * (SumStats::val - SumStats::rv$average))SumStats::calc_variance(SumStats::rv)SumStats::rv$prev_avg = SumStats::rv$average})) -> <no result>
 0.000000   MetaHookPost  CallFunction(SumStats::register_observe_plugins, <frame>, ()) -> <no result>
+0.000000   MetaHookPost  CallFunction(Supervisor::__is_supervisor, <frame>, ()) -> <no result>
+0.000000   MetaHookPost  CallFunction(Supervisor::is_supervisor, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(__init_primary_bifs, <null>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(__init_secondary_bifs, <null>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(current_time, <frame>, ()) -> <no result>
@@ -656,6 +681,12 @@
 0.000000   MetaHookPost  CallFunction(getenv, <null>, (ZEEK_DEFAULT_LISTEN_ADDRESS)) -> <no result>
 0.000000   MetaHookPost  CallFunction(global_ids, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(network_time, <frame>, ()) -> <no result>
+0.000000   MetaHookPost  CallFunction(port_to_count, <frame>, (2123/udp)) -> <no result>
+0.000000   MetaHookPost  CallFunction(port_to_count, <frame>, (2152/udp)) -> <no result>
+0.000000   MetaHookPost  CallFunction(port_to_count, <frame>, (3544/udp)) -> <no result>
+0.000000   MetaHookPost  CallFunction(port_to_count, <frame>, (4789/udp)) -> <no result>
+0.000000   MetaHookPost  CallFunction(port_to_count, <frame>, (5072/udp)) -> <no result>
+0.000000   MetaHookPost  CallFunction(port_to_count, <frame>, (6081/udp)) -> <no result>
 0.000000   MetaHookPost  CallFunction(reading_live_traffic, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(reading_traces, <frame>, ()) -> <no result>
 0.000000   MetaHookPost  CallFunction(set_to_regex, <frame>, ({}, (^\.?|\.)(~~)$)) -> <no result>
@@ -695,6 +726,7 @@
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_Finger.events.bif.zeek, <...>/Zeek_Finger.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_GSSAPI.events.bif.zeek, <...>/Zeek_GSSAPI.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_GTPv1.events.bif.zeek, <...>/Zeek_GTPv1.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, ./Zeek_GTPv1.functions.bif.zeek, <...>/Zeek_GTPv1.functions.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_Geneve.events.bif.zeek, <...>/Zeek_Geneve.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_Gnutella.events.bif.zeek, <...>/Zeek_Gnutella.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_HTTP.events.bif.zeek, <...>/Zeek_HTTP.events.bif.zeek) -> -1
@@ -776,12 +808,12 @@
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_SSL.events.bif.zeek, <...>/Zeek_SSL.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_SSL.functions.bif.zeek, <...>/Zeek_SSL.functions.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_SSL.types.bif.zeek, <...>/Zeek_SSL.types.bif.zeek) -> -1
-0.000000   MetaHookPost  LoadFile(0, ./Zeek_SteppingStone.events.bif.zeek, <...>/Zeek_SteppingStone.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_Syslog.events.bif.zeek, <...>/Zeek_Syslog.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_TCP.events.bif.zeek, <...>/Zeek_TCP.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_Teredo.events.bif.zeek, <...>/Zeek_Teredo.events.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, ./Zeek_Teredo.functions.bif.zeek, <...>/Zeek_Teredo.functions.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_UDP.events.bif.zeek, <...>/Zeek_UDP.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_Unified2.events.bif.zeek, <...>/Zeek_Unified2.events.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./Zeek_Unified2.types.bif.zeek, <...>/Zeek_Unified2.types.bif.zeek) -> -1
@@ -799,6 +831,7 @@
 0.000000   MetaHookPost  LoadFile(0, ./bloom-filter.bif.zeek, <...>/bloom-filter.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./broker, <...>/broker.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./cardinality-counter.bif.zeek, <...>/cardinality-counter.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, ./certificate-event-cache, <...>/certificate-event-cache.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./comm.bif.zeek, <...>/comm.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./const-dos-error, <...>/const-dos-error.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./const-nt-status, <...>/const-nt-status.zeek) -> -1
@@ -825,9 +858,11 @@
 0.000000   MetaHookPost  LoadFile(0, ./input.bif.zeek, <...>/input.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./last, <...>/last.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./log, <...>/log.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, ./log-ocsp, <...>/log-ocsp.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./logging.bif.zeek, <...>/logging.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./magic, <...>/magic) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./main, <...>/main.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, ./main.zeek, <...>/main.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./max, <...>/max.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./messaging.bif.zeek, <...>/messaging.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, ./min, <...>/min.zeek) -> -1
@@ -894,13 +929,16 @@
 0.000000   MetaHookPost  LoadFile(0, base/init-frameworks-and-bifs.zeek, <...>/init-frameworks-and-bifs.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base/packet-protocols, <...>/packet-protocols) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/CPP-load.bif, <...>/CPP-load.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, base<...>/Zeek_GTPv1.functions.bif, <...>/Zeek_GTPv1.functions.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/Zeek_KRB.types.bif, <...>/Zeek_KRB.types.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/Zeek_SNMP.types.bif, <...>/Zeek_SNMP.types.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, base<...>/Zeek_Teredo.functions.bif, <...>/Zeek_Teredo.functions.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/active-http, <...>/active-http.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/addrs, <...>/addrs.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/analyzer, <...>/analyzer) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/analyzer.bif, <...>/analyzer.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/api, <...>/api.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, base<...>/ayiya, <...>/ayiya) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/backtrace, <...>/backtrace.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/broker, <...>/broker) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/cluster, <...>/cluster) -> -1
@@ -930,8 +968,10 @@
 0.000000   MetaHookPost  LoadFile(0, base<...>/find-checksum-offloading, <...>/find-checksum-offloading.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/find-filtered-trace, <...>/find-filtered-trace.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/ftp, <...>/ftp) -> -1
+0.000000   MetaHookPost  LoadFile(0, base<...>/geneve, <...>/geneve) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/geoip-distance, <...>/geoip-distance.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/gre, <...>/gre) -> -1
+0.000000   MetaHookPost  LoadFile(0, base<...>/gtpv1, <...>/gtpv1) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/hash, <...>/hash) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/hash_hrw, <...>/hash_hrw.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/http, <...>/http) -> -1
@@ -950,6 +990,7 @@
 0.000000   MetaHookPost  LoadFile(0, base<...>/logging, <...>/logging) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/logging.bif, <...>/logging.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/main, <...>/main.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, base<...>/main.zeek, <...>/main.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/messaging.bif, <...>/messaging.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/modbus, <...>/modbus) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/mpls, <...>/mpls) -> -1
@@ -1001,6 +1042,7 @@
 0.000000   MetaHookPost  LoadFile(0, base<...>/supervisor.bif, <...>/supervisor.bif.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/syslog, <...>/syslog) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/tcp, <...>/tcp) -> -1
+0.000000   MetaHookPost  LoadFile(0, base<...>/teredo, <...>/teredo) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/thresholds, <...>/thresholds.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/time, <...>/time.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/tunnels, <...>/tunnels) -> -1
@@ -1011,10 +1053,14 @@
 0.000000   MetaHookPost  LoadFile(0, base<...>/version, <...>/version.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/vlan, <...>/vlan) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/vntag, <...>/vntag) -> -1
+0.000000   MetaHookPost  LoadFile(0, base<...>/vxlan, <...>/vxlan) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/weird, <...>/weird.zeek) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/x509, <...>/x509) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/xmpp, <...>/xmpp) -> -1
 0.000000   MetaHookPost  LoadFile(0, base<...>/zeek.bif, <...>/zeek.bif.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, builtin-plugins/__load__.zeek, <...>/__load__.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, builtin-plugins/__preload__.zeek, <...>/__preload__.zeek) -> -1
+0.000000   MetaHookPost  LoadFile(0, s1.sig, ./s1.sig) -> -1
 0.000000   MetaHookPost  LoadFile(1, ./archive, <...>/archive.sig) -> -1
 0.000000   MetaHookPost  LoadFile(1, ./audio, <...>/audio.sig) -> -1
 0.000000   MetaHookPost  LoadFile(1, ./dpd.sig, <...>/dpd.sig) -> -1
@@ -1027,14 +1073,390 @@
 0.000000   MetaHookPost  LoadFile(1, ./office, <...>/office.sig) -> -1
 0.000000   MetaHookPost  LoadFile(1, ./programming, <...>/programming.sig) -> -1
 0.000000   MetaHookPost  LoadFile(1, ./video, <...>/video.sig) -> -1
+0.000000   MetaHookPost  LoadFile(1, s2, ./s2.sig) -> -1
+0.000000   MetaHookPost  LoadFileExtended(0, ../main, <...>/main.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ../plugin, <...>/plugin.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./CPP-load.bif.zeek, <...>/CPP-load.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_ARP.events.bif.zeek, <...>/Zeek_ARP.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_AsciiReader.ascii.bif.zeek, <...>/Zeek_AsciiReader.ascii.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_AsciiWriter.ascii.bif.zeek, <...>/Zeek_AsciiWriter.ascii.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_BenchmarkReader.benchmark.bif.zeek, <...>/Zeek_BenchmarkReader.benchmark.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_BinaryReader.binary.bif.zeek, <...>/Zeek_BinaryReader.binary.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_BitTorrent.events.bif.zeek, <...>/Zeek_BitTorrent.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_ConfigReader.config.bif.zeek, <...>/Zeek_ConfigReader.config.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_ConnSize.events.bif.zeek, <...>/Zeek_ConnSize.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_ConnSize.functions.bif.zeek, <...>/Zeek_ConnSize.functions.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_DCE_RPC.consts.bif.zeek, <...>/Zeek_DCE_RPC.consts.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_DCE_RPC.events.bif.zeek, <...>/Zeek_DCE_RPC.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_DCE_RPC.types.bif.zeek, <...>/Zeek_DCE_RPC.types.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_DHCP.events.bif.zeek, <...>/Zeek_DHCP.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_DHCP.types.bif.zeek, <...>/Zeek_DHCP.types.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_DNP3.events.bif.zeek, <...>/Zeek_DNP3.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_DNS.events.bif.zeek, <...>/Zeek_DNS.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_FTP.events.bif.zeek, <...>/Zeek_FTP.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_FTP.functions.bif.zeek, <...>/Zeek_FTP.functions.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_File.events.bif.zeek, <...>/Zeek_File.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_FileEntropy.events.bif.zeek, <...>/Zeek_FileEntropy.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_FileExtract.events.bif.zeek, <...>/Zeek_FileExtract.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_FileExtract.functions.bif.zeek, <...>/Zeek_FileExtract.functions.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_FileHash.events.bif.zeek, <...>/Zeek_FileHash.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Finger.events.bif.zeek, <...>/Zeek_Finger.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_GSSAPI.events.bif.zeek, <...>/Zeek_GSSAPI.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_GTPv1.events.bif.zeek, <...>/Zeek_GTPv1.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_GTPv1.functions.bif.zeek, <...>/Zeek_GTPv1.functions.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Geneve.events.bif.zeek, <...>/Zeek_Geneve.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Gnutella.events.bif.zeek, <...>/Zeek_Gnutella.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_HTTP.events.bif.zeek, <...>/Zeek_HTTP.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_HTTP.functions.bif.zeek, <...>/Zeek_HTTP.functions.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_ICMP.events.bif.zeek, <...>/Zeek_ICMP.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_IMAP.events.bif.zeek, <...>/Zeek_IMAP.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_IRC.events.bif.zeek, <...>/Zeek_IRC.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Ident.events.bif.zeek, <...>/Zeek_Ident.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_KRB.events.bif.zeek, <...>/Zeek_KRB.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_KRB.types.bif.zeek, <...>/Zeek_KRB.types.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Login.events.bif.zeek, <...>/Zeek_Login.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Login.functions.bif.zeek, <...>/Zeek_Login.functions.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_MIME.events.bif.zeek, <...>/Zeek_MIME.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_MQTT.events.bif.zeek, <...>/Zeek_MQTT.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_MQTT.types.bif.zeek, <...>/Zeek_MQTT.types.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Modbus.events.bif.zeek, <...>/Zeek_Modbus.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_MySQL.events.bif.zeek, <...>/Zeek_MySQL.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_NCP.consts.bif.zeek, <...>/Zeek_NCP.consts.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_NCP.events.bif.zeek, <...>/Zeek_NCP.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_NTLM.events.bif.zeek, <...>/Zeek_NTLM.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_NTLM.types.bif.zeek, <...>/Zeek_NTLM.types.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_NTP.events.bif.zeek, <...>/Zeek_NTP.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_NTP.types.bif.zeek, <...>/Zeek_NTP.types.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_NetBIOS.events.bif.zeek, <...>/Zeek_NetBIOS.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_NetBIOS.functions.bif.zeek, <...>/Zeek_NetBIOS.functions.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_NoneWriter.none.bif.zeek, <...>/Zeek_NoneWriter.none.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_PE.events.bif.zeek, <...>/Zeek_PE.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_POP3.events.bif.zeek, <...>/Zeek_POP3.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_RADIUS.events.bif.zeek, <...>/Zeek_RADIUS.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_RDP.events.bif.zeek, <...>/Zeek_RDP.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_RDP.types.bif.zeek, <...>/Zeek_RDP.types.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_RFB.events.bif.zeek, <...>/Zeek_RFB.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_RPC.events.bif.zeek, <...>/Zeek_RPC.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_RawReader.raw.bif.zeek, <...>/Zeek_RawReader.raw.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SIP.events.bif.zeek, <...>/Zeek_SIP.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.consts.bif.zeek, <...>/Zeek_SMB.consts.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.events.bif.zeek, <...>/Zeek_SMB.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb1_com_check_directory.bif.zeek, <...>/Zeek_SMB.smb1_com_check_directory.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb1_com_close.bif.zeek, <...>/Zeek_SMB.smb1_com_close.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb1_com_create_directory.bif.zeek, <...>/Zeek_SMB.smb1_com_create_directory.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb1_com_echo.bif.zeek, <...>/Zeek_SMB.smb1_com_echo.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb1_com_logoff_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_logoff_andx.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb1_com_negotiate.bif.zeek, <...>/Zeek_SMB.smb1_com_negotiate.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb1_com_nt_cancel.bif.zeek, <...>/Zeek_SMB.smb1_com_nt_cancel.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb1_com_nt_create_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_nt_create_andx.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb1_com_query_information.bif.zeek, <...>/Zeek_SMB.smb1_com_query_information.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb1_com_read_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_read_andx.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb1_com_session_setup_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_session_setup_andx.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb1_com_transaction.bif.zeek, <...>/Zeek_SMB.smb1_com_transaction.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb1_com_transaction2.bif.zeek, <...>/Zeek_SMB.smb1_com_transaction2.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek, <...>/Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb1_com_transaction_secondary.bif.zeek, <...>/Zeek_SMB.smb1_com_transaction_secondary.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb1_com_tree_disconnect.bif.zeek, <...>/Zeek_SMB.smb1_com_tree_disconnect.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb1_com_write_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_write_andx.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb1_events.bif.zeek, <...>/Zeek_SMB.smb1_events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb2_com_close.bif.zeek, <...>/Zeek_SMB.smb2_com_close.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb2_com_create.bif.zeek, <...>/Zeek_SMB.smb2_com_create.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb2_com_negotiate.bif.zeek, <...>/Zeek_SMB.smb2_com_negotiate.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb2_com_read.bif.zeek, <...>/Zeek_SMB.smb2_com_read.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb2_com_session_setup.bif.zeek, <...>/Zeek_SMB.smb2_com_session_setup.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb2_com_set_info.bif.zeek, <...>/Zeek_SMB.smb2_com_set_info.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb2_com_transform_header.bif.zeek, <...>/Zeek_SMB.smb2_com_transform_header.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb2_com_tree_connect.bif.zeek, <...>/Zeek_SMB.smb2_com_tree_connect.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb2_com_tree_disconnect.bif.zeek, <...>/Zeek_SMB.smb2_com_tree_disconnect.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb2_com_write.bif.zeek, <...>/Zeek_SMB.smb2_com_write.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.smb2_events.bif.zeek, <...>/Zeek_SMB.smb2_events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMB.types.bif.zeek, <...>/Zeek_SMB.types.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMTP.events.bif.zeek, <...>/Zeek_SMTP.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SMTP.functions.bif.zeek, <...>/Zeek_SMTP.functions.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SNMP.events.bif.zeek, <...>/Zeek_SNMP.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SNMP.types.bif.zeek, <...>/Zeek_SNMP.types.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SOCKS.events.bif.zeek, <...>/Zeek_SOCKS.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SQLiteReader.sqlite.bif.zeek, <...>/Zeek_SQLiteReader.sqlite.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SQLiteWriter.sqlite.bif.zeek, <...>/Zeek_SQLiteWriter.sqlite.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SSH.events.bif.zeek, <...>/Zeek_SSH.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SSH.types.bif.zeek, <...>/Zeek_SSH.types.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SSL.consts.bif.zeek, <...>/Zeek_SSL.consts.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SSL.events.bif.zeek, <...>/Zeek_SSL.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SSL.functions.bif.zeek, <...>/Zeek_SSL.functions.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_SSL.types.bif.zeek, <...>/Zeek_SSL.types.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Syslog.events.bif.zeek, <...>/Zeek_Syslog.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_TCP.events.bif.zeek, <...>/Zeek_TCP.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Teredo.events.bif.zeek, <...>/Zeek_Teredo.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Teredo.functions.bif.zeek, <...>/Zeek_Teredo.functions.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_UDP.events.bif.zeek, <...>/Zeek_UDP.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Unified2.events.bif.zeek, <...>/Zeek_Unified2.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_Unified2.types.bif.zeek, <...>/Zeek_Unified2.types.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_VXLAN.events.bif.zeek, <...>/Zeek_VXLAN.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_X509.events.bif.zeek, <...>/Zeek_X509.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_X509.functions.bif.zeek, <...>/Zeek_X509.functions.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_X509.ocsp_events.bif.zeek, <...>/Zeek_X509.ocsp_events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_X509.types.bif.zeek, <...>/Zeek_X509.types.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./Zeek_XMPP.events.bif.zeek, <...>/Zeek_XMPP.events.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./acld, <...>/acld.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./addrs, <...>/addrs.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./analyzer.bif.zeek, <...>/analyzer.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./api, <...>/api.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./average, <...>/average.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./bloom-filter.bif.zeek, <...>/bloom-filter.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./broker, <...>/broker.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./cardinality-counter.bif.zeek, <...>/cardinality-counter.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./certificate-event-cache, <...>/certificate-event-cache.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./comm.bif.zeek, <...>/comm.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./const-dos-error, <...>/const-dos-error.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./const-nt-status, <...>/const-nt-status.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./const.bif.zeek, <...>/const.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./consts, <...>/consts.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./contents, <...>/contents.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./control, <...>/control.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./ct-list, <...>/ct-list.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./data.bif.zeek, <...>/data.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./dcc-send, <...>/dcc-send.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./debug, <...>/debug.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./drop, <...>/drop.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./entities, <...>/entities.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./event.bif.zeek, <...>/event.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./exec, <...>/exec.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./file_analysis.bif.zeek, <...>/file_analysis.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./files, <...>/files.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./gridftp, <...>/gridftp.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./hll_unique, <...>/hll_unique.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./hooks.bif.zeek, <...>/hooks.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./inactivity, <...>/inactivity.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./info, <...>/info.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./input, <...>/input.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./input.bif.zeek, <...>/input.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./last, <...>/last.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./log, <...>/log.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./log-ocsp, <...>/log-ocsp.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./logging.bif.zeek, <...>/logging.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./magic, <...>/magic) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./main, <...>/main.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./main.zeek, <...>/main.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./max, <...>/max.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./messaging.bif.zeek, <...>/messaging.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./min, <...>/min.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./mozilla-ca-list, <...>/mozilla-ca-list.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./netstats, <...>/netstats.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./non-cluster, <...>/non-cluster.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./openflow, <...>/openflow.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./option.bif.zeek, <...>/option.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./packet_analysis.bif.zeek, <...>/packet_analysis.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./packetfilter, <...>/packetfilter.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./patterns, <...>/patterns.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./pcap.bif.zeek, <...>/pcap.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./plugin, <...>/plugin.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./plugins, <...>/plugins) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./polling, <...>/polling.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./pools, <...>/pools.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./postprocessors, <...>/postprocessors) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./removal-hooks, <...>/removal-hooks.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./reporter.bif.zeek, <...>/reporter.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./ryu, <...>/ryu.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./sample, <...>/sample.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./scp, <...>/scp.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./sftp, <...>/sftp.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./shunt, <...>/shunt.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./site, <...>/site.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./smb1-main, <...>/smb1-main.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./smb2-main, <...>/smb2-main.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./stats.bif.zeek, <...>/stats.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./std-dev, <...>/std-dev.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./store, <...>/store.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./store.bif.zeek, <...>/store.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./strings.bif.zeek, <...>/strings.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./sum, <...>/sum.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./supervisor.bif.zeek, <...>/supervisor.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./telemetry.bif.zeek, <...>/telemetry.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./thresholds, <...>/thresholds.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./top-k.bif.zeek, <...>/top-k.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./topk, <...>/topk.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./types, <...>/types.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./types.bif.zeek, <...>/types.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./unique, <...>/unique.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./utils, <...>/utils.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./utils-commands, <...>/utils-commands.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./variance, <...>/variance.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./weird, <...>/weird.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./zeek.bif.zeek, <...>/zeek.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, ./zeekygen.bif.zeek, <...>/zeekygen.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, .<...>/add-geodata, <...>/add-geodata.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, .<...>/ascii, <...>/ascii.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, .<...>/benchmark, <...>/benchmark.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, .<...>/binary, <...>/binary.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, .<...>/config, <...>/config.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, .<...>/email_admin, <...>/email_admin.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, .<...>/none, <...>/none.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, .<...>/page, <...>/page.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, .<...>/pp-alarms, <...>/pp-alarms.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, .<...>/raw, <...>/raw.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, .<...>/sqlite, <...>/sqlite.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, <...>/__load__.zeek, <...>/__load__.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, <...>/__preload__.zeek, <...>/__preload__.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, <...>/hooks.zeek, <...>/hooks.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base/bif, <...>/bif) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base/init-default, <...>/init-default.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base/init-frameworks-and-bifs.zeek, <...>/init-frameworks-and-bifs.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base/packet-protocols, <...>/packet-protocols) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/CPP-load.bif, <...>/CPP-load.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/Zeek_GTPv1.functions.bif, <...>/Zeek_GTPv1.functions.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/Zeek_KRB.types.bif, <...>/Zeek_KRB.types.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/Zeek_SNMP.types.bif, <...>/Zeek_SNMP.types.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/Zeek_Teredo.functions.bif, <...>/Zeek_Teredo.functions.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/active-http, <...>/active-http.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/addrs, <...>/addrs.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/analyzer, <...>/analyzer) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/analyzer.bif, <...>/analyzer.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/api, <...>/api.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/ayiya, <...>/ayiya) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/backtrace, <...>/backtrace.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/broker, <...>/broker) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/cluster, <...>/cluster) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/comm.bif, <...>/comm.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/config, <...>/config) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/conn, <...>/conn) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/conn-ids, <...>/conn-ids.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/const.bif, <...>/const.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/control, <...>/control) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/data.bif, <...>/data.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/dce-rpc, <...>/dce-rpc) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/dhcp, <...>/dhcp) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/dir, <...>/dir.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/directions-and-hosts, <...>/directions-and-hosts.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/dnp3, <...>/dnp3) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/dns, <...>/dns) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/dpd, <...>/dpd) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/email, <...>/email.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/ethernet, <...>/ethernet) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/event.bif, <...>/event.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/exec, <...>/exec.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/extract, <...>/extract) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/fddi, <...>/fddi) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/file_analysis.bif, <...>/file_analysis.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/files, <...>/files) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/files, <...>/files.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/find-checksum-offloading, <...>/find-checksum-offloading.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/find-filtered-trace, <...>/find-filtered-trace.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/ftp, <...>/ftp) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/geneve, <...>/geneve) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/geoip-distance, <...>/geoip-distance.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/gre, <...>/gre) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/gtpv1, <...>/gtpv1) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/hash, <...>/hash) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/hash_hrw, <...>/hash_hrw.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/http, <...>/http) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/icmp, <...>/icmp) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/ieee802_11, <...>/ieee802_11) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/ieee802_11_radio, <...>/ieee802_11_radio) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/imap, <...>/imap) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/input, <...>/input) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/input.bif, <...>/input.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/intel, <...>/intel) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/ip, <...>/ip) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/iptunnel, <...>/iptunnel) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/irc, <...>/irc) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/krb, <...>/krb) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/linux_sll, <...>/linux_sll) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/logging, <...>/logging) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/logging.bif, <...>/logging.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/main, <...>/main.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/main.zeek, <...>/main.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/messaging.bif, <...>/messaging.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/modbus, <...>/modbus) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/mpls, <...>/mpls) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/mqtt, <...>/mqtt) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/mysql, <...>/mysql) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/netcontrol, <...>/netcontrol) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/nflog, <...>/nflog) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/notice, <...>/notice) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/ntlm, <...>/ntlm) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/ntp, <...>/ntp) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/null, <...>/null) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/numbers, <...>/numbers.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/openflow, <...>/openflow) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/option.bif, <...>/option.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/packet-filter, <...>/packet-filter) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/packet_analysis.bif, <...>/packet_analysis.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/paths, <...>/paths.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/patterns, <...>/patterns.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/pe, <...>/pe) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/plugins, <...>/plugins) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/pop3, <...>/pop3) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/ppp_serial, <...>/ppp_serial) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/pppoe, <...>/pppoe) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/queue, <...>/queue.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/radius, <...>/radius) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/rdp, <...>/rdp) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/removal-hooks, <...>/removal-hooks.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/reporter, <...>/reporter) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/reporter.bif, <...>/reporter.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/rfb, <...>/rfb) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/root, <...>/root) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/signatures, <...>/signatures) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/sip, <...>/sip) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/site, <...>/site.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/skip, <...>/skip) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/smb, <...>/smb) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/smtp, <...>/smtp) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/snmp, <...>/snmp) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/socks, <...>/socks) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/software, <...>/software) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/ssh, <...>/ssh) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/ssl, <...>/ssl) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/stats.bif, <...>/stats.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/store.bif, <...>/store.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/strings, <...>/strings.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/strings.bif, <...>/strings.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/sumstats, <...>/sumstats) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/supervisor, <...>/supervisor) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/supervisor.bif, <...>/supervisor.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/syslog, <...>/syslog) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/tcp, <...>/tcp) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/teredo, <...>/teredo) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/thresholds, <...>/thresholds.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/time, <...>/time.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/tunnels, <...>/tunnels) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/types.bif, <...>/types.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/udp, <...>/udp) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/urls, <...>/urls.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/utils, <...>/utils.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/version, <...>/version.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/vlan, <...>/vlan) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/vntag, <...>/vntag) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/vxlan, <...>/vxlan) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/weird, <...>/weird.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/x509, <...>/x509) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/xmpp, <...>/xmpp) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, base<...>/zeek.bif, <...>/zeek.bif.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, builtin-plugins/__load__.zeek, <...>/__load__.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, builtin-plugins/__preload__.zeek, <...>/__preload__.zeek) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(0, s1.sig, ./s1.sig) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(1, ./archive, <...>/archive.sig) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(1, ./audio, <...>/audio.sig) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(1, ./dpd.sig, <...>/dpd.sig) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(1, ./executable, <...>/executable.sig) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(1, ./font, <...>/font.sig) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(1, ./general, <...>/general.sig) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(1, ./image, <...>/image.sig) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(1, ./java, <...>/java.sig) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(1, ./libmagic, <...>/libmagic.sig) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(1, ./office, <...>/office.sig) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(1, ./programming, <...>/programming.sig) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(1, ./video, <...>/video.sig) -> (-1, <no content>)
+0.000000   MetaHookPost  LoadFileExtended(1, s2, ./s2.sig) -> (-1, <no content>)
 0.000000   MetaHookPost  LogInit(Log::WRITER_ASCII, default, true, true, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}) -> <void>
 0.000000   MetaHookPost  LogWrite(Log::WRITER_ASCII, default, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}, <void ptr>) -> true
 0.000000   MetaHookPost  QueueEvent(NetControl::init()) -> false
 0.000000   MetaHookPost  QueueEvent(filter_change_tracking()) -> false
 0.000000   MetaHookPost  QueueEvent(zeek_init()) -> false
-0.000000   MetaHookPre   CallFunction(Analyzer::__disable_analyzer, <frame>, (Analyzer::ANALYZER_STEPPINGSTONE))
 0.000000   MetaHookPre   CallFunction(Analyzer::__disable_analyzer, <frame>, (Analyzer::ANALYZER_TCPSTATS))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_AYIYA, 5072/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DCE_RPC, 135/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DHCP, 4011/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DHCP, 67/udp))
@@ -1049,9 +1471,6 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_DTLS, 443/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 21/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 2811/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_GENEVE, 6081/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_GTPV1, 2123/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_GTPV1, 2152/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 1080/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 3128/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 631/tcp))
@@ -1095,13 +1514,9 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 993/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 995/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_SYSLOG, 514/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_TEREDO, 3544/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_VXLAN, 4789/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_STEPPINGSTONE))
 0.000000   MetaHookPre   CallFunction(Analyzer::disable_analyzer, <frame>, (Analyzer::ANALYZER_TCPSTATS))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_AYIYA, 5072/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_DCE_RPC, 135/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_DHCP, 4011/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_DHCP, 67/udp))
@@ -1116,9 +1531,6 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_DTLS, 443/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 21/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_FTP, 2811/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_GENEVE, 6081/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_GTPV1, 2123/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_GTPV1, 2152/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 1080/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 3128/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_HTTP, 631/tcp))
@@ -1162,19 +1574,14 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 993/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_SSL, 995/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_SYSLOG, 514/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_TEREDO, 3544/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_VXLAN, 4789/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5222/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, <frame>, (Analyzer::ANALYZER_XMPP, 5269/tcp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_AYIYA, {5072/udp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DCE_RPC, {135/tcp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DHCP, {67<...>/udp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DNP3_TCP, {20000<...>/tcp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DNS, {5353<...>/tcp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_DTLS, {443/udp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_FTP, {2811<...>/tcp}))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_GENEVE, {6081/udp}))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_GTPV1, {2152<...>/udp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_HTTP, {80<...>/tcp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_IMAP, {143/tcp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_IRC, {6666<...>/tcp}))
@@ -1194,8 +1601,6 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_SSH, {22/tcp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_SSL, {563<...>/tcp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_SYSLOG, {514/udp}))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_TEREDO, {3544/udp}))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_VXLAN, {4789/udp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, <frame>, (Analyzer::ANALYZER_XMPP, {5222<...>/tcp}))
 0.000000   MetaHookPre   CallFunction(Broker::__set_metrics_export_endpoint_name, <frame>, ())
 0.000000   MetaHookPre   CallFunction(Broker::__set_metrics_export_interval, <frame>, (1.0 sec))
@@ -1217,6 +1622,7 @@
 0.000000   MetaHookPre   CallFunction(Files::register_for_mime_type, <frame>, (Files::ANALYZER_MD5, application/pkix-cert))
 0.000000   MetaHookPre   CallFunction(Files::register_for_mime_type, <frame>, (Files::ANALYZER_MD5, application/x-x509-ca-cert))
 0.000000   MetaHookPre   CallFunction(Files::register_for_mime_type, <frame>, (Files::ANALYZER_MD5, application/x-x509-user-cert))
+0.000000   MetaHookPre   CallFunction(Files::register_for_mime_type, <frame>, (Files::ANALYZER_OCSP_REPLY, application/ocsp-response))
 0.000000   MetaHookPre   CallFunction(Files::register_for_mime_type, <frame>, (Files::ANALYZER_PE, application/x-dosexec))
 0.000000   MetaHookPre   CallFunction(Files::register_for_mime_type, <frame>, (Files::ANALYZER_SHA1, application/pkix-cert))
 0.000000   MetaHookPre   CallFunction(Files::register_for_mime_type, <frame>, (Files::ANALYZER_SHA1, application/x-x509-ca-cert))
@@ -1234,7 +1640,7 @@
 0.000000   MetaHookPre   CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ <internal>::#0 = IRC::c$start_time<internal>::#1 = IRC::c$id<internal>::#2 = cat(Analyzer::ANALYZER_IRC_DATA, <internal>::#0, <internal>::#1, IRC::is_orig)return (<internal>::#2)}, describe=lambda_<15770440363500096069>{ return ()}]))
 0.000000   MetaHookPre   CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_KRB, [get_file_handle=KRB::get_file_handlereturn (), describe=KRB::describe_file{ <init> KRB::cid, KRB::c<internal>::#1 = KRB::f$sourceif (<internal>::#1 != KRB_TCP) { <internal>::#0 = KRB::f$sourceif (<internal>::#0 != KRB) return ()}if (KRB::f?$info) { <internal>::#4 = KRB::f$infoif (<internal>::#4?$x509) { <internal>::#2 = KRB::f$info<internal>::#3 = <internal>::#2$x509if (<internal>::#3?$certificate) elsereturn ()}elsereturn ()}elsereturn ()<internal>::#5 = KRB::f$connsfor ([KRB::cid] in <internal>::#5) if (KRB::c?$krb) { <internal>::#6 = KRB::c$id<internal>::#7 = <internal>::#6$resp_h<internal>::#8 = KRB::c$id<internal>::#9 = <internal>::#8$resp_p<internal>::#10 = cat(<internal>::#7, :, <internal>::#9)return (<internal>::#10)}<internal>::#11 = KRB::f$info<internal>::#12 = <internal>::#11$x509<internal>::#13 = <internal>::#12$certificate<internal>::#14 = <internal>::#13$serial<internal>::#15 = KRB::f$info<internal>::#16 = <internal>::#15$x509<internal>::#17 = <internal>::#16$certificate<internal>::#18 = <internal>::#17$subject<internal>::#19 = KRB::f$info<internal>::#20 = <internal>::#19$x509<internal>::#21 = <internal>::#20$certificate<internal>::#22 = <internal>::#21$issuer<internal>::#23 = cat(Serial: , <internal>::#14,  Subject: , <internal>::#18,  Issuer: , <internal>::#22)return (<internal>::#23)}]))
 0.000000   MetaHookPre   CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_KRB_TCP, [get_file_handle=KRB::get_file_handlereturn (), describe=KRB::describe_file{ <init> KRB::cid, KRB::c<internal>::#1 = KRB::f$sourceif (<internal>::#1 != KRB_TCP) { <internal>::#0 = KRB::f$sourceif (<internal>::#0 != KRB) return ()}if (KRB::f?$info) { <internal>::#4 = KRB::f$infoif (<internal>::#4?$x509) { <internal>::#2 = KRB::f$info<internal>::#3 = <internal>::#2$x509if (<internal>::#3?$certificate) elsereturn ()}elsereturn ()}elsereturn ()<internal>::#5 = KRB::f$connsfor ([KRB::cid] in <internal>::#5) if (KRB::c?$krb) { <internal>::#6 = KRB::c$id<internal>::#7 = <internal>::#6$resp_h<internal>::#8 = KRB::c$id<internal>::#9 = <internal>::#8$resp_p<internal>::#10 = cat(<internal>::#7, :, <internal>::#9)return (<internal>::#10)}<internal>::#11 = KRB::f$info<internal>::#12 = <internal>::#11$x509<internal>::#13 = <internal>::#12$certificate<internal>::#14 = <internal>::#13$serial<internal>::#15 = KRB::f$info<internal>::#16 = <internal>::#15$x509<internal>::#17 = <internal>::#16$certificate<internal>::#18 = <internal>::#17$subject<internal>::#19 = KRB::f$info<internal>::#20 = <internal>::#19$x509<internal>::#21 = <internal>::#20$certificate<internal>::#22 = <internal>::#21$issuer<internal>::#23 = cat(Serial: , <internal>::#14,  Subject: , <internal>::#18,  Issuer: , <internal>::#22)return (<internal>::#23)}]))
-0.000000   MetaHookPre   CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ <internal>::#4 = SMB::c$smb_stateif (<internal>::#4?$current_file) { <internal>::#2 = SMB::c$smb_state<internal>::#3 = <internal>::#2$current_fileif (<internal>::#3?$name) else{ <internal>::#0 = SMB::c$smb_state<internal>::#1 = <internal>::#0$current_fileif (<internal>::#1?$path) elsereturn ()}}elsereturn ()<internal>::#5 = SMB::c$smb_stateSMB::current_file = <internal>::#5$current_file<internal>::#6 = SMB::current_file?$pathif (<internal>::#6) <internal>::#7 = SMB::current_file$path<internal>::#8 = <internal>::#6 ? <internal>::#7 : SMB::path_name = <internal>::#8<internal>::#9 = SMB::current_file?$nameif (<internal>::#9) <internal>::#10 = SMB::current_file$name<internal>::#11 = <internal>::#9 ? <internal>::#10 : SMB::file_name = <internal>::#11<internal>::#12 = SMB::current_file?$timesif (<internal>::#12) { <internal>::#13 = SMB::current_file$times<internal>::#14 = <internal>::#13$modified}else<internal>::#15 = double_to_time(0.0)<internal>::#16 = <internal>::#12 ? <internal>::#14 : <internal>::#15SMB::last_mod = cat(<internal>::#16)<internal>::#17 = SMB::c$id<internal>::#18 = <internal>::#17$orig_h<internal>::#19 = SMB::c$id<internal>::#20 = <internal>::#19$resp_h<internal>::#21 = cat(Analyzer::ANALYZER_SMB, <internal>::#18, <internal>::#20, SMB::path_name, SMB::file_name, SMB::last_mod)<internal>::#22 = hexdump(<internal>::#21)return (<internal>::#22)}, describe=SMB::describe_file{ <init> SMB::cid, SMB::c<internal>::#0 = SMB::f$sourceif (<internal>::#0 != SMB) return ()<internal>::#1 = SMB::f$connsfor ([SMB::cid] in <internal>::#1) if (SMB::c?$smb_state) { <internal>::#7 = SMB::c$smb_stateif (<internal>::#7?$current_file) { <internal>::#5 = SMB::c$smb_state<internal>::#6 = <internal>::#5$current_fileif (<internal>::#6?$name) { <internal>::#2 = SMB::c$smb_state<internal>::#3 = <internal>::#2$current_file<internal>::#4 = <internal>::#3$namereturn (<internal>::#4)}}}return ()}]))
+0.000000   MetaHookPre   CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ <internal>::#4 = SMB::c$smb_stateif (<internal>::#4?$current_file) { <internal>::#2 = SMB::c$smb_state<internal>::#3 = <internal>::#2$current_fileif (<internal>::#3?$name) else{ <internal>::#0 = SMB::c$smb_state<internal>::#1 = <internal>::#0$current_fileif (<internal>::#1?$path) elsereturn ()}}elsereturn ()<internal>::#5 = SMB::c$smb_stateSMB::current_file = <internal>::#5$current_file<internal>::#6 = SMB::current_file?$pathif (<internal>::#6) <internal>::#7 = SMB::current_file$path<internal>::#8 = <internal>::#6 ? <internal>::#7 : SMB::path_name = <internal>::#8<internal>::#9 = SMB::current_file?$nameif (<internal>::#9) <internal>::#10 = SMB::current_file$name<internal>::#11 = <internal>::#9 ? <internal>::#10 : SMB::file_name = <internal>::#11<internal>::#12 = SMB::current_file?$timesif (<internal>::#12) { <internal>::#13 = SMB::current_file$times<internal>::#14 = <internal>::#13$modified_raw}<internal>::#15 = <internal>::#12 ? <internal>::#14 : 0SMB::last_mod = cat(<internal>::#15)<internal>::#16 = SMB::c$id<internal>::#17 = <internal>::#16$orig_h<internal>::#18 = SMB::c$id<internal>::#19 = <internal>::#18$resp_h<internal>::#20 = cat(Analyzer::ANALYZER_SMB, <internal>::#17, <internal>::#19, SMB::path_name, SMB::file_name, SMB::last_mod)<internal>::#21 = hexdump(<internal>::#20)return (<internal>::#21)}, describe=SMB::describe_file{ <init> SMB::cid, SMB::c<internal>::#0 = SMB::f$sourceif (<internal>::#0 != SMB) return ()<internal>::#1 = SMB::f$connsfor ([SMB::cid] in <internal>::#1) if (SMB::c?$smb_state) { <internal>::#7 = SMB::c$smb_stateif (<internal>::#7?$current_file) { <internal>::#5 = SMB::c$smb_state<internal>::#6 = <internal>::#5$current_fileif (<internal>::#6?$name) { <internal>::#2 = SMB::c$smb_state<internal>::#3 = <internal>::#2$current_file<internal>::#4 = <internal>::#3$namereturn (<internal>::#4)}}}return ()}]))
 0.000000   MetaHookPre   CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ <internal>::#0 = SMTP::c$start_time<internal>::#1 = SMTP::c$smtp<internal>::#2 = <internal>::#1$trans_depth<internal>::#3 = SMTP::c$smtp_state<internal>::#4 = <internal>::#3$mime_depth<internal>::#5 = cat(Analyzer::ANALYZER_SMTP, <internal>::#0, <internal>::#2, <internal>::#4)return (<internal>::#5)}, describe=SMTP::describe_file{ <init> SMTP::cid, SMTP::c<internal>::#0 = SMTP::f$sourceif (<internal>::#0 != SMTP) return ()<internal>::#1 = SMTP::f$connsfor ([SMTP::cid] in <internal>::#1) { <internal>::#2 = SMTP::c$smtp<internal>::#3 = SMTP::describe(<internal>::#2)return (<internal>::#3)}return ()}]))
 0.000000   MetaHookPre   CallFunction(Files::register_protocol, <frame>, (Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handlereturn (), describe=SSL::describe_file{ <init> SSL::cid, SSL::c<internal>::#3 = SSL::f$sourceif (<internal>::#3 != SSL) return ()elseif (SSL::f?$info) { <internal>::#2 = SSL::f$infoif (<internal>::#2?$x509) { <internal>::#0 = SSL::f$info<internal>::#1 = <internal>::#0$x509if (<internal>::#1?$certificate) elsereturn ()}elsereturn ()}elsereturn ()<internal>::#4 = SSL::f$connsfor ([SSL::cid] in <internal>::#4) if (SSL::c?$ssl) { <internal>::#5 = SSL::c$id<internal>::#6 = <internal>::#5$resp_h<internal>::#7 = SSL::c$id<internal>::#8 = <internal>::#7$resp_p<internal>::#9 = cat(<internal>::#6, :, <internal>::#8)return (<internal>::#9)}<internal>::#10 = SSL::f$info<internal>::#11 = <internal>::#10$x509<internal>::#12 = <internal>::#11$certificate<internal>::#13 = <internal>::#12$serial<internal>::#14 = SSL::f$info<internal>::#15 = <internal>::#14$x509<internal>::#16 = <internal>::#15$certificate<internal>::#17 = <internal>::#16$subject<internal>::#18 = SSL::f$info<internal>::#19 = <internal>::#18$x509<internal>::#20 = <internal>::#19$certificate<internal>::#21 = <internal>::#20$issuer<internal>::#22 = cat(Serial: , <internal>::#13,  Subject: , <internal>::#17,  Issuer: , <internal>::#21)return (<internal>::#22)}]))
 0.000000   MetaHookPre   CallFunction(FilteredTraceDetection::should_detect, <null>, ())
@@ -1261,6 +1667,7 @@
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (NetControl::SHUNT, [name=default, writer=Log::WRITER_ASCII, path=netcontrol_shunt, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, path=notice_alarm, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, path=notice, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
+0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (OCSP::LOG, [name=default, writer=Log::WRITER_ASCII, path=ocsp, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (OpenFlow::LOG, [name=default, writer=Log::WRITER_ASCII, path=openflow, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (PE::LOG, [name=default, writer=Log::WRITER_ASCII, path=pe, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, path=packet_filter, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
@@ -1276,6 +1683,7 @@
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, path=socks, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (SSH::LOG, [name=default, writer=Log::WRITER_ASCII, path=ssh, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (SSL::LOG, [name=default, writer=Log::WRITER_ASCII, path=ssl, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
+0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (SSL::LOG, [name=default, writer=Log::WRITER_ASCII, path=ssl, path_func=<uninitialized>, include=<uninitialized>, exclude={issuer,client_subject,subject,client_issuer}, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (Signatures::LOG, [name=default, writer=Log::WRITER_ASCII, path=signatures, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (Software::LOG, [name=default, writer=Log::WRITER_ASCII, path=software, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
 0.000000   MetaHookPre   CallFunction(Log::__add_filter, <frame>, (Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, path=syslog, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
@@ -1293,7 +1701,7 @@
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (DNS::LOG, [columns=DNS::Info, ev=DNS::log_dns, path=dns, policy=DNS::log_policy]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (DPD::LOG, [columns=DPD::Info, ev=<uninitialized>, path=dpd, policy=DPD::log_policy]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (FTP::LOG, [columns=FTP::Info, ev=FTP::log_ftp, path=ftp, policy=FTP::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files, policy=Files::log_policy]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files, policy=Files::log_policyif ((F == X509::log_x509_in_files_log)) { <internal>::#0 = X509::rec$analyzersif ((X509 in <internal>::#0)) break }]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http, policy=HTTP::log_policy]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (IRC::LOG, [columns=IRC::Info, ev=IRC::irc_log, path=irc, policy=IRC::log_policy]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Intel::LOG, [columns=Intel::Info, ev=Intel::log_intel, path=intel, policy=Intel::log_policy]))
@@ -1306,6 +1714,7 @@
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (NetControl::SHUNT, [columns=NetControl::ShuntInfo, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt, policy=NetControl::log_policy_shunt]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Notice::ALARM_LOG, [columns=Notice::Info, ev=<uninitialized>, path=notice_alarm, policy=Notice::log_policy_alarm]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice, policy=Notice::log_policy]))
+0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (OCSP::LOG, [columns=OCSP::Info, ev=OCSP::log_ocsp, path=ocsp, policy=OCSP::log_policy]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (OpenFlow::LOG, [columns=OpenFlow::Info, ev=OpenFlow::log_openflow, path=openflow, policy=OpenFlow::log_policy]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (PE::LOG, [columns=PE::Info, ev=PE::log_pe, path=pe, policy=PE::log_policy]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, <frame>, (PacketFilter::LOG, [columns=PacketFilter::Info, ev=<uninitialized>, path=packet_filter, policy=PacketFilter::log_policy]))
@@ -1352,6 +1761,7 @@
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (NetControl::SHUNT))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Notice::ALARM_LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (Notice::LOG))
+0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (OCSP::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (OpenFlow::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (PE::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, <frame>, (PacketFilter::LOG))
@@ -1397,6 +1807,7 @@
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (NetControl::SHUNT, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (Notice::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
+0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (OCSP::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (OpenFlow::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (PE::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
@@ -1412,6 +1823,7 @@
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (SSH::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (SSL::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
+0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (SSL::LOG, [name=default, writer=Log::WRITER_ASCII, path=ssl, path_func=<uninitialized>, include=<uninitialized>, exclude={issuer,client_subject,subject,client_issuer}, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (Signatures::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (Software::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
 0.000000   MetaHookPre   CallFunction(Log::add_filter, <frame>, (Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>]))
@@ -1442,6 +1854,7 @@
 0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (NetControl::SHUNT, default))
 0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (Notice::ALARM_LOG, default))
 0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (Notice::LOG, default))
+0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (OCSP::LOG, default))
 0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (OpenFlow::LOG, default))
 0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (PE::LOG, default))
 0.000000   MetaHookPre   CallFunction(Log::add_stream_filters, <frame>, (PacketFilter::LOG, default))
@@ -1474,7 +1887,7 @@
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (DNS::LOG, [columns=DNS::Info, ev=DNS::log_dns, path=dns, policy=DNS::log_policy]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (DPD::LOG, [columns=DPD::Info, ev=<uninitialized>, path=dpd, policy=DPD::log_policy]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (FTP::LOG, [columns=FTP::Info, ev=FTP::log_ftp, path=ftp, policy=FTP::log_policy]))
-0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files, policy=Files::log_policy]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files, policy=Files::log_policyif ((F == X509::log_x509_in_files_log)) { <internal>::#0 = X509::rec$analyzersif ((X509 in <internal>::#0)) break }]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http, policy=HTTP::log_policy]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (IRC::LOG, [columns=IRC::Info, ev=IRC::irc_log, path=irc, policy=IRC::log_policy]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Intel::LOG, [columns=Intel::Info, ev=Intel::log_intel, path=intel, policy=Intel::log_policy]))
@@ -1487,6 +1900,7 @@
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (NetControl::SHUNT, [columns=NetControl::ShuntInfo, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt, policy=NetControl::log_policy_shunt]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Notice::ALARM_LOG, [columns=Notice::Info, ev=<uninitialized>, path=notice_alarm, policy=Notice::log_policy_alarm]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice, policy=Notice::log_policy]))
+0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (OCSP::LOG, [columns=OCSP::Info, ev=OCSP::log_ocsp, path=ocsp, policy=OCSP::log_policy]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (OpenFlow::LOG, [columns=OpenFlow::Info, ev=OpenFlow::log_openflow, path=openflow, policy=OpenFlow::log_policy]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (PE::LOG, [columns=PE::Info, ev=PE::log_pe, path=pe, policy=PE::log_policy]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (PacketFilter::LOG, [columns=PacketFilter::Info, ev=<uninitialized>, path=packet_filter, policy=PacketFilter::log_policy]))
@@ -1509,6 +1923,8 @@
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509, policy=X509::log_policy]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, <frame>, (mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql, policy=MySQL::log_policy]))
+0.000000   MetaHookPre   CallFunction(Log::get_filter, <frame>, (SSL::LOG, default))
+0.000000   MetaHookPre   CallFunction(Log::log_stream_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T], PacketFilter::LOG))
 0.000000   MetaHookPre   CallFunction(Log::write, <frame>, (PacketFilter::LOG, [ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(NetControl::check_plugins, <frame>, ())
 0.000000   MetaHookPre   CallFunction(NetControl::init, <null>, ())
@@ -1601,11 +2017,29 @@
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (X509::caching_required_encounters_interval, Config::config_option_changed{ <internal>::#0 = network_time()<internal>::#1 = lookup_ID(Config::ID)<internal>::#2 = Config::format_value(<internal>::#1)<internal>::#3 = Config::format_value(Config::new_value)Config::log = Config::Info($ts=<internal>::#0, $id=Config::ID, $old_value=<internal>::#2, $new_value=<internal>::#3)if ( != Config::location) Config::log$location $= Config::location<internal>::#4 = to_any_coerceConfig::logLog::write(Config::LOG, <internal>::#4)return (Config::new_value)}, -100))
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (X509::certificate_cache_max_entries, Config::config_option_changed{ <internal>::#0 = network_time()<internal>::#1 = lookup_ID(Config::ID)<internal>::#2 = Config::format_value(<internal>::#1)<internal>::#3 = Config::format_value(Config::new_value)Config::log = Config::Info($ts=<internal>::#0, $id=Config::ID, $old_value=<internal>::#2, $new_value=<internal>::#3)if ( != Config::location) Config::log$location $= Config::location<internal>::#4 = to_any_coerceConfig::logLog::write(Config::LOG, <internal>::#4)return (Config::new_value)}, -100))
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (X509::certificate_cache_minimum_eviction_interval, Config::config_option_changed{ <internal>::#0 = network_time()<internal>::#1 = lookup_ID(Config::ID)<internal>::#2 = Config::format_value(<internal>::#1)<internal>::#3 = Config::format_value(Config::new_value)Config::log = Config::Info($ts=<internal>::#0, $id=Config::ID, $old_value=<internal>::#2, $new_value=<internal>::#3)if ( != Config::location) Config::log$location $= Config::location<internal>::#4 = to_any_coerceConfig::logLog::write(Config::LOG, <internal>::#4)return (Config::new_value)}, -100))
+0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (X509::hash_function, Config::config_option_changed{ <internal>::#0 = network_time()<internal>::#1 = lookup_ID(Config::ID)<internal>::#2 = Config::format_value(<internal>::#1)<internal>::#3 = Config::format_value(Config::new_value)Config::log = Config::Info($ts=<internal>::#0, $id=Config::ID, $old_value=<internal>::#2, $new_value=<internal>::#3)if ( != Config::location) Config::log$location $= Config::location<internal>::#4 = to_any_coerceConfig::logLog::write(Config::LOG, <internal>::#4)return (Config::new_value)}, -100))
+0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (X509::known_log_certs_maximum_size, Config::config_option_changed{ <internal>::#0 = network_time()<internal>::#1 = lookup_ID(Config::ID)<internal>::#2 = Config::format_value(<internal>::#1)<internal>::#3 = Config::format_value(Config::new_value)Config::log = Config::Info($ts=<internal>::#0, $id=Config::ID, $old_value=<internal>::#2, $new_value=<internal>::#3)if ( != Config::location) Config::log$location $= Config::location<internal>::#4 = to_any_coerceConfig::logLog::write(Config::LOG, <internal>::#4)return (Config::new_value)}, -100))
+0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (X509::log_x509_in_files_log, Config::config_option_changed{ <internal>::#0 = network_time()<internal>::#1 = lookup_ID(Config::ID)<internal>::#2 = Config::format_value(<internal>::#1)<internal>::#3 = Config::format_value(Config::new_value)Config::log = Config::Info($ts=<internal>::#0, $id=Config::ID, $old_value=<internal>::#2, $new_value=<internal>::#3)if ( != Config::location) Config::log$location $= Config::location<internal>::#4 = to_any_coerceConfig::logLog::write(Config::LOG, <internal>::#4)return (Config::new_value)}, -100))
+0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (X509::relog_known_certificates_after, Config::config_option_changed{ <internal>::#0 = network_time()<internal>::#1 = lookup_ID(Config::ID)<internal>::#2 = Config::format_value(<internal>::#1)<internal>::#3 = Config::format_value(Config::new_value)Config::log = Config::Info($ts=<internal>::#0, $id=Config::ID, $old_value=<internal>::#2, $new_value=<internal>::#3)if ( != Config::location) Config::log$location $= Config::location<internal>::#4 = to_any_coerceConfig::logLog::write(Config::LOG, <internal>::#4)return (Config::new_value)}, -100))
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (default_file_bof_buffer_size, Config::config_option_changed{ <internal>::#0 = network_time()<internal>::#1 = lookup_ID(Config::ID)<internal>::#2 = Config::format_value(<internal>::#1)<internal>::#3 = Config::format_value(Config::new_value)Config::log = Config::Info($ts=<internal>::#0, $id=Config::ID, $old_value=<internal>::#2, $new_value=<internal>::#3)if ( != Config::location) Config::log$location $= Config::location<internal>::#4 = to_any_coerceConfig::logLog::write(Config::LOG, <internal>::#4)return (Config::new_value)}, -100))
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (default_file_timeout_interval, Config::config_option_changed{ <internal>::#0 = network_time()<internal>::#1 = lookup_ID(Config::ID)<internal>::#2 = Config::format_value(<internal>::#1)<internal>::#3 = Config::format_value(Config::new_value)Config::log = Config::Info($ts=<internal>::#0, $id=Config::ID, $old_value=<internal>::#2, $new_value=<internal>::#3)if ( != Config::location) Config::log$location $= Config::location<internal>::#4 = to_any_coerceConfig::logLog::write(Config::LOG, <internal>::#4)return (Config::new_value)}, -100))
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (ignore_checksums_nets, Config::config_option_changed{ <internal>::#0 = network_time()<internal>::#1 = lookup_ID(Config::ID)<internal>::#2 = Config::format_value(<internal>::#1)<internal>::#3 = Config::format_value(Config::new_value)Config::log = Config::Info($ts=<internal>::#0, $id=Config::ID, $old_value=<internal>::#2, $new_value=<internal>::#3)if ( != Config::location) Config::log$location $= Config::location<internal>::#4 = to_any_coerceConfig::logLog::write(Config::LOG, <internal>::#4)return (Config::new_value)}, -100))
+0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (ignore_checksums_nets, PacketAnalyzer::IP::analyzer_option_change_ignore_checksums_nets{ if (ignore_checksums_nets == PacketAnalyzer::IP::ID) PacketAnalyzer::__set_ignore_checksums_nets(PacketAnalyzer::IP::new_value)return (PacketAnalyzer::IP::new_value)}, 5))
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (udp_content_delivery_ports_use_resp, Config::config_option_changed{ <internal>::#0 = network_time()<internal>::#1 = lookup_ID(Config::ID)<internal>::#2 = Config::format_value(<internal>::#1)<internal>::#3 = Config::format_value(Config::new_value)Config::log = Config::Info($ts=<internal>::#0, $id=Config::ID, $old_value=<internal>::#2, $new_value=<internal>::#3)if ( != Config::location) Config::log$location $= Config::location<internal>::#4 = to_any_coerceConfig::logLog::write(Config::LOG, <internal>::#4)return (Config::new_value)}, -100))
 0.000000   MetaHookPre   CallFunction(Option::set_change_handler, <frame>, (udp_content_ports, Config::config_option_changed{ <internal>::#0 = network_time()<internal>::#1 = lookup_ID(Config::ID)<internal>::#2 = Config::format_value(<internal>::#1)<internal>::#3 = Config::format_value(Config::new_value)Config::log = Config::Info($ts=<internal>::#0, $id=Config::ID, $old_value=<internal>::#2, $new_value=<internal>::#3)if ( != Config::location) Config::log$location $= Config::location<internal>::#4 = to_any_coerceConfig::logLog::write(Config::LOG, <internal>::#4)return (Config::new_value)}, -100))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, 5072/udp))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, 6081/udp))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1, 2123/udp))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1, 2152/udp))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, 3544/udp))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_port, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, 4789/udp))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, {5072/udp}))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, {6081/udp}))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1, {2152<...>/udp}))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, {3544/udp}))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_for_ports, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, {4789/udp}))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_AYIYA, 41, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 2048, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 2054, PacketAnalyzer::ANALYZER_ARP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 32821, PacketAnalyzer::ANALYZER_ARP))
@@ -1616,6 +2050,10 @@
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 34984, PacketAnalyzer::ANALYZER_VLAN))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 35110, PacketAnalyzer::ANALYZER_VNTAG))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ETHERNET, 37120, PacketAnalyzer::ANALYZER_VLAN))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_GENEVE, 2048, PacketAnalyzer::ANALYZER_IP))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_GENEVE, 2054, PacketAnalyzer::ANALYZER_ARP))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_GENEVE, 2269, PacketAnalyzer::ANALYZER_IP))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_GENEVE, 25944, PacketAnalyzer::ANALYZER_ETHERNET))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IEEE802_11, 2048, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IEEE802_11, 2054, PacketAnalyzer::ANALYZER_ARP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_IEEE802_11, 32821, PacketAnalyzer::ANALYZER_ARP))
@@ -1651,6 +2089,12 @@
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 2123, PacketAnalyzer::ANALYZER_GTPV1))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 2152, PacketAnalyzer::ANALYZER_GTPV1))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 3544, PacketAnalyzer::ANALYZER_TEREDO))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 4789, PacketAnalyzer::ANALYZER_VXLAN))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_UDP, 6081, PacketAnalyzer::ANALYZER_GENEVE))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 2048, PacketAnalyzer::ANALYZER_IP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 2054, PacketAnalyzer::ANALYZER_ARP))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VLAN, 32821, PacketAnalyzer::ANALYZER_ARP))
@@ -1661,6 +2105,9 @@
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 33024, PacketAnalyzer::ANALYZER_VLAN))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 34984, PacketAnalyzer::ANALYZER_VLAN))
 0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_packet_analyzer, <frame>, (PacketAnalyzer::ANALYZER_VNTAG, 37120, PacketAnalyzer::ANALYZER_VLAN))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_protocol_detection, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_protocol_detection, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1))
+0.000000   MetaHookPre   CallFunction(PacketAnalyzer::register_protocol_detection, <frame>, (PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO))
 0.000000   MetaHookPre   CallFunction(PacketFilter::build, <frame>, ())
 0.000000   MetaHookPre   CallFunction(PacketFilter::combine_filters, <frame>, (ip or not ip, and, ))
 0.000000   MetaHookPre   CallFunction(PacketFilter::install, <frame>, ())
@@ -1681,6 +2128,8 @@
 0.000000   MetaHookPre   CallFunction(SumStats::register_observe_plugin, <frame>, (SumStats::UNIQUE, lambda_<14393221830775341876>{ if (!SumStats::rv?$unique_vals) SumStats::rv$unique_vals = (coerce set() to set[SumStats::Observation])if (SumStats::r?$unique_max) SumStats::rv$unique_max = SumStats::r$unique_maxif (!SumStats::r?$unique_max || sizeofSumStats::rv$unique_vals <= SumStats::r$unique_max) add SumStats::rv$unique_vals[SumStats::obs]SumStats::rv$unique = sizeofSumStats::rv$unique_vals}))
 0.000000   MetaHookPre   CallFunction(SumStats::register_observe_plugin, <frame>, (SumStats::VARIANCE, lambda_<6557258612059469785>{ if (1 < SumStats::rv$num) SumStats::rv$var_s += ((SumStats::val - SumStats::rv$prev_avg) * (SumStats::val - SumStats::rv$average))SumStats::calc_variance(SumStats::rv)SumStats::rv$prev_avg = SumStats::rv$average}))
 0.000000   MetaHookPre   CallFunction(SumStats::register_observe_plugins, <frame>, ())
+0.000000   MetaHookPre   CallFunction(Supervisor::__is_supervisor, <frame>, ())
+0.000000   MetaHookPre   CallFunction(Supervisor::is_supervisor, <frame>, ())
 0.000000   MetaHookPre   CallFunction(__init_primary_bifs, <null>, ())
 0.000000   MetaHookPre   CallFunction(__init_secondary_bifs, <null>, ())
 0.000000   MetaHookPre   CallFunction(current_time, <frame>, ())
@@ -1689,6 +2138,12 @@
 0.000000   MetaHookPre   CallFunction(getenv, <null>, (ZEEK_DEFAULT_LISTEN_ADDRESS))
 0.000000   MetaHookPre   CallFunction(global_ids, <frame>, ())
 0.000000   MetaHookPre   CallFunction(network_time, <frame>, ())
+0.000000   MetaHookPre   CallFunction(port_to_count, <frame>, (2123/udp))
+0.000000   MetaHookPre   CallFunction(port_to_count, <frame>, (2152/udp))
+0.000000   MetaHookPre   CallFunction(port_to_count, <frame>, (3544/udp))
+0.000000   MetaHookPre   CallFunction(port_to_count, <frame>, (4789/udp))
+0.000000   MetaHookPre   CallFunction(port_to_count, <frame>, (5072/udp))
+0.000000   MetaHookPre   CallFunction(port_to_count, <frame>, (6081/udp))
 0.000000   MetaHookPre   CallFunction(reading_live_traffic, <frame>, ())
 0.000000   MetaHookPre   CallFunction(reading_traces, <frame>, ())
 0.000000   MetaHookPre   CallFunction(set_to_regex, <frame>, ({}, (^\.?|\.)(~~)$))
@@ -1728,6 +2183,7 @@
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_Finger.events.bif.zeek, <...>/Zeek_Finger.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_GSSAPI.events.bif.zeek, <...>/Zeek_GSSAPI.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_GTPv1.events.bif.zeek, <...>/Zeek_GTPv1.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, ./Zeek_GTPv1.functions.bif.zeek, <...>/Zeek_GTPv1.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_Geneve.events.bif.zeek, <...>/Zeek_Geneve.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_Gnutella.events.bif.zeek, <...>/Zeek_Gnutella.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_HTTP.events.bif.zeek, <...>/Zeek_HTTP.events.bif.zeek)
@@ -1809,12 +2265,12 @@
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_SSL.events.bif.zeek, <...>/Zeek_SSL.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_SSL.functions.bif.zeek, <...>/Zeek_SSL.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_SSL.types.bif.zeek, <...>/Zeek_SSL.types.bif.zeek)
-0.000000   MetaHookPre   LoadFile(0, ./Zeek_SteppingStone.events.bif.zeek, <...>/Zeek_SteppingStone.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_Syslog.events.bif.zeek, <...>/Zeek_Syslog.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_TCP.events.bif.zeek, <...>/Zeek_TCP.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_Teredo.events.bif.zeek, <...>/Zeek_Teredo.events.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, ./Zeek_Teredo.functions.bif.zeek, <...>/Zeek_Teredo.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_UDP.events.bif.zeek, <...>/Zeek_UDP.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_Unified2.events.bif.zeek, <...>/Zeek_Unified2.events.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./Zeek_Unified2.types.bif.zeek, <...>/Zeek_Unified2.types.bif.zeek)
@@ -1832,6 +2288,7 @@
 0.000000   MetaHookPre   LoadFile(0, ./bloom-filter.bif.zeek, <...>/bloom-filter.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./broker, <...>/broker.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./cardinality-counter.bif.zeek, <...>/cardinality-counter.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, ./certificate-event-cache, <...>/certificate-event-cache.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./comm.bif.zeek, <...>/comm.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./const-dos-error, <...>/const-dos-error.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./const-nt-status, <...>/const-nt-status.zeek)
@@ -1858,9 +2315,11 @@
 0.000000   MetaHookPre   LoadFile(0, ./input.bif.zeek, <...>/input.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./last, <...>/last.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./log, <...>/log.zeek)
+0.000000   MetaHookPre   LoadFile(0, ./log-ocsp, <...>/log-ocsp.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./logging.bif.zeek, <...>/logging.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./magic, <...>/magic)
 0.000000   MetaHookPre   LoadFile(0, ./main, <...>/main.zeek)
+0.000000   MetaHookPre   LoadFile(0, ./main.zeek, <...>/main.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./max, <...>/max.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./messaging.bif.zeek, <...>/messaging.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, ./min, <...>/min.zeek)
@@ -1927,13 +2386,16 @@
 0.000000   MetaHookPre   LoadFile(0, base/init-frameworks-and-bifs.zeek, <...>/init-frameworks-and-bifs.zeek)
 0.000000   MetaHookPre   LoadFile(0, base/packet-protocols, <...>/packet-protocols)
 0.000000   MetaHookPre   LoadFile(0, base<...>/CPP-load.bif, <...>/CPP-load.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, base<...>/Zeek_GTPv1.functions.bif, <...>/Zeek_GTPv1.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/Zeek_KRB.types.bif, <...>/Zeek_KRB.types.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/Zeek_SNMP.types.bif, <...>/Zeek_SNMP.types.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, base<...>/Zeek_Teredo.functions.bif, <...>/Zeek_Teredo.functions.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/active-http, <...>/active-http.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/addrs, <...>/addrs.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/analyzer, <...>/analyzer)
 0.000000   MetaHookPre   LoadFile(0, base<...>/analyzer.bif, <...>/analyzer.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/api, <...>/api.zeek)
+0.000000   MetaHookPre   LoadFile(0, base<...>/ayiya, <...>/ayiya)
 0.000000   MetaHookPre   LoadFile(0, base<...>/backtrace, <...>/backtrace.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/broker, <...>/broker)
 0.000000   MetaHookPre   LoadFile(0, base<...>/cluster, <...>/cluster)
@@ -1963,8 +2425,10 @@
 0.000000   MetaHookPre   LoadFile(0, base<...>/find-checksum-offloading, <...>/find-checksum-offloading.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/find-filtered-trace, <...>/find-filtered-trace.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/ftp, <...>/ftp)
+0.000000   MetaHookPre   LoadFile(0, base<...>/geneve, <...>/geneve)
 0.000000   MetaHookPre   LoadFile(0, base<...>/geoip-distance, <...>/geoip-distance.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/gre, <...>/gre)
+0.000000   MetaHookPre   LoadFile(0, base<...>/gtpv1, <...>/gtpv1)
 0.000000   MetaHookPre   LoadFile(0, base<...>/hash, <...>/hash)
 0.000000   MetaHookPre   LoadFile(0, base<...>/hash_hrw, <...>/hash_hrw.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/http, <...>/http)
@@ -1983,6 +2447,7 @@
 0.000000   MetaHookPre   LoadFile(0, base<...>/logging, <...>/logging)
 0.000000   MetaHookPre   LoadFile(0, base<...>/logging.bif, <...>/logging.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/main, <...>/main.zeek)
+0.000000   MetaHookPre   LoadFile(0, base<...>/main.zeek, <...>/main.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/messaging.bif, <...>/messaging.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/modbus, <...>/modbus)
 0.000000   MetaHookPre   LoadFile(0, base<...>/mpls, <...>/mpls)
@@ -2034,6 +2499,7 @@
 0.000000   MetaHookPre   LoadFile(0, base<...>/supervisor.bif, <...>/supervisor.bif.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/syslog, <...>/syslog)
 0.000000   MetaHookPre   LoadFile(0, base<...>/tcp, <...>/tcp)
+0.000000   MetaHookPre   LoadFile(0, base<...>/teredo, <...>/teredo)
 0.000000   MetaHookPre   LoadFile(0, base<...>/thresholds, <...>/thresholds.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/time, <...>/time.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/tunnels, <...>/tunnels)
@@ -2044,10 +2510,14 @@
 0.000000   MetaHookPre   LoadFile(0, base<...>/version, <...>/version.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/vlan, <...>/vlan)
 0.000000   MetaHookPre   LoadFile(0, base<...>/vntag, <...>/vntag)
+0.000000   MetaHookPre   LoadFile(0, base<...>/vxlan, <...>/vxlan)
 0.000000   MetaHookPre   LoadFile(0, base<...>/weird, <...>/weird.zeek)
 0.000000   MetaHookPre   LoadFile(0, base<...>/x509, <...>/x509)
 0.000000   MetaHookPre   LoadFile(0, base<...>/xmpp, <...>/xmpp)
 0.000000   MetaHookPre   LoadFile(0, base<...>/zeek.bif, <...>/zeek.bif.zeek)
+0.000000   MetaHookPre   LoadFile(0, builtin-plugins/__load__.zeek, <...>/__load__.zeek)
+0.000000   MetaHookPre   LoadFile(0, builtin-plugins/__preload__.zeek, <...>/__preload__.zeek)
+0.000000   MetaHookPre   LoadFile(0, s1.sig, ./s1.sig)
 0.000000   MetaHookPre   LoadFile(1, ./archive, <...>/archive.sig)
 0.000000   MetaHookPre   LoadFile(1, ./audio, <...>/audio.sig)
 0.000000   MetaHookPre   LoadFile(1, ./dpd.sig, <...>/dpd.sig)
@@ -2060,14 +2530,390 @@
 0.000000   MetaHookPre   LoadFile(1, ./office, <...>/office.sig)
 0.000000   MetaHookPre   LoadFile(1, ./programming, <...>/programming.sig)
 0.000000   MetaHookPre   LoadFile(1, ./video, <...>/video.sig)
+0.000000   MetaHookPre   LoadFile(1, s2, ./s2.sig)
+0.000000   MetaHookPre   LoadFileExtended(0, ../main, <...>/main.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ../plugin, <...>/plugin.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./CPP-load.bif.zeek, <...>/CPP-load.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_ARP.events.bif.zeek, <...>/Zeek_ARP.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_AsciiReader.ascii.bif.zeek, <...>/Zeek_AsciiReader.ascii.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_AsciiWriter.ascii.bif.zeek, <...>/Zeek_AsciiWriter.ascii.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_BenchmarkReader.benchmark.bif.zeek, <...>/Zeek_BenchmarkReader.benchmark.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_BinaryReader.binary.bif.zeek, <...>/Zeek_BinaryReader.binary.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_BitTorrent.events.bif.zeek, <...>/Zeek_BitTorrent.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_ConfigReader.config.bif.zeek, <...>/Zeek_ConfigReader.config.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_ConnSize.events.bif.zeek, <...>/Zeek_ConnSize.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_ConnSize.functions.bif.zeek, <...>/Zeek_ConnSize.functions.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_DCE_RPC.consts.bif.zeek, <...>/Zeek_DCE_RPC.consts.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_DCE_RPC.events.bif.zeek, <...>/Zeek_DCE_RPC.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_DCE_RPC.types.bif.zeek, <...>/Zeek_DCE_RPC.types.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_DHCP.events.bif.zeek, <...>/Zeek_DHCP.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_DHCP.types.bif.zeek, <...>/Zeek_DHCP.types.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_DNP3.events.bif.zeek, <...>/Zeek_DNP3.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_DNS.events.bif.zeek, <...>/Zeek_DNS.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_FTP.events.bif.zeek, <...>/Zeek_FTP.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_FTP.functions.bif.zeek, <...>/Zeek_FTP.functions.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_File.events.bif.zeek, <...>/Zeek_File.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_FileEntropy.events.bif.zeek, <...>/Zeek_FileEntropy.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_FileExtract.events.bif.zeek, <...>/Zeek_FileExtract.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_FileExtract.functions.bif.zeek, <...>/Zeek_FileExtract.functions.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_FileHash.events.bif.zeek, <...>/Zeek_FileHash.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Finger.events.bif.zeek, <...>/Zeek_Finger.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_GSSAPI.events.bif.zeek, <...>/Zeek_GSSAPI.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_GTPv1.events.bif.zeek, <...>/Zeek_GTPv1.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_GTPv1.functions.bif.zeek, <...>/Zeek_GTPv1.functions.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Geneve.events.bif.zeek, <...>/Zeek_Geneve.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Gnutella.events.bif.zeek, <...>/Zeek_Gnutella.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_HTTP.events.bif.zeek, <...>/Zeek_HTTP.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_HTTP.functions.bif.zeek, <...>/Zeek_HTTP.functions.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_ICMP.events.bif.zeek, <...>/Zeek_ICMP.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_IMAP.events.bif.zeek, <...>/Zeek_IMAP.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_IRC.events.bif.zeek, <...>/Zeek_IRC.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Ident.events.bif.zeek, <...>/Zeek_Ident.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_KRB.events.bif.zeek, <...>/Zeek_KRB.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_KRB.types.bif.zeek, <...>/Zeek_KRB.types.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Login.events.bif.zeek, <...>/Zeek_Login.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Login.functions.bif.zeek, <...>/Zeek_Login.functions.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_MIME.events.bif.zeek, <...>/Zeek_MIME.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_MQTT.events.bif.zeek, <...>/Zeek_MQTT.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_MQTT.types.bif.zeek, <...>/Zeek_MQTT.types.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Modbus.events.bif.zeek, <...>/Zeek_Modbus.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_MySQL.events.bif.zeek, <...>/Zeek_MySQL.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_NCP.consts.bif.zeek, <...>/Zeek_NCP.consts.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_NCP.events.bif.zeek, <...>/Zeek_NCP.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_NTLM.events.bif.zeek, <...>/Zeek_NTLM.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_NTLM.types.bif.zeek, <...>/Zeek_NTLM.types.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_NTP.events.bif.zeek, <...>/Zeek_NTP.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_NTP.types.bif.zeek, <...>/Zeek_NTP.types.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_NetBIOS.events.bif.zeek, <...>/Zeek_NetBIOS.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_NetBIOS.functions.bif.zeek, <...>/Zeek_NetBIOS.functions.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_NoneWriter.none.bif.zeek, <...>/Zeek_NoneWriter.none.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_PE.events.bif.zeek, <...>/Zeek_PE.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_POP3.events.bif.zeek, <...>/Zeek_POP3.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_RADIUS.events.bif.zeek, <...>/Zeek_RADIUS.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_RDP.events.bif.zeek, <...>/Zeek_RDP.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_RDP.types.bif.zeek, <...>/Zeek_RDP.types.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_RFB.events.bif.zeek, <...>/Zeek_RFB.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_RPC.events.bif.zeek, <...>/Zeek_RPC.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_RawReader.raw.bif.zeek, <...>/Zeek_RawReader.raw.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SIP.events.bif.zeek, <...>/Zeek_SIP.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.consts.bif.zeek, <...>/Zeek_SMB.consts.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.events.bif.zeek, <...>/Zeek_SMB.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb1_com_check_directory.bif.zeek, <...>/Zeek_SMB.smb1_com_check_directory.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb1_com_close.bif.zeek, <...>/Zeek_SMB.smb1_com_close.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb1_com_create_directory.bif.zeek, <...>/Zeek_SMB.smb1_com_create_directory.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb1_com_echo.bif.zeek, <...>/Zeek_SMB.smb1_com_echo.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb1_com_logoff_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_logoff_andx.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb1_com_negotiate.bif.zeek, <...>/Zeek_SMB.smb1_com_negotiate.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb1_com_nt_cancel.bif.zeek, <...>/Zeek_SMB.smb1_com_nt_cancel.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb1_com_nt_create_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_nt_create_andx.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb1_com_query_information.bif.zeek, <...>/Zeek_SMB.smb1_com_query_information.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb1_com_read_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_read_andx.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb1_com_session_setup_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_session_setup_andx.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb1_com_transaction.bif.zeek, <...>/Zeek_SMB.smb1_com_transaction.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb1_com_transaction2.bif.zeek, <...>/Zeek_SMB.smb1_com_transaction2.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek, <...>/Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb1_com_transaction_secondary.bif.zeek, <...>/Zeek_SMB.smb1_com_transaction_secondary.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb1_com_tree_disconnect.bif.zeek, <...>/Zeek_SMB.smb1_com_tree_disconnect.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb1_com_write_andx.bif.zeek, <...>/Zeek_SMB.smb1_com_write_andx.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb1_events.bif.zeek, <...>/Zeek_SMB.smb1_events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb2_com_close.bif.zeek, <...>/Zeek_SMB.smb2_com_close.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb2_com_create.bif.zeek, <...>/Zeek_SMB.smb2_com_create.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb2_com_negotiate.bif.zeek, <...>/Zeek_SMB.smb2_com_negotiate.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb2_com_read.bif.zeek, <...>/Zeek_SMB.smb2_com_read.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb2_com_session_setup.bif.zeek, <...>/Zeek_SMB.smb2_com_session_setup.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb2_com_set_info.bif.zeek, <...>/Zeek_SMB.smb2_com_set_info.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb2_com_transform_header.bif.zeek, <...>/Zeek_SMB.smb2_com_transform_header.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb2_com_tree_connect.bif.zeek, <...>/Zeek_SMB.smb2_com_tree_connect.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb2_com_tree_disconnect.bif.zeek, <...>/Zeek_SMB.smb2_com_tree_disconnect.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb2_com_write.bif.zeek, <...>/Zeek_SMB.smb2_com_write.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.smb2_events.bif.zeek, <...>/Zeek_SMB.smb2_events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMB.types.bif.zeek, <...>/Zeek_SMB.types.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMTP.events.bif.zeek, <...>/Zeek_SMTP.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SMTP.functions.bif.zeek, <...>/Zeek_SMTP.functions.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SNMP.events.bif.zeek, <...>/Zeek_SNMP.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SNMP.types.bif.zeek, <...>/Zeek_SNMP.types.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SOCKS.events.bif.zeek, <...>/Zeek_SOCKS.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SQLiteReader.sqlite.bif.zeek, <...>/Zeek_SQLiteReader.sqlite.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SQLiteWriter.sqlite.bif.zeek, <...>/Zeek_SQLiteWriter.sqlite.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SSH.events.bif.zeek, <...>/Zeek_SSH.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SSH.types.bif.zeek, <...>/Zeek_SSH.types.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SSL.consts.bif.zeek, <...>/Zeek_SSL.consts.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SSL.events.bif.zeek, <...>/Zeek_SSL.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SSL.functions.bif.zeek, <...>/Zeek_SSL.functions.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_SSL.types.bif.zeek, <...>/Zeek_SSL.types.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Syslog.events.bif.zeek, <...>/Zeek_Syslog.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_TCP.events.bif.zeek, <...>/Zeek_TCP.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_TCP.functions.bif.zeek, <...>/Zeek_TCP.functions.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_TCP.types.bif.zeek, <...>/Zeek_TCP.types.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Teredo.events.bif.zeek, <...>/Zeek_Teredo.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Teredo.functions.bif.zeek, <...>/Zeek_Teredo.functions.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_UDP.events.bif.zeek, <...>/Zeek_UDP.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Unified2.events.bif.zeek, <...>/Zeek_Unified2.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_Unified2.types.bif.zeek, <...>/Zeek_Unified2.types.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_VXLAN.events.bif.zeek, <...>/Zeek_VXLAN.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_X509.events.bif.zeek, <...>/Zeek_X509.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_X509.functions.bif.zeek, <...>/Zeek_X509.functions.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_X509.ocsp_events.bif.zeek, <...>/Zeek_X509.ocsp_events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_X509.types.bif.zeek, <...>/Zeek_X509.types.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./Zeek_XMPP.events.bif.zeek, <...>/Zeek_XMPP.events.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./acld, <...>/acld.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./addrs, <...>/addrs.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./analyzer.bif.zeek, <...>/analyzer.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./api, <...>/api.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./average, <...>/average.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./bloom-filter.bif.zeek, <...>/bloom-filter.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./broker, <...>/broker.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./cardinality-counter.bif.zeek, <...>/cardinality-counter.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./certificate-event-cache, <...>/certificate-event-cache.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./comm.bif.zeek, <...>/comm.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./const-dos-error, <...>/const-dos-error.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./const-nt-status, <...>/const-nt-status.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./const.bif.zeek, <...>/const.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./consts, <...>/consts.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./contents, <...>/contents.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./control, <...>/control.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./ct-list, <...>/ct-list.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./data.bif.zeek, <...>/data.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./dcc-send, <...>/dcc-send.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./debug, <...>/debug.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./drop, <...>/drop.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./entities, <...>/entities.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./event.bif.zeek, <...>/event.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./exec, <...>/exec.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./file_analysis.bif.zeek, <...>/file_analysis.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./files, <...>/files.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./gridftp, <...>/gridftp.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./hll_unique, <...>/hll_unique.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./hooks.bif.zeek, <...>/hooks.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./inactivity, <...>/inactivity.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./info, <...>/info.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./input, <...>/input.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./input.bif.zeek, <...>/input.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./last, <...>/last.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./log, <...>/log.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./log-ocsp, <...>/log-ocsp.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./logging.bif.zeek, <...>/logging.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./magic, <...>/magic)
+0.000000   MetaHookPre   LoadFileExtended(0, ./main, <...>/main.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./main.zeek, <...>/main.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./max, <...>/max.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./messaging.bif.zeek, <...>/messaging.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./min, <...>/min.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./mozilla-ca-list, <...>/mozilla-ca-list.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./netstats, <...>/netstats.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./non-cluster, <...>/non-cluster.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./openflow, <...>/openflow.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./option.bif.zeek, <...>/option.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./packet_analysis.bif.zeek, <...>/packet_analysis.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./packetfilter, <...>/packetfilter.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./patterns, <...>/patterns.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./pcap.bif.zeek, <...>/pcap.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./plugin, <...>/plugin.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./plugins, <...>/plugins)
+0.000000   MetaHookPre   LoadFileExtended(0, ./polling, <...>/polling.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./pools, <...>/pools.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./postprocessors, <...>/postprocessors)
+0.000000   MetaHookPre   LoadFileExtended(0, ./removal-hooks, <...>/removal-hooks.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./reporter.bif.zeek, <...>/reporter.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./ryu, <...>/ryu.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./sample, <...>/sample.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./scp, <...>/scp.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./sftp, <...>/sftp.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./shunt, <...>/shunt.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./site, <...>/site.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./smb1-main, <...>/smb1-main.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./smb2-main, <...>/smb2-main.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./stats.bif.zeek, <...>/stats.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./std-dev, <...>/std-dev.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./store, <...>/store.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./store.bif.zeek, <...>/store.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./strings.bif.zeek, <...>/strings.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./sum, <...>/sum.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./supervisor.bif.zeek, <...>/supervisor.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./telemetry.bif.zeek, <...>/telemetry.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./thresholds, <...>/thresholds.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./top-k.bif.zeek, <...>/top-k.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./topk, <...>/topk.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./types, <...>/types.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./types.bif.zeek, <...>/types.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./unique, <...>/unique.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./utils, <...>/utils.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./utils-commands, <...>/utils-commands.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./variance, <...>/variance.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./weird, <...>/weird.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./zeek.bif.zeek, <...>/zeek.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, ./zeekygen.bif.zeek, <...>/zeekygen.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, .<...>/add-geodata, <...>/add-geodata.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, .<...>/ascii, <...>/ascii.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, .<...>/benchmark, <...>/benchmark.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, .<...>/binary, <...>/binary.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, .<...>/config, <...>/config.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, .<...>/email_admin, <...>/email_admin.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, .<...>/none, <...>/none.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, .<...>/page, <...>/page.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, .<...>/pp-alarms, <...>/pp-alarms.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, .<...>/raw, <...>/raw.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, .<...>/sqlite, <...>/sqlite.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, <...>/__load__.zeek, <...>/__load__.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, <...>/__preload__.zeek, <...>/__preload__.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, <...>/hooks.zeek, <...>/hooks.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base/bif, <...>/bif)
+0.000000   MetaHookPre   LoadFileExtended(0, base/init-default, <...>/init-default.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base/init-frameworks-and-bifs.zeek, <...>/init-frameworks-and-bifs.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base/packet-protocols, <...>/packet-protocols)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/CPP-load.bif, <...>/CPP-load.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/Zeek_GTPv1.functions.bif, <...>/Zeek_GTPv1.functions.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/Zeek_KRB.types.bif, <...>/Zeek_KRB.types.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/Zeek_SNMP.types.bif, <...>/Zeek_SNMP.types.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/Zeek_Teredo.functions.bif, <...>/Zeek_Teredo.functions.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/active-http, <...>/active-http.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/addrs, <...>/addrs.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/analyzer, <...>/analyzer)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/analyzer.bif, <...>/analyzer.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/api, <...>/api.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/ayiya, <...>/ayiya)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/backtrace, <...>/backtrace.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/broker, <...>/broker)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/cluster, <...>/cluster)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/comm.bif, <...>/comm.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/config, <...>/config)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/conn, <...>/conn)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/conn-ids, <...>/conn-ids.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/const.bif, <...>/const.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/control, <...>/control)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/data.bif, <...>/data.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/dce-rpc, <...>/dce-rpc)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/dhcp, <...>/dhcp)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/dir, <...>/dir.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/directions-and-hosts, <...>/directions-and-hosts.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/dnp3, <...>/dnp3)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/dns, <...>/dns)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/dpd, <...>/dpd)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/email, <...>/email.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/ethernet, <...>/ethernet)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/event.bif, <...>/event.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/exec, <...>/exec.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/extract, <...>/extract)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/fddi, <...>/fddi)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/file_analysis.bif, <...>/file_analysis.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/files, <...>/files)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/files, <...>/files.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/find-checksum-offloading, <...>/find-checksum-offloading.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/find-filtered-trace, <...>/find-filtered-trace.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/ftp, <...>/ftp)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/geneve, <...>/geneve)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/geoip-distance, <...>/geoip-distance.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/gre, <...>/gre)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/gtpv1, <...>/gtpv1)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/hash, <...>/hash)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/hash_hrw, <...>/hash_hrw.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/http, <...>/http)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/icmp, <...>/icmp)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/ieee802_11, <...>/ieee802_11)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/ieee802_11_radio, <...>/ieee802_11_radio)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/imap, <...>/imap)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/input, <...>/input)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/input.bif, <...>/input.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/intel, <...>/intel)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/ip, <...>/ip)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/iptunnel, <...>/iptunnel)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/irc, <...>/irc)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/krb, <...>/krb)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/linux_sll, <...>/linux_sll)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/logging, <...>/logging)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/logging.bif, <...>/logging.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/main, <...>/main.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/main.zeek, <...>/main.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/messaging.bif, <...>/messaging.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/modbus, <...>/modbus)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/mpls, <...>/mpls)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/mqtt, <...>/mqtt)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/mysql, <...>/mysql)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/netcontrol, <...>/netcontrol)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/nflog, <...>/nflog)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/notice, <...>/notice)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/ntlm, <...>/ntlm)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/ntp, <...>/ntp)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/null, <...>/null)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/numbers, <...>/numbers.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/openflow, <...>/openflow)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/option.bif, <...>/option.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/packet-filter, <...>/packet-filter)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/packet_analysis.bif, <...>/packet_analysis.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/paths, <...>/paths.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/patterns, <...>/patterns.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/pe, <...>/pe)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/plugins, <...>/plugins)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/pop3, <...>/pop3)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/ppp_serial, <...>/ppp_serial)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/pppoe, <...>/pppoe)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/queue, <...>/queue.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/radius, <...>/radius)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/rdp, <...>/rdp)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/removal-hooks, <...>/removal-hooks.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/reporter, <...>/reporter)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/reporter.bif, <...>/reporter.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/rfb, <...>/rfb)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/root, <...>/root)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/signatures, <...>/signatures)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/sip, <...>/sip)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/site, <...>/site.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/skip, <...>/skip)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/smb, <...>/smb)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/smtp, <...>/smtp)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/snmp, <...>/snmp)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/socks, <...>/socks)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/software, <...>/software)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/ssh, <...>/ssh)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/ssl, <...>/ssl)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/stats.bif, <...>/stats.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/store.bif, <...>/store.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/strings, <...>/strings.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/strings.bif, <...>/strings.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/sumstats, <...>/sumstats)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/supervisor, <...>/supervisor)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/supervisor.bif, <...>/supervisor.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/syslog, <...>/syslog)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/tcp, <...>/tcp)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/teredo, <...>/teredo)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/thresholds, <...>/thresholds.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/time, <...>/time.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/tunnels, <...>/tunnels)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/types.bif, <...>/types.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/udp, <...>/udp)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/urls, <...>/urls.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/utils, <...>/utils.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/version, <...>/version.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/vlan, <...>/vlan)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/vntag, <...>/vntag)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/vxlan, <...>/vxlan)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/weird, <...>/weird.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/x509, <...>/x509)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/xmpp, <...>/xmpp)
+0.000000   MetaHookPre   LoadFileExtended(0, base<...>/zeek.bif, <...>/zeek.bif.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, builtin-plugins/__load__.zeek, <...>/__load__.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, builtin-plugins/__preload__.zeek, <...>/__preload__.zeek)
+0.000000   MetaHookPre   LoadFileExtended(0, s1.sig, ./s1.sig)
+0.000000   MetaHookPre   LoadFileExtended(1, ./archive, <...>/archive.sig)
+0.000000   MetaHookPre   LoadFileExtended(1, ./audio, <...>/audio.sig)
+0.000000   MetaHookPre   LoadFileExtended(1, ./dpd.sig, <...>/dpd.sig)
+0.000000   MetaHookPre   LoadFileExtended(1, ./executable, <...>/executable.sig)
+0.000000   MetaHookPre   LoadFileExtended(1, ./font, <...>/font.sig)
+0.000000   MetaHookPre   LoadFileExtended(1, ./general, <...>/general.sig)
+0.000000   MetaHookPre   LoadFileExtended(1, ./image, <...>/image.sig)
+0.000000   MetaHookPre   LoadFileExtended(1, ./java, <...>/java.sig)
+0.000000   MetaHookPre   LoadFileExtended(1, ./libmagic, <...>/libmagic.sig)
+0.000000   MetaHookPre   LoadFileExtended(1, ./office, <...>/office.sig)
+0.000000   MetaHookPre   LoadFileExtended(1, ./programming, <...>/programming.sig)
+0.000000   MetaHookPre   LoadFileExtended(1, ./video, <...>/video.sig)
+0.000000   MetaHookPre   LoadFileExtended(1, s2, ./s2.sig)
 0.000000   MetaHookPre   LogInit(Log::WRITER_ASCII, default, true, true, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)})
 0.000000   MetaHookPre   LogWrite(Log::WRITER_ASCII, default, packet_filter(0.0,0.0,0.0), 5, {ts (time), node (string), filter (string), init (bool), success (bool)}, <void ptr>)
 0.000000   MetaHookPre   QueueEvent(NetControl::init())
 0.000000   MetaHookPre   QueueEvent(filter_change_tracking())
 0.000000   MetaHookPre   QueueEvent(zeek_init())
-0.000000 | HookCallFunction Analyzer::__disable_analyzer(Analyzer::ANALYZER_STEPPINGSTONE)
 0.000000 | HookCallFunction Analyzer::__disable_analyzer(Analyzer::ANALYZER_TCPSTATS)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_AYIYA, 5072/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DCE_RPC, 135/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DHCP, 4011/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DHCP, 67/udp)
@@ -2082,9 +2928,6 @@
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DTLS, 443/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_FTP, 21/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_FTP, 2811/tcp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_GENEVE, 6081/udp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_GTPV1, 2123/udp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_GTPV1, 2152/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_HTTP, 1080/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_HTTP, 3128/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_HTTP, 631/tcp)
@@ -2128,13 +2971,9 @@
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SSL, 993/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SSL, 995/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_SYSLOG, 514/udp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_TEREDO, 3544/udp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_VXLAN, 4789/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5222/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_XMPP, 5269/tcp)
-0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_STEPPINGSTONE)
 0.000000 | HookCallFunction Analyzer::disable_analyzer(Analyzer::ANALYZER_TCPSTATS)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_AYIYA, 5072/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DCE_RPC, 135/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DHCP, 4011/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DHCP, 67/udp)
@@ -2149,9 +2988,6 @@
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DTLS, 443/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_FTP, 21/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_FTP, 2811/tcp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_GENEVE, 6081/udp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_GTPV1, 2123/udp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_GTPV1, 2152/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 1080/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 3128/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_HTTP, 631/tcp)
@@ -2195,19 +3031,14 @@
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SSL, 993/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SSL, 995/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_SYSLOG, 514/udp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_TEREDO, 3544/udp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_VXLAN, 4789/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_XMPP, 5222/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_XMPP, 5269/tcp)
-0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_AYIYA, {5072/udp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DCE_RPC, {135/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DHCP, {67<...>/udp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DNP3_TCP, {20000<...>/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DNS, {5353<...>/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DTLS, {443/udp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_FTP, {2811<...>/tcp})
-0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_GENEVE, {6081/udp})
-0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_GTPV1, {2152<...>/udp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, {80<...>/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_IMAP, {143/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_IRC, {6666<...>/tcp})
@@ -2227,8 +3058,6 @@
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SSH, {22/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SSL, {563<...>/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_SYSLOG, {514/udp})
-0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_TEREDO, {3544/udp})
-0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_VXLAN, {4789/udp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_XMPP, {5222<...>/tcp})
 0.000000 | HookCallFunction Broker::__set_metrics_export_endpoint_name()
 0.000000 | HookCallFunction Broker::__set_metrics_export_interval(1.0 sec)
@@ -2249,6 +3078,7 @@
 0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_MD5, application/pkix-cert)
 0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_MD5, application/x-x509-ca-cert)
 0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_MD5, application/x-x509-user-cert)
+0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_OCSP_REPLY, application/ocsp-response)
 0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_PE, application/x-dosexec)
 0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_SHA1, application/pkix-cert)
 0.000000 | HookCallFunction Files::register_for_mime_type(Files::ANALYZER_SHA1, application/x-x509-ca-cert)
@@ -2266,7 +3096,7 @@
 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_IRC_DATA, [get_file_handle=IRC::get_file_handle{ <internal>::#0 = IRC::c$start_time<internal>::#1 = IRC::c$id<internal>::#2 = cat(Analyzer::ANALYZER_IRC_DATA, <internal>::#0, <internal>::#1, IRC::is_orig)return (<internal>::#2)}, describe=lambda_<15770440363500096069>{ return ()}])
 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_KRB, [get_file_handle=KRB::get_file_handlereturn (), describe=KRB::describe_file{ <init> KRB::cid, KRB::c<internal>::#1 = KRB::f$sourceif (<internal>::#1 != KRB_TCP) { <internal>::#0 = KRB::f$sourceif (<internal>::#0 != KRB) return ()}if (KRB::f?$info) { <internal>::#4 = KRB::f$infoif (<internal>::#4?$x509) { <internal>::#2 = KRB::f$info<internal>::#3 = <internal>::#2$x509if (<internal>::#3?$certificate) elsereturn ()}elsereturn ()}elsereturn ()<internal>::#5 = KRB::f$connsfor ([KRB::cid] in <internal>::#5) if (KRB::c?$krb) { <internal>::#6 = KRB::c$id<internal>::#7 = <internal>::#6$resp_h<internal>::#8 = KRB::c$id<internal>::#9 = <internal>::#8$resp_p<internal>::#10 = cat(<internal>::#7, :, <internal>::#9)return (<internal>::#10)}<internal>::#11 = KRB::f$info<internal>::#12 = <internal>::#11$x509<internal>::#13 = <internal>::#12$certificate<internal>::#14 = <internal>::#13$serial<internal>::#15 = KRB::f$info<internal>::#16 = <internal>::#15$x509<internal>::#17 = <internal>::#16$certificate<internal>::#18 = <internal>::#17$subject<internal>::#19 = KRB::f$info<internal>::#20 = <internal>::#19$x509<internal>::#21 = <internal>::#20$certificate<internal>::#22 = <internal>::#21$issuer<internal>::#23 = cat(Serial: , <internal>::#14,  Subject: , <internal>::#18,  Issuer: , <internal>::#22)return (<internal>::#23)}])
 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_KRB_TCP, [get_file_handle=KRB::get_file_handlereturn (), describe=KRB::describe_file{ <init> KRB::cid, KRB::c<internal>::#1 = KRB::f$sourceif (<internal>::#1 != KRB_TCP) { <internal>::#0 = KRB::f$sourceif (<internal>::#0 != KRB) return ()}if (KRB::f?$info) { <internal>::#4 = KRB::f$infoif (<internal>::#4?$x509) { <internal>::#2 = KRB::f$info<internal>::#3 = <internal>::#2$x509if (<internal>::#3?$certificate) elsereturn ()}elsereturn ()}elsereturn ()<internal>::#5 = KRB::f$connsfor ([KRB::cid] in <internal>::#5) if (KRB::c?$krb) { <internal>::#6 = KRB::c$id<internal>::#7 = <internal>::#6$resp_h<internal>::#8 = KRB::c$id<internal>::#9 = <internal>::#8$resp_p<internal>::#10 = cat(<internal>::#7, :, <internal>::#9)return (<internal>::#10)}<internal>::#11 = KRB::f$info<internal>::#12 = <internal>::#11$x509<internal>::#13 = <internal>::#12$certificate<internal>::#14 = <internal>::#13$serial<internal>::#15 = KRB::f$info<internal>::#16 = <internal>::#15$x509<internal>::#17 = <internal>::#16$certificate<internal>::#18 = <internal>::#17$subject<internal>::#19 = KRB::f$info<internal>::#20 = <internal>::#19$x509<internal>::#21 = <internal>::#20$certificate<internal>::#22 = <internal>::#21$issuer<internal>::#23 = cat(Serial: , <internal>::#14,  Subject: , <internal>::#18,  Issuer: , <internal>::#22)return (<internal>::#23)}])
-0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ <internal>::#4 = SMB::c$smb_stateif (<internal>::#4?$current_file) { <internal>::#2 = SMB::c$smb_state<internal>::#3 = <internal>::#2$current_fileif (<internal>::#3?$name) else{ <internal>::#0 = SMB::c$smb_state<internal>::#1 = <internal>::#0$current_fileif (<internal>::#1?$path) elsereturn ()}}elsereturn ()<internal>::#5 = SMB::c$smb_stateSMB::current_file = <internal>::#5$current_file<internal>::#6 = SMB::current_file?$pathif (<internal>::#6) <internal>::#7 = SMB::current_file$path<internal>::#8 = <internal>::#6 ? <internal>::#7 : SMB::path_name = <internal>::#8<internal>::#9 = SMB::current_file?$nameif (<internal>::#9) <internal>::#10 = SMB::current_file$name<internal>::#11 = <internal>::#9 ? <internal>::#10 : SMB::file_name = <internal>::#11<internal>::#12 = SMB::current_file?$timesif (<internal>::#12) { <internal>::#13 = SMB::current_file$times<internal>::#14 = <internal>::#13$modified}else<internal>::#15 = double_to_time(0.0)<internal>::#16 = <internal>::#12 ? <internal>::#14 : <internal>::#15SMB::last_mod = cat(<internal>::#16)<internal>::#17 = SMB::c$id<internal>::#18 = <internal>::#17$orig_h<internal>::#19 = SMB::c$id<internal>::#20 = <internal>::#19$resp_h<internal>::#21 = cat(Analyzer::ANALYZER_SMB, <internal>::#18, <internal>::#20, SMB::path_name, SMB::file_name, SMB::last_mod)<internal>::#22 = hexdump(<internal>::#21)return (<internal>::#22)}, describe=SMB::describe_file{ <init> SMB::cid, SMB::c<internal>::#0 = SMB::f$sourceif (<internal>::#0 != SMB) return ()<internal>::#1 = SMB::f$connsfor ([SMB::cid] in <internal>::#1) if (SMB::c?$smb_state) { <internal>::#7 = SMB::c$smb_stateif (<internal>::#7?$current_file) { <internal>::#5 = SMB::c$smb_state<internal>::#6 = <internal>::#5$current_fileif (<internal>::#6?$name) { <internal>::#2 = SMB::c$smb_state<internal>::#3 = <internal>::#2$current_file<internal>::#4 = <internal>::#3$namereturn (<internal>::#4)}}}return ()}])
+0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SMB, [get_file_handle=SMB::get_file_handle{ <internal>::#4 = SMB::c$smb_stateif (<internal>::#4?$current_file) { <internal>::#2 = SMB::c$smb_state<internal>::#3 = <internal>::#2$current_fileif (<internal>::#3?$name) else{ <internal>::#0 = SMB::c$smb_state<internal>::#1 = <internal>::#0$current_fileif (<internal>::#1?$path) elsereturn ()}}elsereturn ()<internal>::#5 = SMB::c$smb_stateSMB::current_file = <internal>::#5$current_file<internal>::#6 = SMB::current_file?$pathif (<internal>::#6) <internal>::#7 = SMB::current_file$path<internal>::#8 = <internal>::#6 ? <internal>::#7 : SMB::path_name = <internal>::#8<internal>::#9 = SMB::current_file?$nameif (<internal>::#9) <internal>::#10 = SMB::current_file$name<internal>::#11 = <internal>::#9 ? <internal>::#10 : SMB::file_name = <internal>::#11<internal>::#12 = SMB::current_file?$timesif (<internal>::#12) { <internal>::#13 = SMB::current_file$times<internal>::#14 = <internal>::#13$modified_raw}<internal>::#15 = <internal>::#12 ? <internal>::#14 : 0SMB::last_mod = cat(<internal>::#15)<internal>::#16 = SMB::c$id<internal>::#17 = <internal>::#16$orig_h<internal>::#18 = SMB::c$id<internal>::#19 = <internal>::#18$resp_h<internal>::#20 = cat(Analyzer::ANALYZER_SMB, <internal>::#17, <internal>::#19, SMB::path_name, SMB::file_name, SMB::last_mod)<internal>::#21 = hexdump(<internal>::#20)return (<internal>::#21)}, describe=SMB::describe_file{ <init> SMB::cid, SMB::c<internal>::#0 = SMB::f$sourceif (<internal>::#0 != SMB) return ()<internal>::#1 = SMB::f$connsfor ([SMB::cid] in <internal>::#1) if (SMB::c?$smb_state) { <internal>::#7 = SMB::c$smb_stateif (<internal>::#7?$current_file) { <internal>::#5 = SMB::c$smb_state<internal>::#6 = <internal>::#5$current_fileif (<internal>::#6?$name) { <internal>::#2 = SMB::c$smb_state<internal>::#3 = <internal>::#2$current_file<internal>::#4 = <internal>::#3$namereturn (<internal>::#4)}}}return ()}])
 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SMTP, [get_file_handle=SMTP::get_file_handle{ <internal>::#0 = SMTP::c$start_time<internal>::#1 = SMTP::c$smtp<internal>::#2 = <internal>::#1$trans_depth<internal>::#3 = SMTP::c$smtp_state<internal>::#4 = <internal>::#3$mime_depth<internal>::#5 = cat(Analyzer::ANALYZER_SMTP, <internal>::#0, <internal>::#2, <internal>::#4)return (<internal>::#5)}, describe=SMTP::describe_file{ <init> SMTP::cid, SMTP::c<internal>::#0 = SMTP::f$sourceif (<internal>::#0 != SMTP) return ()<internal>::#1 = SMTP::f$connsfor ([SMTP::cid] in <internal>::#1) { <internal>::#2 = SMTP::c$smtp<internal>::#3 = SMTP::describe(<internal>::#2)return (<internal>::#3)}return ()}])
 0.000000 | HookCallFunction Files::register_protocol(Analyzer::ANALYZER_SSL, [get_file_handle=SSL::get_file_handlereturn (), describe=SSL::describe_file{ <init> SSL::cid, SSL::c<internal>::#3 = SSL::f$sourceif (<internal>::#3 != SSL) return ()elseif (SSL::f?$info) { <internal>::#2 = SSL::f$infoif (<internal>::#2?$x509) { <internal>::#0 = SSL::f$info<internal>::#1 = <internal>::#0$x509if (<internal>::#1?$certificate) elsereturn ()}elsereturn ()}elsereturn ()<internal>::#4 = SSL::f$connsfor ([SSL::cid] in <internal>::#4) if (SSL::c?$ssl) { <internal>::#5 = SSL::c$id<internal>::#6 = <internal>::#5$resp_h<internal>::#7 = SSL::c$id<internal>::#8 = <internal>::#7$resp_p<internal>::#9 = cat(<internal>::#6, :, <internal>::#8)return (<internal>::#9)}<internal>::#10 = SSL::f$info<internal>::#11 = <internal>::#10$x509<internal>::#12 = <internal>::#11$certificate<internal>::#13 = <internal>::#12$serial<internal>::#14 = SSL::f$info<internal>::#15 = <internal>::#14$x509<internal>::#16 = <internal>::#15$certificate<internal>::#17 = <internal>::#16$subject<internal>::#18 = SSL::f$info<internal>::#19 = <internal>::#18$x509<internal>::#20 = <internal>::#19$certificate<internal>::#21 = <internal>::#20$issuer<internal>::#22 = cat(Serial: , <internal>::#13,  Subject: , <internal>::#17,  Issuer: , <internal>::#21)return (<internal>::#22)}])
 0.000000 | HookCallFunction FilteredTraceDetection::should_detect()
@@ -2293,6 +3123,7 @@
 0.000000 | HookCallFunction Log::__add_filter(NetControl::SHUNT, [name=default, writer=Log::WRITER_ASCII, path=netcontrol_shunt, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
 0.000000 | HookCallFunction Log::__add_filter(Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, path=notice_alarm, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
 0.000000 | HookCallFunction Log::__add_filter(Notice::LOG, [name=default, writer=Log::WRITER_ASCII, path=notice, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
+0.000000 | HookCallFunction Log::__add_filter(OCSP::LOG, [name=default, writer=Log::WRITER_ASCII, path=ocsp, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
 0.000000 | HookCallFunction Log::__add_filter(OpenFlow::LOG, [name=default, writer=Log::WRITER_ASCII, path=openflow, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
 0.000000 | HookCallFunction Log::__add_filter(PE::LOG, [name=default, writer=Log::WRITER_ASCII, path=pe, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
 0.000000 | HookCallFunction Log::__add_filter(PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, path=packet_filter, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
@@ -2308,6 +3139,7 @@
 0.000000 | HookCallFunction Log::__add_filter(SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, path=socks, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
 0.000000 | HookCallFunction Log::__add_filter(SSH::LOG, [name=default, writer=Log::WRITER_ASCII, path=ssh, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
 0.000000 | HookCallFunction Log::__add_filter(SSL::LOG, [name=default, writer=Log::WRITER_ASCII, path=ssl, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
+0.000000 | HookCallFunction Log::__add_filter(SSL::LOG, [name=default, writer=Log::WRITER_ASCII, path=ssl, path_func=<uninitialized>, include=<uninitialized>, exclude={issuer,client_subject,subject,client_issuer}, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
 0.000000 | HookCallFunction Log::__add_filter(Signatures::LOG, [name=default, writer=Log::WRITER_ASCII, path=signatures, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
 0.000000 | HookCallFunction Log::__add_filter(Software::LOG, [name=default, writer=Log::WRITER_ASCII, path=software, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
 0.000000 | HookCallFunction Log::__add_filter(Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, path=syslog, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
@@ -2325,7 +3157,7 @@
 0.000000 | HookCallFunction Log::__create_stream(DNS::LOG, [columns=DNS::Info, ev=DNS::log_dns, path=dns, policy=DNS::log_policy])
 0.000000 | HookCallFunction Log::__create_stream(DPD::LOG, [columns=DPD::Info, ev=<uninitialized>, path=dpd, policy=DPD::log_policy])
 0.000000 | HookCallFunction Log::__create_stream(FTP::LOG, [columns=FTP::Info, ev=FTP::log_ftp, path=ftp, policy=FTP::log_policy])
-0.000000 | HookCallFunction Log::__create_stream(Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files, policy=Files::log_policy])
+0.000000 | HookCallFunction Log::__create_stream(Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files, policy=Files::log_policyif ((F == X509::log_x509_in_files_log)) { <internal>::#0 = X509::rec$analyzersif ((X509 in <internal>::#0)) break }])
 0.000000 | HookCallFunction Log::__create_stream(HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http, policy=HTTP::log_policy])
 0.000000 | HookCallFunction Log::__create_stream(IRC::LOG, [columns=IRC::Info, ev=IRC::irc_log, path=irc, policy=IRC::log_policy])
 0.000000 | HookCallFunction Log::__create_stream(Intel::LOG, [columns=Intel::Info, ev=Intel::log_intel, path=intel, policy=Intel::log_policy])
@@ -2338,6 +3170,7 @@
 0.000000 | HookCallFunction Log::__create_stream(NetControl::SHUNT, [columns=NetControl::ShuntInfo, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt, policy=NetControl::log_policy_shunt])
 0.000000 | HookCallFunction Log::__create_stream(Notice::ALARM_LOG, [columns=Notice::Info, ev=<uninitialized>, path=notice_alarm, policy=Notice::log_policy_alarm])
 0.000000 | HookCallFunction Log::__create_stream(Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice, policy=Notice::log_policy])
+0.000000 | HookCallFunction Log::__create_stream(OCSP::LOG, [columns=OCSP::Info, ev=OCSP::log_ocsp, path=ocsp, policy=OCSP::log_policy])
 0.000000 | HookCallFunction Log::__create_stream(OpenFlow::LOG, [columns=OpenFlow::Info, ev=OpenFlow::log_openflow, path=openflow, policy=OpenFlow::log_policy])
 0.000000 | HookCallFunction Log::__create_stream(PE::LOG, [columns=PE::Info, ev=PE::log_pe, path=pe, policy=PE::log_policy])
 0.000000 | HookCallFunction Log::__create_stream(PacketFilter::LOG, [columns=PacketFilter::Info, ev=<uninitialized>, path=packet_filter, policy=PacketFilter::log_policy])
@@ -2384,6 +3217,7 @@
 0.000000 | HookCallFunction Log::add_default_filter(NetControl::SHUNT)
 0.000000 | HookCallFunction Log::add_default_filter(Notice::ALARM_LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Notice::LOG)
+0.000000 | HookCallFunction Log::add_default_filter(OCSP::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(OpenFlow::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(PE::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(PacketFilter::LOG)
@@ -2429,6 +3263,7 @@
 0.000000 | HookCallFunction Log::add_filter(NetControl::SHUNT, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
 0.000000 | HookCallFunction Log::add_filter(Notice::ALARM_LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
 0.000000 | HookCallFunction Log::add_filter(Notice::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
+0.000000 | HookCallFunction Log::add_filter(OCSP::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
 0.000000 | HookCallFunction Log::add_filter(OpenFlow::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
 0.000000 | HookCallFunction Log::add_filter(PE::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
 0.000000 | HookCallFunction Log::add_filter(PacketFilter::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
@@ -2444,6 +3279,7 @@
 0.000000 | HookCallFunction Log::add_filter(SOCKS::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
 0.000000 | HookCallFunction Log::add_filter(SSH::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
 0.000000 | HookCallFunction Log::add_filter(SSL::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
+0.000000 | HookCallFunction Log::add_filter(SSL::LOG, [name=default, writer=Log::WRITER_ASCII, path=ssl, path_func=<uninitialized>, include=<uninitialized>, exclude={issuer,client_subject,subject,client_issuer}, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
 0.000000 | HookCallFunction Log::add_filter(Signatures::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
 0.000000 | HookCallFunction Log::add_filter(Software::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
 0.000000 | HookCallFunction Log::add_filter(Syslog::LOG, [name=default, writer=Log::WRITER_ASCII, path=<uninitialized>, path_func=<uninitialized>, include=<uninitialized>, exclude=<uninitialized>, log_local=T, log_remote=T, field_name_map={}, scope_sep=., ext_prefix=_, ext_func=lambda_<2528247166937952945>, interv=0 secs, postprocessor=<uninitialized>, config={}, policy=<uninitialized>])
@@ -2474,6 +3310,7 @@
 0.000000 | HookCallFunction Log::add_stream_filters(NetControl::SHUNT, default)
 0.000000 | HookCallFunction Log::add_stream_filters(Notice::ALARM_LOG, default)
 0.000000 | HookCallFunction Log::add_stream_filters(Notice::LOG, default)
+0.000000 | HookCallFunction Log::add_stream_filters(OCSP::LOG, default)
 0.000000 | HookCallFunction Log::add_stream_filters(OpenFlow::LOG, default)
 0.000000 | HookCallFunction Log::add_stream_filters(PE::LOG, default)
 0.000000 | HookCallFunction Log::add_stream_filters(PacketFilter::LOG, default)
@@ -2506,7 +3343,7 @@
 0.000000 | HookCallFunction Log::create_stream(DNS::LOG, [columns=DNS::Info, ev=DNS::log_dns, path=dns, policy=DNS::log_policy])
 0.000000 | HookCallFunction Log::create_stream(DPD::LOG, [columns=DPD::Info, ev=<uninitialized>, path=dpd, policy=DPD::log_policy])
 0.000000 | HookCallFunction Log::create_stream(FTP::LOG, [columns=FTP::Info, ev=FTP::log_ftp, path=ftp, policy=FTP::log_policy])
-0.000000 | HookCallFunction Log::create_stream(Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files, policy=Files::log_policy])
+0.000000 | HookCallFunction Log::create_stream(Files::LOG, [columns=Files::Info, ev=Files::log_files, path=files, policy=Files::log_policyif ((F == X509::log_x509_in_files_log)) { <internal>::#0 = X509::rec$analyzersif ((X509 in <internal>::#0)) break }])
 0.000000 | HookCallFunction Log::create_stream(HTTP::LOG, [columns=HTTP::Info, ev=HTTP::log_http, path=http, policy=HTTP::log_policy])
 0.000000 | HookCallFunction Log::create_stream(IRC::LOG, [columns=IRC::Info, ev=IRC::irc_log, path=irc, policy=IRC::log_policy])
 0.000000 | HookCallFunction Log::create_stream(Intel::LOG, [columns=Intel::Info, ev=Intel::log_intel, path=intel, policy=Intel::log_policy])
@@ -2519,6 +3356,7 @@
 0.000000 | HookCallFunction Log::create_stream(NetControl::SHUNT, [columns=NetControl::ShuntInfo, ev=NetControl::log_netcontrol_shunt, path=netcontrol_shunt, policy=NetControl::log_policy_shunt])
 0.000000 | HookCallFunction Log::create_stream(Notice::ALARM_LOG, [columns=Notice::Info, ev=<uninitialized>, path=notice_alarm, policy=Notice::log_policy_alarm])
 0.000000 | HookCallFunction Log::create_stream(Notice::LOG, [columns=Notice::Info, ev=Notice::log_notice, path=notice, policy=Notice::log_policy])
+0.000000 | HookCallFunction Log::create_stream(OCSP::LOG, [columns=OCSP::Info, ev=OCSP::log_ocsp, path=ocsp, policy=OCSP::log_policy])
 0.000000 | HookCallFunction Log::create_stream(OpenFlow::LOG, [columns=OpenFlow::Info, ev=OpenFlow::log_openflow, path=openflow, policy=OpenFlow::log_policy])
 0.000000 | HookCallFunction Log::create_stream(PE::LOG, [columns=PE::Info, ev=PE::log_pe, path=pe, policy=PE::log_policy])
 0.000000 | HookCallFunction Log::create_stream(PacketFilter::LOG, [columns=PacketFilter::Info, ev=<uninitialized>, path=packet_filter, policy=PacketFilter::log_policy])
@@ -2541,6 +3379,8 @@
 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=Weird::Info, ev=Weird::log_weird, path=weird, policy=Weird::log_policy])
 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=X509::Info, ev=X509::log_x509, path=x509, policy=X509::log_policy])
 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=MySQL::Info, ev=MySQL::log_mysql, path=mysql, policy=MySQL::log_policy])
+0.000000 | HookCallFunction Log::get_filter(SSL::LOG, default)
+0.000000 | HookCallFunction Log::log_stream_policy([ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T], PacketFilter::LOG)
 0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction NetControl::check_plugins()
 0.000000 | HookCallFunction NetControl::init()
@@ -2633,11 +3473,29 @@
 0.000000 | HookCallFunction Option::set_change_handler(X509::caching_required_encounters_interval, Config::config_option_changed{ <internal>::#0 = network_time()<internal>::#1 = lookup_ID(Config::ID)<internal>::#2 = Config::format_value(<internal>::#1)<internal>::#3 = Config::format_value(Config::new_value)Config::log = Config::Info($ts=<internal>::#0, $id=Config::ID, $old_value=<internal>::#2, $new_value=<internal>::#3)if ( != Config::location) Config::log$location $= Config::location<internal>::#4 = to_any_coerceConfig::logLog::write(Config::LOG, <internal>::#4)return (Config::new_value)}, -100)
 0.000000 | HookCallFunction Option::set_change_handler(X509::certificate_cache_max_entries, Config::config_option_changed{ <internal>::#0 = network_time()<internal>::#1 = lookup_ID(Config::ID)<internal>::#2 = Config::format_value(<internal>::#1)<internal>::#3 = Config::format_value(Config::new_value)Config::log = Config::Info($ts=<internal>::#0, $id=Config::ID, $old_value=<internal>::#2, $new_value=<internal>::#3)if ( != Config::location) Config::log$location $= Config::location<internal>::#4 = to_any_coerceConfig::logLog::write(Config::LOG, <internal>::#4)return (Config::new_value)}, -100)
 0.000000 | HookCallFunction Option::set_change_handler(X509::certificate_cache_minimum_eviction_interval, Config::config_option_changed{ <internal>::#0 = network_time()<internal>::#1 = lookup_ID(Config::ID)<internal>::#2 = Config::format_value(<internal>::#1)<internal>::#3 = Config::format_value(Config::new_value)Config::log = Config::Info($ts=<internal>::#0, $id=Config::ID, $old_value=<internal>::#2, $new_value=<internal>::#3)if ( != Config::location) Config::log$location $= Config::location<internal>::#4 = to_any_coerceConfig::logLog::write(Config::LOG, <internal>::#4)return (Config::new_value)}, -100)
+0.000000 | HookCallFunction Option::set_change_handler(X509::hash_function, Config::config_option_changed{ <internal>::#0 = network_time()<internal>::#1 = lookup_ID(Config::ID)<internal>::#2 = Config::format_value(<internal>::#1)<internal>::#3 = Config::format_value(Config::new_value)Config::log = Config::Info($ts=<internal>::#0, $id=Config::ID, $old_value=<internal>::#2, $new_value=<internal>::#3)if ( != Config::location) Config::log$location $= Config::location<internal>::#4 = to_any_coerceConfig::logLog::write(Config::LOG, <internal>::#4)return (Config::new_value)}, -100)
+0.000000 | HookCallFunction Option::set_change_handler(X509::known_log_certs_maximum_size, Config::config_option_changed{ <internal>::#0 = network_time()<internal>::#1 = lookup_ID(Config::ID)<internal>::#2 = Config::format_value(<internal>::#1)<internal>::#3 = Config::format_value(Config::new_value)Config::log = Config::Info($ts=<internal>::#0, $id=Config::ID, $old_value=<internal>::#2, $new_value=<internal>::#3)if ( != Config::location) Config::log$location $= Config::location<internal>::#4 = to_any_coerceConfig::logLog::write(Config::LOG, <internal>::#4)return (Config::new_value)}, -100)
+0.000000 | HookCallFunction Option::set_change_handler(X509::log_x509_in_files_log, Config::config_option_changed{ <internal>::#0 = network_time()<internal>::#1 = lookup_ID(Config::ID)<internal>::#2 = Config::format_value(<internal>::#1)<internal>::#3 = Config::format_value(Config::new_value)Config::log = Config::Info($ts=<internal>::#0, $id=Config::ID, $old_value=<internal>::#2, $new_value=<internal>::#3)if ( != Config::location) Config::log$location $= Config::location<internal>::#4 = to_any_coerceConfig::logLog::write(Config::LOG, <internal>::#4)return (Config::new_value)}, -100)
+0.000000 | HookCallFunction Option::set_change_handler(X509::relog_known_certificates_after, Config::config_option_changed{ <internal>::#0 = network_time()<internal>::#1 = lookup_ID(Config::ID)<internal>::#2 = Config::format_value(<internal>::#1)<internal>::#3 = Config::format_value(Config::new_value)Config::log = Config::Info($ts=<internal>::#0, $id=Config::ID, $old_value=<internal>::#2, $new_value=<internal>::#3)if ( != Config::location) Config::log$location $= Config::location<internal>::#4 = to_any_coerceConfig::logLog::write(Config::LOG, <internal>::#4)return (Config::new_value)}, -100)
 0.000000 | HookCallFunction Option::set_change_handler(default_file_bof_buffer_size, Config::config_option_changed{ <internal>::#0 = network_time()<internal>::#1 = lookup_ID(Config::ID)<internal>::#2 = Config::format_value(<internal>::#1)<internal>::#3 = Config::format_value(Config::new_value)Config::log = Config::Info($ts=<internal>::#0, $id=Config::ID, $old_value=<internal>::#2, $new_value=<internal>::#3)if ( != Config::location) Config::log$location $= Config::location<internal>::#4 = to_any_coerceConfig::logLog::write(Config::LOG, <internal>::#4)return (Config::new_value)}, -100)
 0.000000 | HookCallFunction Option::set_change_handler(default_file_timeout_interval, Config::config_option_changed{ <internal>::#0 = network_time()<internal>::#1 = lookup_ID(Config::ID)<internal>::#2 = Config::format_value(<internal>::#1)<internal>::#3 = Config::format_value(Config::new_value)Config::log = Config::Info($ts=<internal>::#0, $id=Config::ID, $old_value=<internal>::#2, $new_value=<internal>::#3)if ( != Config::location) Config::log$location $= Config::location<internal>::#4 = to_any_coerceConfig::logLog::write(Config::LOG, <internal>::#4)return (Config::new_value)}, -100)
 0.000000 | HookCallFunction Option::set_change_handler(ignore_checksums_nets, Config::config_option_changed{ <internal>::#0 = network_time()<internal>::#1 = lookup_ID(Config::ID)<internal>::#2 = Config::format_value(<internal>::#1)<internal>::#3 = Config::format_value(Config::new_value)Config::log = Config::Info($ts=<internal>::#0, $id=Config::ID, $old_value=<internal>::#2, $new_value=<internal>::#3)if ( != Config::location) Config::log$location $= Config::location<internal>::#4 = to_any_coerceConfig::logLog::write(Config::LOG, <internal>::#4)return (Config::new_value)}, -100)
+0.000000 | HookCallFunction Option::set_change_handler(ignore_checksums_nets, PacketAnalyzer::IP::analyzer_option_change_ignore_checksums_nets{ if (ignore_checksums_nets == PacketAnalyzer::IP::ID) PacketAnalyzer::__set_ignore_checksums_nets(PacketAnalyzer::IP::new_value)return (PacketAnalyzer::IP::new_value)}, 5)
 0.000000 | HookCallFunction Option::set_change_handler(udp_content_delivery_ports_use_resp, Config::config_option_changed{ <internal>::#0 = network_time()<internal>::#1 = lookup_ID(Config::ID)<internal>::#2 = Config::format_value(<internal>::#1)<internal>::#3 = Config::format_value(Config::new_value)Config::log = Config::Info($ts=<internal>::#0, $id=Config::ID, $old_value=<internal>::#2, $new_value=<internal>::#3)if ( != Config::location) Config::log$location $= Config::location<internal>::#4 = to_any_coerceConfig::logLog::write(Config::LOG, <internal>::#4)return (Config::new_value)}, -100)
 0.000000 | HookCallFunction Option::set_change_handler(udp_content_ports, Config::config_option_changed{ <internal>::#0 = network_time()<internal>::#1 = lookup_ID(Config::ID)<internal>::#2 = Config::format_value(<internal>::#1)<internal>::#3 = Config::format_value(Config::new_value)Config::log = Config::Info($ts=<internal>::#0, $id=Config::ID, $old_value=<internal>::#2, $new_value=<internal>::#3)if ( != Config::location) Config::log$location $= Config::location<internal>::#4 = to_any_coerceConfig::logLog::write(Config::LOG, <internal>::#4)return (Config::new_value)}, -100)
+0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, 5072/udp)
+0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, 6081/udp)
+0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1, 2123/udp)
+0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1, 2152/udp)
+0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, 3544/udp)
+0.000000 | HookCallFunction PacketAnalyzer::register_for_port(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, 4789/udp)
+0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA, {5072/udp})
+0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GENEVE, {6081/udp})
+0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1, {2152<...>/udp})
+0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO, {3544/udp})
+0.000000 | HookCallFunction PacketAnalyzer::register_for_ports(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_VXLAN, {4789/udp})
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_AYIYA, 4, PacketAnalyzer::ANALYZER_IP)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_AYIYA, 41, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 2048, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 2054, PacketAnalyzer::ANALYZER_ARP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 32821, PacketAnalyzer::ANALYZER_ARP)
@@ -2648,6 +3506,10 @@
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 34984, PacketAnalyzer::ANALYZER_VLAN)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 35110, PacketAnalyzer::ANALYZER_VNTAG)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ETHERNET, 37120, PacketAnalyzer::ANALYZER_VLAN)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GENEVE, 2048, PacketAnalyzer::ANALYZER_IP)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GENEVE, 2054, PacketAnalyzer::ANALYZER_ARP)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GENEVE, 2269, PacketAnalyzer::ANALYZER_IP)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_GENEVE, 25944, PacketAnalyzer::ANALYZER_ETHERNET)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IEEE802_11, 2048, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IEEE802_11, 2054, PacketAnalyzer::ANALYZER_ARP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_IEEE802_11, 32821, PacketAnalyzer::ANALYZER_ARP)
@@ -2683,6 +3545,12 @@
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 127, PacketAnalyzer::ANALYZER_IEEE802_11_RADIO)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 239, PacketAnalyzer::ANALYZER_NFLOG)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_ROOT, 50, PacketAnalyzer::ANALYZER_PPPSERIAL)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 2123, PacketAnalyzer::ANALYZER_GTPV1)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 2152, PacketAnalyzer::ANALYZER_GTPV1)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 3544, PacketAnalyzer::ANALYZER_TEREDO)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 4789, PacketAnalyzer::ANALYZER_VXLAN)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 5072, PacketAnalyzer::ANALYZER_AYIYA)
+0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_UDP, 6081, PacketAnalyzer::ANALYZER_GENEVE)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 2048, PacketAnalyzer::ANALYZER_IP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 2054, PacketAnalyzer::ANALYZER_ARP)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VLAN, 32821, PacketAnalyzer::ANALYZER_ARP)
@@ -2693,6 +3561,9 @@
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VNTAG, 33024, PacketAnalyzer::ANALYZER_VLAN)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VNTAG, 34984, PacketAnalyzer::ANALYZER_VLAN)
 0.000000 | HookCallFunction PacketAnalyzer::register_packet_analyzer(PacketAnalyzer::ANALYZER_VNTAG, 37120, PacketAnalyzer::ANALYZER_VLAN)
+0.000000 | HookCallFunction PacketAnalyzer::register_protocol_detection(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_AYIYA)
+0.000000 | HookCallFunction PacketAnalyzer::register_protocol_detection(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_GTPV1)
+0.000000 | HookCallFunction PacketAnalyzer::register_protocol_detection(PacketAnalyzer::ANALYZER_UDP, PacketAnalyzer::ANALYZER_TEREDO)
 0.000000 | HookCallFunction PacketFilter::build()
 0.000000 | HookCallFunction PacketFilter::combine_filters(ip or not ip, and, )
 0.000000 | HookCallFunction PacketFilter::install()
@@ -2713,6 +3584,8 @@
 0.000000 | HookCallFunction SumStats::register_observe_plugin(SumStats::UNIQUE, lambda_<14393221830775341876>{ if (!SumStats::rv?$unique_vals) SumStats::rv$unique_vals = (coerce set() to set[SumStats::Observation])if (SumStats::r?$unique_max) SumStats::rv$unique_max = SumStats::r$unique_maxif (!SumStats::r?$unique_max || sizeofSumStats::rv$unique_vals <= SumStats::r$unique_max) add SumStats::rv$unique_vals[SumStats::obs]SumStats::rv$unique = sizeofSumStats::rv$unique_vals})
 0.000000 | HookCallFunction SumStats::register_observe_plugin(SumStats::VARIANCE, lambda_<6557258612059469785>{ if (1 < SumStats::rv$num) SumStats::rv$var_s += ((SumStats::val - SumStats::rv$prev_avg) * (SumStats::val - SumStats::rv$average))SumStats::calc_variance(SumStats::rv)SumStats::rv$prev_avg = SumStats::rv$average})
 0.000000 | HookCallFunction SumStats::register_observe_plugins()
+0.000000 | HookCallFunction Supervisor::__is_supervisor()
+0.000000 | HookCallFunction Supervisor::is_supervisor()
 0.000000 | HookCallFunction __init_primary_bifs()
 0.000000 | HookCallFunction __init_secondary_bifs()
 0.000000 | HookCallFunction current_time()
@@ -2721,6 +3594,12 @@
 0.000000 | HookCallFunction getenv(ZEEK_DEFAULT_LISTEN_ADDRESS)
 0.000000 | HookCallFunction global_ids()
 0.000000 | HookCallFunction network_time()
+0.000000 | HookCallFunction port_to_count(2123/udp)
+0.000000 | HookCallFunction port_to_count(2152/udp)
+0.000000 | HookCallFunction port_to_count(3544/udp)
+0.000000 | HookCallFunction port_to_count(4789/udp)
+0.000000 | HookCallFunction port_to_count(5072/udp)
+0.000000 | HookCallFunction port_to_count(6081/udp)
 0.000000 | HookCallFunction reading_live_traffic()
 0.000000 | HookCallFunction reading_traces()
 0.000000 | HookCallFunction set_to_regex({}, (^\.?|\.)(~~)$)
@@ -2760,6 +3639,7 @@
 0.000000 | HookLoadFile  ./Zeek_Finger.events.bif.zeek <...>/Zeek_Finger.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_GSSAPI.events.bif.zeek <...>/Zeek_GSSAPI.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_GTPv1.events.bif.zeek <...>/Zeek_GTPv1.events.bif.zeek
+0.000000 | HookLoadFile  ./Zeek_GTPv1.functions.bif.zeek <...>/Zeek_GTPv1.functions.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_Geneve.events.bif.zeek <...>/Zeek_Geneve.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_Gnutella.events.bif.zeek <...>/Zeek_Gnutella.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_HTTP.events.bif.zeek <...>/Zeek_HTTP.events.bif.zeek
@@ -2841,12 +3721,12 @@
 0.000000 | HookLoadFile  ./Zeek_SSL.events.bif.zeek <...>/Zeek_SSL.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_SSL.functions.bif.zeek <...>/Zeek_SSL.functions.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_SSL.types.bif.zeek <...>/Zeek_SSL.types.bif.zeek
-0.000000 | HookLoadFile  ./Zeek_SteppingStone.events.bif.zeek <...>/Zeek_SteppingStone.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_Syslog.events.bif.zeek <...>/Zeek_Syslog.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_TCP.events.bif.zeek <...>/Zeek_TCP.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_TCP.functions.bif.zeek <...>/Zeek_TCP.functions.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_TCP.types.bif.zeek <...>/Zeek_TCP.types.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_Teredo.events.bif.zeek <...>/Zeek_Teredo.events.bif.zeek
+0.000000 | HookLoadFile  ./Zeek_Teredo.functions.bif.zeek <...>/Zeek_Teredo.functions.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_UDP.events.bif.zeek <...>/Zeek_UDP.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_Unified2.events.bif.zeek <...>/Zeek_Unified2.events.bif.zeek
 0.000000 | HookLoadFile  ./Zeek_Unified2.types.bif.zeek <...>/Zeek_Unified2.types.bif.zeek
@@ -2866,6 +3746,7 @@
 0.000000 | HookLoadFile  ./bloom-filter.bif.zeek <...>/bloom-filter.bif.zeek
 0.000000 | HookLoadFile  ./broker <...>/broker.zeek
 0.000000 | HookLoadFile  ./cardinality-counter.bif.zeek <...>/cardinality-counter.bif.zeek
+0.000000 | HookLoadFile  ./certificate-event-cache <...>/certificate-event-cache.zeek
 0.000000 | HookLoadFile  ./comm.bif.zeek <...>/comm.bif.zeek
 0.000000 | HookLoadFile  ./const-dos-error <...>/const-dos-error.zeek
 0.000000 | HookLoadFile  ./const-nt-status <...>/const-nt-status.zeek
@@ -2899,9 +3780,11 @@
 0.000000 | HookLoadFile  ./last <...>/last.zeek
 0.000000 | HookLoadFile  ./libmagic <...>/libmagic.sig
 0.000000 | HookLoadFile  ./log <...>/log.zeek
+0.000000 | HookLoadFile  ./log-ocsp <...>/log-ocsp.zeek
 0.000000 | HookLoadFile  ./logging.bif.zeek <...>/logging.bif.zeek
 0.000000 | HookLoadFile  ./magic <...>/magic
 0.000000 | HookLoadFile  ./main <...>/main.zeek
+0.000000 | HookLoadFile  ./main.zeek <...>/main.zeek
 0.000000 | HookLoadFile  ./max <...>/max.zeek
 0.000000 | HookLoadFile  ./messaging.bif.zeek <...>/messaging.bif.zeek
 0.000000 | HookLoadFile  ./min <...>/min.zeek
@@ -2971,13 +3854,16 @@
 0.000000 | HookLoadFile  base/init-frameworks-and-bifs.zeek <...>/init-frameworks-and-bifs.zeek
 0.000000 | HookLoadFile  base/packet-protocols <...>/packet-protocols
 0.000000 | HookLoadFile  base<...>/CPP-load.bif <...>/CPP-load.bif.zeek
+0.000000 | HookLoadFile  base<...>/Zeek_GTPv1.functions.bif <...>/Zeek_GTPv1.functions.bif.zeek
 0.000000 | HookLoadFile  base<...>/Zeek_KRB.types.bif <...>/Zeek_KRB.types.bif.zeek
 0.000000 | HookLoadFile  base<...>/Zeek_SNMP.types.bif <...>/Zeek_SNMP.types.bif.zeek
+0.000000 | HookLoadFile  base<...>/Zeek_Teredo.functions.bif <...>/Zeek_Teredo.functions.bif.zeek
 0.000000 | HookLoadFile  base<...>/active-http <...>/active-http.zeek
 0.000000 | HookLoadFile  base<...>/addrs <...>/addrs.zeek
 0.000000 | HookLoadFile  base<...>/analyzer <...>/analyzer
 0.000000 | HookLoadFile  base<...>/analyzer.bif <...>/analyzer.bif.zeek
 0.000000 | HookLoadFile  base<...>/api <...>/api.zeek
+0.000000 | HookLoadFile  base<...>/ayiya <...>/ayiya
 0.000000 | HookLoadFile  base<...>/backtrace <...>/backtrace.zeek
 0.000000 | HookLoadFile  base<...>/broker <...>/broker
 0.000000 | HookLoadFile  base<...>/cluster <...>/cluster
@@ -3007,8 +3893,10 @@
 0.000000 | HookLoadFile  base<...>/find-checksum-offloading <...>/find-checksum-offloading.zeek
 0.000000 | HookLoadFile  base<...>/find-filtered-trace <...>/find-filtered-trace.zeek
 0.000000 | HookLoadFile  base<...>/ftp <...>/ftp
+0.000000 | HookLoadFile  base<...>/geneve <...>/geneve
 0.000000 | HookLoadFile  base<...>/geoip-distance <...>/geoip-distance.zeek
 0.000000 | HookLoadFile  base<...>/gre <...>/gre
+0.000000 | HookLoadFile  base<...>/gtpv1 <...>/gtpv1
 0.000000 | HookLoadFile  base<...>/hash <...>/hash
 0.000000 | HookLoadFile  base<...>/hash_hrw <...>/hash_hrw.zeek
 0.000000 | HookLoadFile  base<...>/http <...>/http
@@ -3027,6 +3915,7 @@
 0.000000 | HookLoadFile  base<...>/logging <...>/logging
 0.000000 | HookLoadFile  base<...>/logging.bif <...>/logging.bif.zeek
 0.000000 | HookLoadFile  base<...>/main <...>/main.zeek
+0.000000 | HookLoadFile  base<...>/main.zeek <...>/main.zeek
 0.000000 | HookLoadFile  base<...>/messaging.bif <...>/messaging.bif.zeek
 0.000000 | HookLoadFile  base<...>/modbus <...>/modbus
 0.000000 | HookLoadFile  base<...>/mpls <...>/mpls
@@ -3078,6 +3967,7 @@
 0.000000 | HookLoadFile  base<...>/supervisor.bif <...>/supervisor.bif.zeek
 0.000000 | HookLoadFile  base<...>/syslog <...>/syslog
 0.000000 | HookLoadFile  base<...>/tcp <...>/tcp
+0.000000 | HookLoadFile  base<...>/teredo <...>/teredo
 0.000000 | HookLoadFile  base<...>/thresholds <...>/thresholds.zeek
 0.000000 | HookLoadFile  base<...>/time <...>/time.zeek
 0.000000 | HookLoadFile  base<...>/tunnels <...>/tunnels
@@ -3088,10 +3978,392 @@
 0.000000 | HookLoadFile  base<...>/version <...>/version.zeek
 0.000000 | HookLoadFile  base<...>/vlan <...>/vlan
 0.000000 | HookLoadFile  base<...>/vntag <...>/vntag
+0.000000 | HookLoadFile  base<...>/vxlan <...>/vxlan
 0.000000 | HookLoadFile  base<...>/weird <...>/weird.zeek
 0.000000 | HookLoadFile  base<...>/x509 <...>/x509
 0.000000 | HookLoadFile  base<...>/xmpp <...>/xmpp
 0.000000 | HookLoadFile  base<...>/zeek.bif <...>/zeek.bif.zeek
+0.000000 | HookLoadFile  builtin-plugins/__load__.zeek <...>/__load__.zeek
+0.000000 | HookLoadFile  builtin-plugins/__preload__.zeek <...>/__preload__.zeek
+0.000000 | HookLoadFile  s1.sig ./s1.sig
+0.000000 | HookLoadFile  s2 ./s2.sig
+0.000000 | HookLoadFileExtended ../main <...>/main.zeek
+0.000000 | HookLoadFileExtended ../plugin <...>/plugin.zeek
+0.000000 | HookLoadFileExtended ./CPP-load.bif.zeek <...>/CPP-load.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_ARP.events.bif.zeek <...>/Zeek_ARP.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_AsciiReader.ascii.bif.zeek <...>/Zeek_AsciiReader.ascii.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_AsciiWriter.ascii.bif.zeek <...>/Zeek_AsciiWriter.ascii.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_BenchmarkReader.benchmark.bif.zeek <...>/Zeek_BenchmarkReader.benchmark.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_BinaryReader.binary.bif.zeek <...>/Zeek_BinaryReader.binary.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_BitTorrent.events.bif.zeek <...>/Zeek_BitTorrent.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_ConfigReader.config.bif.zeek <...>/Zeek_ConfigReader.config.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_ConnSize.events.bif.zeek <...>/Zeek_ConnSize.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_ConnSize.functions.bif.zeek <...>/Zeek_ConnSize.functions.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_DCE_RPC.consts.bif.zeek <...>/Zeek_DCE_RPC.consts.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_DCE_RPC.events.bif.zeek <...>/Zeek_DCE_RPC.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_DCE_RPC.types.bif.zeek <...>/Zeek_DCE_RPC.types.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_DHCP.events.bif.zeek <...>/Zeek_DHCP.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_DHCP.types.bif.zeek <...>/Zeek_DHCP.types.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_DNP3.events.bif.zeek <...>/Zeek_DNP3.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_DNS.events.bif.zeek <...>/Zeek_DNS.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_FTP.events.bif.zeek <...>/Zeek_FTP.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_FTP.functions.bif.zeek <...>/Zeek_FTP.functions.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_File.events.bif.zeek <...>/Zeek_File.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_FileEntropy.events.bif.zeek <...>/Zeek_FileEntropy.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_FileExtract.events.bif.zeek <...>/Zeek_FileExtract.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_FileExtract.functions.bif.zeek <...>/Zeek_FileExtract.functions.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_FileHash.events.bif.zeek <...>/Zeek_FileHash.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_Finger.events.bif.zeek <...>/Zeek_Finger.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_GSSAPI.events.bif.zeek <...>/Zeek_GSSAPI.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_GTPv1.events.bif.zeek <...>/Zeek_GTPv1.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_GTPv1.functions.bif.zeek <...>/Zeek_GTPv1.functions.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_Geneve.events.bif.zeek <...>/Zeek_Geneve.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_Gnutella.events.bif.zeek <...>/Zeek_Gnutella.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_HTTP.events.bif.zeek <...>/Zeek_HTTP.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_HTTP.functions.bif.zeek <...>/Zeek_HTTP.functions.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_ICMP.events.bif.zeek <...>/Zeek_ICMP.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_IMAP.events.bif.zeek <...>/Zeek_IMAP.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_IRC.events.bif.zeek <...>/Zeek_IRC.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_Ident.events.bif.zeek <...>/Zeek_Ident.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_KRB.events.bif.zeek <...>/Zeek_KRB.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_KRB.types.bif.zeek <...>/Zeek_KRB.types.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_Login.events.bif.zeek <...>/Zeek_Login.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_Login.functions.bif.zeek <...>/Zeek_Login.functions.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_MIME.events.bif.zeek <...>/Zeek_MIME.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_MQTT.events.bif.zeek <...>/Zeek_MQTT.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_MQTT.types.bif.zeek <...>/Zeek_MQTT.types.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_Modbus.events.bif.zeek <...>/Zeek_Modbus.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_MySQL.events.bif.zeek <...>/Zeek_MySQL.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_NCP.consts.bif.zeek <...>/Zeek_NCP.consts.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_NCP.events.bif.zeek <...>/Zeek_NCP.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_NTLM.events.bif.zeek <...>/Zeek_NTLM.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_NTLM.types.bif.zeek <...>/Zeek_NTLM.types.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_NTP.events.bif.zeek <...>/Zeek_NTP.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_NTP.types.bif.zeek <...>/Zeek_NTP.types.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_NetBIOS.events.bif.zeek <...>/Zeek_NetBIOS.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_NetBIOS.functions.bif.zeek <...>/Zeek_NetBIOS.functions.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_NoneWriter.none.bif.zeek <...>/Zeek_NoneWriter.none.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_PE.events.bif.zeek <...>/Zeek_PE.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_POP3.events.bif.zeek <...>/Zeek_POP3.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_RADIUS.events.bif.zeek <...>/Zeek_RADIUS.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_RDP.events.bif.zeek <...>/Zeek_RDP.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_RDP.types.bif.zeek <...>/Zeek_RDP.types.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_RFB.events.bif.zeek <...>/Zeek_RFB.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_RPC.events.bif.zeek <...>/Zeek_RPC.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_RawReader.raw.bif.zeek <...>/Zeek_RawReader.raw.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SIP.events.bif.zeek <...>/Zeek_SIP.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.consts.bif.zeek <...>/Zeek_SMB.consts.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.events.bif.zeek <...>/Zeek_SMB.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_check_directory.bif.zeek <...>/Zeek_SMB.smb1_com_check_directory.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_close.bif.zeek <...>/Zeek_SMB.smb1_com_close.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_create_directory.bif.zeek <...>/Zeek_SMB.smb1_com_create_directory.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_echo.bif.zeek <...>/Zeek_SMB.smb1_com_echo.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_logoff_andx.bif.zeek <...>/Zeek_SMB.smb1_com_logoff_andx.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_negotiate.bif.zeek <...>/Zeek_SMB.smb1_com_negotiate.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_nt_cancel.bif.zeek <...>/Zeek_SMB.smb1_com_nt_cancel.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_nt_create_andx.bif.zeek <...>/Zeek_SMB.smb1_com_nt_create_andx.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_query_information.bif.zeek <...>/Zeek_SMB.smb1_com_query_information.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_read_andx.bif.zeek <...>/Zeek_SMB.smb1_com_read_andx.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_session_setup_andx.bif.zeek <...>/Zeek_SMB.smb1_com_session_setup_andx.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_transaction.bif.zeek <...>/Zeek_SMB.smb1_com_transaction.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_transaction2.bif.zeek <...>/Zeek_SMB.smb1_com_transaction2.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek <...>/Zeek_SMB.smb1_com_transaction2_secondary.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_transaction_secondary.bif.zeek <...>/Zeek_SMB.smb1_com_transaction_secondary.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek <...>/Zeek_SMB.smb1_com_tree_connect_andx.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_tree_disconnect.bif.zeek <...>/Zeek_SMB.smb1_com_tree_disconnect.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_com_write_andx.bif.zeek <...>/Zeek_SMB.smb1_com_write_andx.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb1_events.bif.zeek <...>/Zeek_SMB.smb1_events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb2_com_close.bif.zeek <...>/Zeek_SMB.smb2_com_close.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb2_com_create.bif.zeek <...>/Zeek_SMB.smb2_com_create.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb2_com_negotiate.bif.zeek <...>/Zeek_SMB.smb2_com_negotiate.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb2_com_read.bif.zeek <...>/Zeek_SMB.smb2_com_read.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb2_com_session_setup.bif.zeek <...>/Zeek_SMB.smb2_com_session_setup.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb2_com_set_info.bif.zeek <...>/Zeek_SMB.smb2_com_set_info.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb2_com_transform_header.bif.zeek <...>/Zeek_SMB.smb2_com_transform_header.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb2_com_tree_connect.bif.zeek <...>/Zeek_SMB.smb2_com_tree_connect.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb2_com_tree_disconnect.bif.zeek <...>/Zeek_SMB.smb2_com_tree_disconnect.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb2_com_write.bif.zeek <...>/Zeek_SMB.smb2_com_write.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.smb2_events.bif.zeek <...>/Zeek_SMB.smb2_events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMB.types.bif.zeek <...>/Zeek_SMB.types.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMTP.events.bif.zeek <...>/Zeek_SMTP.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SMTP.functions.bif.zeek <...>/Zeek_SMTP.functions.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SNMP.events.bif.zeek <...>/Zeek_SNMP.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SNMP.types.bif.zeek <...>/Zeek_SNMP.types.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SOCKS.events.bif.zeek <...>/Zeek_SOCKS.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SQLiteReader.sqlite.bif.zeek <...>/Zeek_SQLiteReader.sqlite.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SQLiteWriter.sqlite.bif.zeek <...>/Zeek_SQLiteWriter.sqlite.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SSH.events.bif.zeek <...>/Zeek_SSH.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SSH.types.bif.zeek <...>/Zeek_SSH.types.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SSL.consts.bif.zeek <...>/Zeek_SSL.consts.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SSL.events.bif.zeek <...>/Zeek_SSL.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SSL.functions.bif.zeek <...>/Zeek_SSL.functions.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_SSL.types.bif.zeek <...>/Zeek_SSL.types.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_Syslog.events.bif.zeek <...>/Zeek_Syslog.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_TCP.events.bif.zeek <...>/Zeek_TCP.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_TCP.functions.bif.zeek <...>/Zeek_TCP.functions.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_TCP.types.bif.zeek <...>/Zeek_TCP.types.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_Teredo.events.bif.zeek <...>/Zeek_Teredo.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_Teredo.functions.bif.zeek <...>/Zeek_Teredo.functions.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_UDP.events.bif.zeek <...>/Zeek_UDP.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_Unified2.events.bif.zeek <...>/Zeek_Unified2.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_Unified2.types.bif.zeek <...>/Zeek_Unified2.types.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_VXLAN.events.bif.zeek <...>/Zeek_VXLAN.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_X509.events.bif.zeek <...>/Zeek_X509.events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_X509.functions.bif.zeek <...>/Zeek_X509.functions.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_X509.ocsp_events.bif.zeek <...>/Zeek_X509.ocsp_events.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_X509.types.bif.zeek <...>/Zeek_X509.types.bif.zeek
+0.000000 | HookLoadFileExtended ./Zeek_XMPP.events.bif.zeek <...>/Zeek_XMPP.events.bif.zeek
+0.000000 | HookLoadFileExtended ./acld <...>/acld.zeek
+0.000000 | HookLoadFileExtended ./addrs <...>/addrs.zeek
+0.000000 | HookLoadFileExtended ./analyzer.bif.zeek <...>/analyzer.bif.zeek
+0.000000 | HookLoadFileExtended ./api <...>/api.zeek
+0.000000 | HookLoadFileExtended ./archive <...>/archive.sig
+0.000000 | HookLoadFileExtended ./audio <...>/audio.sig
+0.000000 | HookLoadFileExtended ./average <...>/average.zeek
+0.000000 | HookLoadFileExtended ./bloom-filter.bif.zeek <...>/bloom-filter.bif.zeek
+0.000000 | HookLoadFileExtended ./broker <...>/broker.zeek
+0.000000 | HookLoadFileExtended ./cardinality-counter.bif.zeek <...>/cardinality-counter.bif.zeek
+0.000000 | HookLoadFileExtended ./certificate-event-cache <...>/certificate-event-cache.zeek
+0.000000 | HookLoadFileExtended ./comm.bif.zeek <...>/comm.bif.zeek
+0.000000 | HookLoadFileExtended ./const-dos-error <...>/const-dos-error.zeek
+0.000000 | HookLoadFileExtended ./const-nt-status <...>/const-nt-status.zeek
+0.000000 | HookLoadFileExtended ./const.bif.zeek <...>/const.bif.zeek
+0.000000 | HookLoadFileExtended ./consts <...>/consts.zeek
+0.000000 | HookLoadFileExtended ./contents <...>/contents.zeek
+0.000000 | HookLoadFileExtended ./control <...>/control.zeek
+0.000000 | HookLoadFileExtended ./ct-list <...>/ct-list.zeek
+0.000000 | HookLoadFileExtended ./data.bif.zeek <...>/data.bif.zeek
+0.000000 | HookLoadFileExtended ./dcc-send <...>/dcc-send.zeek
+0.000000 | HookLoadFileExtended ./debug <...>/debug.zeek
+0.000000 | HookLoadFileExtended ./dpd.sig <...>/dpd.sig
+0.000000 | HookLoadFileExtended ./drop <...>/drop.zeek
+0.000000 | HookLoadFileExtended ./entities <...>/entities.zeek
+0.000000 | HookLoadFileExtended ./event.bif.zeek <...>/event.bif.zeek
+0.000000 | HookLoadFileExtended ./exec <...>/exec.zeek
+0.000000 | HookLoadFileExtended ./executable <...>/executable.sig
+0.000000 | HookLoadFileExtended ./file_analysis.bif.zeek <...>/file_analysis.bif.zeek
+0.000000 | HookLoadFileExtended ./files <...>/files.zeek
+0.000000 | HookLoadFileExtended ./font <...>/font.sig
+0.000000 | HookLoadFileExtended ./general <...>/general.sig
+0.000000 | HookLoadFileExtended ./gridftp <...>/gridftp.zeek
+0.000000 | HookLoadFileExtended ./hll_unique <...>/hll_unique.zeek
+0.000000 | HookLoadFileExtended ./hooks.bif.zeek <...>/hooks.bif.zeek
+0.000000 | HookLoadFileExtended ./image <...>/image.sig
+0.000000 | HookLoadFileExtended ./inactivity <...>/inactivity.zeek
+0.000000 | HookLoadFileExtended ./info <...>/info.zeek
+0.000000 | HookLoadFileExtended ./input <...>/input.zeek
+0.000000 | HookLoadFileExtended ./input.bif.zeek <...>/input.bif.zeek
+0.000000 | HookLoadFileExtended ./java <...>/java.sig
+0.000000 | HookLoadFileExtended ./last <...>/last.zeek
+0.000000 | HookLoadFileExtended ./libmagic <...>/libmagic.sig
+0.000000 | HookLoadFileExtended ./log <...>/log.zeek
+0.000000 | HookLoadFileExtended ./log-ocsp <...>/log-ocsp.zeek
+0.000000 | HookLoadFileExtended ./logging.bif.zeek <...>/logging.bif.zeek
+0.000000 | HookLoadFileExtended ./magic <...>/magic
+0.000000 | HookLoadFileExtended ./main <...>/main.zeek
+0.000000 | HookLoadFileExtended ./main.zeek <...>/main.zeek
+0.000000 | HookLoadFileExtended ./max <...>/max.zeek
+0.000000 | HookLoadFileExtended ./messaging.bif.zeek <...>/messaging.bif.zeek
+0.000000 | HookLoadFileExtended ./min <...>/min.zeek
+0.000000 | HookLoadFileExtended ./mozilla-ca-list <...>/mozilla-ca-list.zeek
+0.000000 | HookLoadFileExtended ./netstats <...>/netstats.zeek
+0.000000 | HookLoadFileExtended ./non-cluster <...>/non-cluster.zeek
+0.000000 | HookLoadFileExtended ./office <...>/office.sig
+0.000000 | HookLoadFileExtended ./openflow <...>/openflow.zeek
+0.000000 | HookLoadFileExtended ./option.bif.zeek <...>/option.bif.zeek
+0.000000 | HookLoadFileExtended ./packet_analysis.bif.zeek <...>/packet_analysis.bif.zeek
+0.000000 | HookLoadFileExtended ./packetfilter <...>/packetfilter.zeek
+0.000000 | HookLoadFileExtended ./patterns <...>/patterns.zeek
+0.000000 | HookLoadFileExtended ./pcap.bif.zeek <...>/pcap.bif.zeek
+0.000000 | HookLoadFileExtended ./plugin <...>/plugin.zeek
+0.000000 | HookLoadFileExtended ./plugins <...>/plugins
+0.000000 | HookLoadFileExtended ./polling <...>/polling.zeek
+0.000000 | HookLoadFileExtended ./pools <...>/pools.zeek
+0.000000 | HookLoadFileExtended ./postprocessors <...>/postprocessors
+0.000000 | HookLoadFileExtended ./programming <...>/programming.sig
+0.000000 | HookLoadFileExtended ./removal-hooks <...>/removal-hooks.zeek
+0.000000 | HookLoadFileExtended ./reporter.bif.zeek <...>/reporter.bif.zeek
+0.000000 | HookLoadFileExtended ./ryu <...>/ryu.zeek
+0.000000 | HookLoadFileExtended ./sample <...>/sample.zeek
+0.000000 | HookLoadFileExtended ./scp <...>/scp.zeek
+0.000000 | HookLoadFileExtended ./sftp <...>/sftp.zeek
+0.000000 | HookLoadFileExtended ./shunt <...>/shunt.zeek
+0.000000 | HookLoadFileExtended ./site <...>/site.zeek
+0.000000 | HookLoadFileExtended ./smb1-main <...>/smb1-main.zeek
+0.000000 | HookLoadFileExtended ./smb2-main <...>/smb2-main.zeek
+0.000000 | HookLoadFileExtended ./stats.bif.zeek <...>/stats.bif.zeek
+0.000000 | HookLoadFileExtended ./std-dev <...>/std-dev.zeek
+0.000000 | HookLoadFileExtended ./store <...>/store.zeek
+0.000000 | HookLoadFileExtended ./store.bif.zeek <...>/store.bif.zeek
+0.000000 | HookLoadFileExtended ./strings.bif.zeek <...>/strings.bif.zeek
+0.000000 | HookLoadFileExtended ./sum <...>/sum.zeek
+0.000000 | HookLoadFileExtended ./supervisor.bif.zeek <...>/supervisor.bif.zeek
+0.000000 | HookLoadFileExtended ./telemetry.bif.zeek <...>/telemetry.bif.zeek
+0.000000 | HookLoadFileExtended ./thresholds <...>/thresholds.zeek
+0.000000 | HookLoadFileExtended ./top-k.bif.zeek <...>/top-k.bif.zeek
+0.000000 | HookLoadFileExtended ./topk <...>/topk.zeek
+0.000000 | HookLoadFileExtended ./types <...>/types.zeek
+0.000000 | HookLoadFileExtended ./types.bif.zeek <...>/types.bif.zeek
+0.000000 | HookLoadFileExtended ./unique <...>/unique.zeek
+0.000000 | HookLoadFileExtended ./utils <...>/utils.zeek
+0.000000 | HookLoadFileExtended ./utils-commands <...>/utils-commands.zeek
+0.000000 | HookLoadFileExtended ./variance <...>/variance.zeek
+0.000000 | HookLoadFileExtended ./video <...>/video.sig
+0.000000 | HookLoadFileExtended ./weird <...>/weird.zeek
+0.000000 | HookLoadFileExtended ./zeek.bif.zeek <...>/zeek.bif.zeek
+0.000000 | HookLoadFileExtended ./zeekygen.bif.zeek <...>/zeekygen.bif.zeek
+0.000000 | HookLoadFileExtended .<...>/add-geodata <...>/add-geodata.zeek
+0.000000 | HookLoadFileExtended .<...>/ascii <...>/ascii.zeek
+0.000000 | HookLoadFileExtended .<...>/benchmark <...>/benchmark.zeek
+0.000000 | HookLoadFileExtended .<...>/binary <...>/binary.zeek
+0.000000 | HookLoadFileExtended .<...>/config <...>/config.zeek
+0.000000 | HookLoadFileExtended .<...>/email_admin <...>/email_admin.zeek
+0.000000 | HookLoadFileExtended .<...>/none <...>/none.zeek
+0.000000 | HookLoadFileExtended .<...>/page <...>/page.zeek
+0.000000 | HookLoadFileExtended .<...>/pp-alarms <...>/pp-alarms.zeek
+0.000000 | HookLoadFileExtended .<...>/raw <...>/raw.zeek
+0.000000 | HookLoadFileExtended .<...>/sqlite <...>/sqlite.zeek
+0.000000 | HookLoadFileExtended <...>/__load__.zeek <...>/__load__.zeek
+0.000000 | HookLoadFileExtended <...>/__preload__.zeek <...>/__preload__.zeek
+0.000000 | HookLoadFileExtended <...>/hooks.zeek <...>/hooks.zeek
+0.000000 | HookLoadFileExtended base/bif <...>/bif
+0.000000 | HookLoadFileExtended base/init-default <...>/init-default.zeek
+0.000000 | HookLoadFileExtended base/init-frameworks-and-bifs.zeek <...>/init-frameworks-and-bifs.zeek
+0.000000 | HookLoadFileExtended base/packet-protocols <...>/packet-protocols
+0.000000 | HookLoadFileExtended base<...>/CPP-load.bif <...>/CPP-load.bif.zeek
+0.000000 | HookLoadFileExtended base<...>/Zeek_GTPv1.functions.bif <...>/Zeek_GTPv1.functions.bif.zeek
+0.000000 | HookLoadFileExtended base<...>/Zeek_KRB.types.bif <...>/Zeek_KRB.types.bif.zeek
+0.000000 | HookLoadFileExtended base<...>/Zeek_SNMP.types.bif <...>/Zeek_SNMP.types.bif.zeek
+0.000000 | HookLoadFileExtended base<...>/Zeek_Teredo.functions.bif <...>/Zeek_Teredo.functions.bif.zeek
+0.000000 | HookLoadFileExtended base<...>/active-http <...>/active-http.zeek
+0.000000 | HookLoadFileExtended base<...>/addrs <...>/addrs.zeek
+0.000000 | HookLoadFileExtended base<...>/analyzer <...>/analyzer
+0.000000 | HookLoadFileExtended base<...>/analyzer.bif <...>/analyzer.bif.zeek
+0.000000 | HookLoadFileExtended base<...>/api <...>/api.zeek
+0.000000 | HookLoadFileExtended base<...>/ayiya <...>/ayiya
+0.000000 | HookLoadFileExtended base<...>/backtrace <...>/backtrace.zeek
+0.000000 | HookLoadFileExtended base<...>/broker <...>/broker
+0.000000 | HookLoadFileExtended base<...>/cluster <...>/cluster
+0.000000 | HookLoadFileExtended base<...>/comm.bif <...>/comm.bif.zeek
+0.000000 | HookLoadFileExtended base<...>/config <...>/config
+0.000000 | HookLoadFileExtended base<...>/conn <...>/conn
+0.000000 | HookLoadFileExtended base<...>/conn-ids <...>/conn-ids.zeek
+0.000000 | HookLoadFileExtended base<...>/const.bif <...>/const.bif.zeek
+0.000000 | HookLoadFileExtended base<...>/control <...>/control
+0.000000 | HookLoadFileExtended base<...>/data.bif <...>/data.bif.zeek
+0.000000 | HookLoadFileExtended base<...>/dce-rpc <...>/dce-rpc
+0.000000 | HookLoadFileExtended base<...>/dhcp <...>/dhcp
+0.000000 | HookLoadFileExtended base<...>/dir <...>/dir.zeek
+0.000000 | HookLoadFileExtended base<...>/directions-and-hosts <...>/directions-and-hosts.zeek
+0.000000 | HookLoadFileExtended base<...>/dnp3 <...>/dnp3
+0.000000 | HookLoadFileExtended base<...>/dns <...>/dns
+0.000000 | HookLoadFileExtended base<...>/dpd <...>/dpd
+0.000000 | HookLoadFileExtended base<...>/email <...>/email.zeek
+0.000000 | HookLoadFileExtended base<...>/ethernet <...>/ethernet
+0.000000 | HookLoadFileExtended base<...>/event.bif <...>/event.bif.zeek
+0.000000 | HookLoadFileExtended base<...>/exec <...>/exec.zeek
+0.000000 | HookLoadFileExtended base<...>/extract <...>/extract
+0.000000 | HookLoadFileExtended base<...>/fddi <...>/fddi
+0.000000 | HookLoadFileExtended base<...>/file_analysis.bif <...>/file_analysis.bif.zeek
+0.000000 | HookLoadFileExtended base<...>/files <...>/files
+0.000000 | HookLoadFileExtended base<...>/files <...>/files.zeek
+0.000000 | HookLoadFileExtended base<...>/find-checksum-offloading <...>/find-checksum-offloading.zeek
+0.000000 | HookLoadFileExtended base<...>/find-filtered-trace <...>/find-filtered-trace.zeek
+0.000000 | HookLoadFileExtended base<...>/ftp <...>/ftp
+0.000000 | HookLoadFileExtended base<...>/geneve <...>/geneve
+0.000000 | HookLoadFileExtended base<...>/geoip-distance <...>/geoip-distance.zeek
+0.000000 | HookLoadFileExtended base<...>/gre <...>/gre
+0.000000 | HookLoadFileExtended base<...>/gtpv1 <...>/gtpv1
+0.000000 | HookLoadFileExtended base<...>/hash <...>/hash
+0.000000 | HookLoadFileExtended base<...>/hash_hrw <...>/hash_hrw.zeek
+0.000000 | HookLoadFileExtended base<...>/http <...>/http
+0.000000 | HookLoadFileExtended base<...>/icmp <...>/icmp
+0.000000 | HookLoadFileExtended base<...>/ieee802_11 <...>/ieee802_11
+0.000000 | HookLoadFileExtended base<...>/ieee802_11_radio <...>/ieee802_11_radio
+0.000000 | HookLoadFileExtended base<...>/imap <...>/imap
+0.000000 | HookLoadFileExtended base<...>/input <...>/input
+0.000000 | HookLoadFileExtended base<...>/input.bif <...>/input.bif.zeek
+0.000000 | HookLoadFileExtended base<...>/intel <...>/intel
+0.000000 | HookLoadFileExtended base<...>/ip <...>/ip
+0.000000 | HookLoadFileExtended base<...>/iptunnel <...>/iptunnel
+0.000000 | HookLoadFileExtended base<...>/irc <...>/irc
+0.000000 | HookLoadFileExtended base<...>/krb <...>/krb
+0.000000 | HookLoadFileExtended base<...>/linux_sll <...>/linux_sll
+0.000000 | HookLoadFileExtended base<...>/logging <...>/logging
+0.000000 | HookLoadFileExtended base<...>/logging.bif <...>/logging.bif.zeek
+0.000000 | HookLoadFileExtended base<...>/main <...>/main.zeek
+0.000000 | HookLoadFileExtended base<...>/main.zeek <...>/main.zeek
+0.000000 | HookLoadFileExtended base<...>/messaging.bif <...>/messaging.bif.zeek
+0.000000 | HookLoadFileExtended base<...>/modbus <...>/modbus
+0.000000 | HookLoadFileExtended base<...>/mpls <...>/mpls
+0.000000 | HookLoadFileExtended base<...>/mqtt <...>/mqtt
+0.000000 | HookLoadFileExtended base<...>/mysql <...>/mysql
+0.000000 | HookLoadFileExtended base<...>/netcontrol <...>/netcontrol
+0.000000 | HookLoadFileExtended base<...>/nflog <...>/nflog
+0.000000 | HookLoadFileExtended base<...>/notice <...>/notice
+0.000000 | HookLoadFileExtended base<...>/ntlm <...>/ntlm
+0.000000 | HookLoadFileExtended base<...>/ntp <...>/ntp
+0.000000 | HookLoadFileExtended base<...>/null <...>/null
+0.000000 | HookLoadFileExtended base<...>/numbers <...>/numbers.zeek
+0.000000 | HookLoadFileExtended base<...>/openflow <...>/openflow
+0.000000 | HookLoadFileExtended base<...>/option.bif <...>/option.bif.zeek
+0.000000 | HookLoadFileExtended base<...>/packet-filter <...>/packet-filter
+0.000000 | HookLoadFileExtended base<...>/packet_analysis.bif <...>/packet_analysis.bif.zeek
+0.000000 | HookLoadFileExtended base<...>/paths <...>/paths.zeek
+0.000000 | HookLoadFileExtended base<...>/patterns <...>/patterns.zeek
+0.000000 | HookLoadFileExtended base<...>/pe <...>/pe
+0.000000 | HookLoadFileExtended base<...>/plugins <...>/plugins
+0.000000 | HookLoadFileExtended base<...>/pop3 <...>/pop3
+0.000000 | HookLoadFileExtended base<...>/ppp_serial <...>/ppp_serial
+0.000000 | HookLoadFileExtended base<...>/pppoe <...>/pppoe
+0.000000 | HookLoadFileExtended base<...>/queue <...>/queue.zeek
+0.000000 | HookLoadFileExtended base<...>/radius <...>/radius
+0.000000 | HookLoadFileExtended base<...>/rdp <...>/rdp
+0.000000 | HookLoadFileExtended base<...>/removal-hooks <...>/removal-hooks.zeek
+0.000000 | HookLoadFileExtended base<...>/reporter <...>/reporter
+0.000000 | HookLoadFileExtended base<...>/reporter.bif <...>/reporter.bif.zeek
+0.000000 | HookLoadFileExtended base<...>/rfb <...>/rfb
+0.000000 | HookLoadFileExtended base<...>/root <...>/root
+0.000000 | HookLoadFileExtended base<...>/signatures <...>/signatures
+0.000000 | HookLoadFileExtended base<...>/sip <...>/sip
+0.000000 | HookLoadFileExtended base<...>/site <...>/site.zeek
+0.000000 | HookLoadFileExtended base<...>/skip <...>/skip
+0.000000 | HookLoadFileExtended base<...>/smb <...>/smb
+0.000000 | HookLoadFileExtended base<...>/smtp <...>/smtp
+0.000000 | HookLoadFileExtended base<...>/snmp <...>/snmp
+0.000000 | HookLoadFileExtended base<...>/socks <...>/socks
+0.000000 | HookLoadFileExtended base<...>/software <...>/software
+0.000000 | HookLoadFileExtended base<...>/ssh <...>/ssh
+0.000000 | HookLoadFileExtended base<...>/ssl <...>/ssl
+0.000000 | HookLoadFileExtended base<...>/stats.bif <...>/stats.bif.zeek
+0.000000 | HookLoadFileExtended base<...>/store.bif <...>/store.bif.zeek
+0.000000 | HookLoadFileExtended base<...>/strings <...>/strings.zeek
+0.000000 | HookLoadFileExtended base<...>/strings.bif <...>/strings.bif.zeek
+0.000000 | HookLoadFileExtended base<...>/sumstats <...>/sumstats
+0.000000 | HookLoadFileExtended base<...>/supervisor <...>/supervisor
+0.000000 | HookLoadFileExtended base<...>/supervisor.bif <...>/supervisor.bif.zeek
+0.000000 | HookLoadFileExtended base<...>/syslog <...>/syslog
+0.000000 | HookLoadFileExtended base<...>/tcp <...>/tcp
+0.000000 | HookLoadFileExtended base<...>/teredo <...>/teredo
+0.000000 | HookLoadFileExtended base<...>/thresholds <...>/thresholds.zeek
+0.000000 | HookLoadFileExtended base<...>/time <...>/time.zeek
+0.000000 | HookLoadFileExtended base<...>/tunnels <...>/tunnels
+0.000000 | HookLoadFileExtended base<...>/types.bif <...>/types.bif.zeek
+0.000000 | HookLoadFileExtended base<...>/udp <...>/udp
+0.000000 | HookLoadFileExtended base<...>/urls <...>/urls.zeek
+0.000000 | HookLoadFileExtended base<...>/utils <...>/utils.zeek
+0.000000 | HookLoadFileExtended base<...>/version <...>/version.zeek
+0.000000 | HookLoadFileExtended base<...>/vlan <...>/vlan
+0.000000 | HookLoadFileExtended base<...>/vntag <...>/vntag
+0.000000 | HookLoadFileExtended base<...>/vxlan <...>/vxlan
+0.000000 | HookLoadFileExtended base<...>/weird <...>/weird.zeek
+0.000000 | HookLoadFileExtended base<...>/x509 <...>/x509
+0.000000 | HookLoadFileExtended base<...>/xmpp <...>/xmpp
+0.000000 | HookLoadFileExtended base<...>/zeek.bif <...>/zeek.bif.zeek
+0.000000 | HookLoadFileExtended builtin-plugins/__load__.zeek <...>/__load__.zeek
+0.000000 | HookLoadFileExtended builtin-plugins/__preload__.zeek <...>/__preload__.zeek
+0.000000 | HookLoadFileExtended s1.sig ./s1.sig
+0.000000 | HookLoadFileExtended s2 ./s2.sig
 0.000000 | HookLogInit   packet_filter 1/1 {ts (time), node (string), filter (string), init (bool), success (bool)}
 0.000000 | HookLogWrite  packet_filter [ts=XXXXXXXXXX.XXXXXX, node=zeek, filter=ip or not ip, init=T, success=T]
 0.000000 | HookQueueEvent NetControl::init()
@@ -3172,6 +4444,7 @@ XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[o
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::infoif (HTTP::c?$http_state) { <internal>::#0 = HTTP::c$http_state<internal>::#1 = <internal>::#0$pendingfor ([HTTP::r] in <internal>::#1) { if (0 == HTTP::r) next <internal>::#2 = to_any_coerceHTTP::infoLog::write(HTTP::LOG, <internal>::#2)}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::infoif (HTTP::c?$http_state) { <internal>::#0 = HTTP::c$http_state<internal>::#1 = <internal>::#0$pendingfor ([HTTP::r] in <internal>::#1) { if (0 == HTTP::r) next <internal>::#2 = to_any_coerceHTTP::infoLog::write(HTTP::LOG, <internal>::#2)}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::infoif (HTTP::c?$http_state) { <internal>::#0 = HTTP::c$http_state<internal>::#1 = <internal>::#0$pendingfor ([HTTP::r] in <internal>::#1) { if (0 == HTTP::r) next <internal>::#2 = to_any_coerceHTTP::infoLog::write(HTTP::LOG, <internal>::#2)}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
+XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(analyzer_confirmation, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856/tcp, 192.150.187.43, 80/tcp)) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(fmt, <frame>, (-%s, HTTP)) -> <no result>
@@ -3186,10 +4459,10 @@ XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(http_message_done, <null>, ([id=[
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(http_request, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], GET, <...>/CHANGES.bro-aux.txt, <...>/CHANGES.bro-aux.txt, 1.1)) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp])) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(network_time, <frame>, ()) -> <no result>
-XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(protocol_confirmation, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTPXXXXXXXXXX.XXXXXXT11141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(split_string1, <frame>, (bro.org, /^?(:)$?/)) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  DrainEvents() -> <void>
+XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(analyzer_confirmation([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)) -> false
 XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
 XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
 XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> false
@@ -3199,7 +4472,6 @@ XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228
 XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, User-Agent, USER-AGENT, Wget/1.14 (darwin12.2.0))) -> false
 XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::infoif (HTTP::c?$http_state) { <internal>::#0 = HTTP::c$http_state<internal>::#1 = <internal>::#0$pendingfor ([HTTP::r] in <internal>::#1) { if (0 == HTTP::r) next <internal>::#2 = to_any_coerceHTTP::infoLog::write(HTTP::LOG, <internal>::#2)}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=XXXXXXXXXX.XXXXXX, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])) -> false
 XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(http_request([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], GET, <...>/CHANGES.bro-aux.txt, <...>/CHANGES.bro-aux.txt, 1.1)) -> false
-XXXXXXXXXX.XXXXXX   MetaHookPost  QueueEvent(protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)) -> false
 XXXXXXXXXX.XXXXXX   MetaHookPost  UpdateNetworkTime(XXXXXXXXXX.XXXXXX) -> <void>
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(Analyzer::__name, <frame>, (Analyzer::ANALYZER_HTTP))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(Analyzer::name, <frame>, (Analyzer::ANALYZER_HTTP))
@@ -3212,6 +4484,7 @@ XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[o
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::infoif (HTTP::c?$http_state) { <internal>::#0 = HTTP::c$http_state<internal>::#1 = <internal>::#0$pendingfor ([HTTP::r] in <internal>::#1) { if (0 == HTTP::r) next <internal>::#2 = to_any_coerceHTTP::infoLog::write(HTTP::LOG, <internal>::#2)}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::infoif (HTTP::c?$http_state) { <internal>::#0 = HTTP::c$http_state<internal>::#1 = <internal>::#0$pendingfor ([HTTP::r] in <internal>::#1) { if (0 == HTTP::r) next <internal>::#2 = to_any_coerceHTTP::infoLog::write(HTTP::LOG, <internal>::#2)}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::infoif (HTTP::c?$http_state) { <internal>::#0 = HTTP::c$http_state<internal>::#1 = <internal>::#0$pendingfor ([HTTP::r] in <internal>::#1) { if (0 == HTTP::r) next <internal>::#2 = to_any_coerceHTTP::infoLog::write(HTTP::LOG, <internal>::#2)}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
+XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(analyzer_confirmation, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(fmt, <frame>, (%s:%d > %s:%d, 141.142.228.5, 59856/tcp, 192.150.187.43, 80/tcp))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(fmt, <frame>, (-%s, HTTP))
@@ -3226,10 +4499,10 @@ XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(http_message_done, <null>, ([id=[
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(http_request, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], GET, <...>/CHANGES.bro-aux.txt, <...>/CHANGES.bro-aux.txt, 1.1))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(id_string, <frame>, ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(network_time, <frame>, ())
-XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(protocol_confirmation, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(set_file_handle, <frame>, (Analyzer::ANALYZER_HTTPXXXXXXXXXX.XXXXXXT11141.142.228.5:59856 > 192.150.187.43:80))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(split_string1, <frame>, (bro.org, /^?(:)$?/))
 XXXXXXXXXX.XXXXXX   MetaHookPre   DrainEvents()
+XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(analyzer_confirmation([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3))
 XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
 XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
 XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
@@ -3239,7 +4512,6 @@ XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228
 XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, User-Agent, USER-AGENT, Wget/1.14 (darwin12.2.0)))
 XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(http_message_done([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::infoif (HTTP::c?$http_state) { <internal>::#0 = HTTP::c$http_state<internal>::#1 = <internal>::#0$pendingfor ([HTTP::r] in <internal>::#1) { if (0 == HTTP::r) next <internal>::#2 = to_any_coerceHTTP::infoLog::write(HTTP::LOG, <internal>::#2)}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=XXXXXXXXXX.XXXXXX, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124]))
 XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(http_request([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], GET, <...>/CHANGES.bro-aux.txt, <...>/CHANGES.bro-aux.txt, 1.1))
-XXXXXXXXXX.XXXXXX   MetaHookPre   QueueEvent(protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3))
 XXXXXXXXXX.XXXXXX   MetaHookPre   UpdateNetworkTime(XXXXXXXXXX.XXXXXX)
 XXXXXXXXXX.XXXXXX  | HookUpdateNetworkTime XXXXXXXXXX.XXXXXX
 XXXXXXXXXX.XXXXXX | HookCallFunction Analyzer::__name(Analyzer::ANALYZER_HTTP)
@@ -3253,6 +4525,7 @@ XXXXXXXXXX.XXXXXX | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5,
 XXXXXXXXXX.XXXXXX | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::infoif (HTTP::c?$http_state) { <internal>::#0 = HTTP::c$http_state<internal>::#1 = <internal>::#0$pendingfor ([HTTP::r] in <internal>::#1) { if (0 == HTTP::r) next <internal>::#2 = to_any_coerceHTTP::infoLog::write(HTTP::LOG, <internal>::#2)}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=<uninitialized>, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
 XXXXXXXXXX.XXXXXX | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::infoif (HTTP::c?$http_state) { <internal>::#0 = HTTP::c$http_state<internal>::#1 = <internal>::#0$pendingfor ([HTTP::r] in <internal>::#1) { if (0 == HTTP::r) next <internal>::#2 = to_any_coerceHTTP::infoLog::write(HTTP::LOG, <internal>::#2)}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
 XXXXXXXXXX.XXXXXX | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::infoif (HTTP::c?$http_state) { <internal>::#0 = HTTP::c$http_state<internal>::#1 = <internal>::#0$pendingfor ([HTTP::r] in <internal>::#1) { if (0 == HTTP::r) next <internal>::#2 = to_any_coerceHTTP::infoLog::write(HTTP::LOG, <internal>::#2)}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=[filename=<uninitialized>], orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
+XXXXXXXXXX.XXXXXX | HookCallFunction analyzer_confirmation([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)
 XXXXXXXXXX.XXXXXX | HookCallFunction cat(Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)
 XXXXXXXXXX.XXXXXX | HookCallFunction fmt(%s:%d > %s:%d, 141.142.228.5, 59856/tcp, 192.150.187.43, 80/tcp)
 XXXXXXXXXX.XXXXXX | HookCallFunction fmt(-%s, HTTP)
@@ -3267,10 +4540,10 @@ XXXXXXXXXX.XXXXXX | HookCallFunction http_message_done([id=[orig_h=141.142.228.5
 XXXXXXXXXX.XXXXXX | HookCallFunction http_request([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], GET, <...>/CHANGES.bro-aux.txt, <...>/CHANGES.bro-aux.txt, 1.1)
 XXXXXXXXXX.XXXXXX | HookCallFunction id_string([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp])
 XXXXXXXXXX.XXXXXX | HookCallFunction network_time()
-XXXXXXXXXX.XXXXXX | HookCallFunction protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)
 XXXXXXXXXX.XXXXXX | HookCallFunction set_file_handle(Analyzer::ANALYZER_HTTPXXXXXXXXXX.XXXXXXT11141.142.228.5:59856 > 192.150.187.43:80)
 XXXXXXXXXX.XXXXXX | HookCallFunction split_string1(bro.org, /^?(:)$?/)
 XXXXXXXXXX.XXXXXX | HookDrainEvents
+XXXXXXXXXX.XXXXXX | HookQueueEvent analyzer_confirmation([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)
 XXXXXXXXXX.XXXXXX | HookQueueEvent get_file_handle(Analyzer::ANALYZER_HTTP, [id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
 XXXXXXXXXX.XXXXXX | HookQueueEvent http_begin_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
 XXXXXXXXXX.XXXXXX | HookQueueEvent http_end_entity([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
@@ -3280,7 +4553,6 @@ XXXXXXXXXX.XXXXXX | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p
 XXXXXXXXXX.XXXXXX | HookQueueEvent http_header([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, User-Agent, USER-AGENT, Wget/1.14 (darwin12.2.0))
 XXXXXXXXXX.XXXXXX | HookQueueEvent http_message_done([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={HTTP}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::infoif (HTTP::c?$http_state) { <internal>::#0 = HTTP::c$http_state<internal>::#1 = <internal>::#0$pendingfor ([HTTP::r] in <internal>::#1) { if (0 == HTTP::r) next <internal>::#2 = to_any_coerceHTTP::infoLog::write(HTTP::LOG, <internal>::#2)}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=<uninitialized>, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=<uninitialized>, status_msg=<uninitialized>, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=<uninitialized>, resp_filenames=<uninitialized>, resp_mime_types=<uninitialized>, current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=0]}, current_request=1, current_response=0, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T, [start=XXXXXXXXXX.XXXXXX, interrupted=F, finish_msg=message ends normally, body_length=0, content_gap_length=0, header_length=124])
 XXXXXXXXXX.XXXXXX | HookQueueEvent http_request([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], GET, <...>/CHANGES.bro-aux.txt, <...>/CHANGES.bro-aux.txt, 1.1)
-XXXXXXXXXX.XXXXXX | HookQueueEvent protocol_confirmation([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=2, num_bytes_ip=116, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=0, state=4, num_pkts=1, num_bytes_ip=60, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=70.0 msecs 183.038712 usecs, service={}, history=ShAD, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks=<uninitialized>, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=<uninitialized>, http_state=<uninitialized>, irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], Analyzer::ANALYZER_HTTP, 3)
 XXXXXXXXXX.XXXXXX   MetaHookPost  DrainEvents() -> <void>
 XXXXXXXXXX.XXXXXX   MetaHookPost  UpdateNetworkTime(XXXXXXXXXX.XXXXXX) -> <void>
 XXXXXXXXXX.XXXXXX   MetaHookPre   DrainEvents()
@@ -3443,6 +4715,8 @@ XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(HTTP::log_policy, <null>, ([ts=XX
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 430.927277 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::infoif (HTTP::c?$http_state) { <internal>::#0 = HTTP::c$http_state<internal>::#1 = <internal>::#0$pendingfor ([HTTP::r] in <internal>::#1) { if (0 == HTTP::r) next <internal>::#2 = to_any_coerceHTTP::infoLog::write(HTTP::LOG, <internal>::#2)}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(Log::__write, <frame>, (Files::LOG, [ts=XXXXXXXXXX.XXXXXX, fuid=FMnxxt3xjVcWNS2141, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.975693 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>])) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(Log::__write, <frame>, (HTTP::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1])) -> <no result>
+XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(Log::log_stream_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], HTTP::LOG)) -> <no result>
+XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(Log::log_stream_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, fuid=FMnxxt3xjVcWNS2141, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.975693 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], Files::LOG)) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(Log::write, <frame>, (Files::LOG, [ts=XXXXXXXXXX.XXXXXX, fuid=FMnxxt3xjVcWNS2141, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.975693 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>])) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(Log::write, <frame>, (HTTP::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1])) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
@@ -3474,6 +4748,8 @@ XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(HTTP::log_policy, <null>, ([ts=XX
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(HTTP::set_state, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 430.927277 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::infoif (HTTP::c?$http_state) { <internal>::#0 = HTTP::c$http_state<internal>::#1 = <internal>::#0$pendingfor ([HTTP::r] in <internal>::#1) { if (0 == HTTP::r) next <internal>::#2 = to_any_coerceHTTP::infoLog::write(HTTP::LOG, <internal>::#2)}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(Log::__write, <frame>, (Files::LOG, [ts=XXXXXXXXXX.XXXXXX, fuid=FMnxxt3xjVcWNS2141, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.975693 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(Log::__write, <frame>, (HTTP::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]))
+XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(Log::log_stream_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], HTTP::LOG))
+XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(Log::log_stream_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, fuid=FMnxxt3xjVcWNS2141, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.975693 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], Files::LOG))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(Log::write, <frame>, (Files::LOG, [ts=XXXXXXXXXX.XXXXXX, fuid=FMnxxt3xjVcWNS2141, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.975693 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>]))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(Log::write, <frame>, (HTTP::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80))
@@ -3506,6 +4782,8 @@ XXXXXXXXXX.XXXXXX | HookCallFunction HTTP::log_policy([ts=XXXXXXXXXX.XXXXXX, uid
 XXXXXXXXXX.XXXXXX | HookCallFunction HTTP::set_state([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=4, num_pkts=3, num_bytes_ip=304, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=4, num_pkts=5, num_bytes_ip=4612, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=140.0 msecs 430.927277 usecs, service={HTTP}, history=ShADad, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::infoif (HTTP::c?$http_state) { <internal>::#0 = HTTP::c$http_state<internal>::#1 = <internal>::#0$pendingfor ([HTTP::r] in <internal>::#1) { if (0 == HTTP::r) next <internal>::#2 = to_any_coerceHTTP::infoLog::write(HTTP::LOG, <internal>::#2)}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={[1] = [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=0, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1]}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], F)
 XXXXXXXXXX.XXXXXX | HookCallFunction Log::__write(Files::LOG, [ts=XXXXXXXXXX.XXXXXX, fuid=FMnxxt3xjVcWNS2141, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.975693 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>])
 XXXXXXXXXX.XXXXXX | HookCallFunction Log::__write(HTTP::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1])
+XXXXXXXXXX.XXXXXX | HookCallFunction Log::log_stream_policy([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], HTTP::LOG)
+XXXXXXXXXX.XXXXXX | HookCallFunction Log::log_stream_policy([ts=XXXXXXXXXX.XXXXXX, fuid=FMnxxt3xjVcWNS2141, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.975693 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>], Files::LOG)
 XXXXXXXXXX.XXXXXX | HookCallFunction Log::write(Files::LOG, [ts=XXXXXXXXXX.XXXXXX, fuid=FMnxxt3xjVcWNS2141, tx_hosts={192.150.187.43}, rx_hosts={141.142.228.5}, conn_uids={CHhAvVGS1DHFjwGM9}, source=HTTP, depth=0, analyzers={}, mime_type=text/plain, filename=<uninitialized>, duration=262.975693 usecs, local_orig=<uninitialized>, is_orig=F, seen_bytes=4705, total_bytes=4705, missing_bytes=0, overflow_bytes=0, timedout=F, parent_fuid=<uninitialized>, md5=<uninitialized>, sha1=<uninitialized>, sha256=<uninitialized>, x509=<uninitialized>, extracted=<uninitialized>, extracted_cutoff=<uninitialized>, extracted_size=<uninitialized>])
 XXXXXXXXXX.XXXXXX | HookCallFunction Log::write(HTTP::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1])
 XXXXXXXXXX.XXXXXX | HookCallFunction cat(Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, F, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)
@@ -3562,7 +4840,10 @@ XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(Conn::set_conn, <frame>, ([id=[or
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(HTTP::finalize_http, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::infoif (HTTP::c?$http_state) { <internal>::#0 = HTTP::c$http_state<internal>::#1 = <internal>::#0$pendingfor ([HTTP::r] in <internal>::#1) { if (0 == HTTP::r) next <internal>::#2 = to_any_coerceHTTP::infoLog::write(HTTP::LOG, <internal>::#2)}}}}, conn=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>], extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::infoif (HTTP::c?$http_state) { <internal>::#0 = HTTP::c$http_state<internal>::#1 = <internal>::#0$pendingfor ([HTTP::r] in <internal>::#1) { if (0 == HTTP::r) next <internal>::#2 = to_any_coerceHTTP::infoLog::write(HTTP::LOG, <internal>::#2)}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(Log::__write, <frame>, (Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>])) -> <no result>
+XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(Log::log_stream_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>], Conn::LOG)) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(Log::write, <frame>, (Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>])) -> <no result>
+XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(PacketAnalyzer::GTPV1::remove_gtpv1_connection, <frame>, ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp])) -> <no result>
+XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(PacketAnalyzer::TEREDO::remove_teredo_connection, <frame>, ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp])) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(connection_state_remove, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::infoif (HTTP::c?$http_state) { <internal>::#0 = HTTP::c$http_state<internal>::#1 = <internal>::#0$pendingfor ([HTTP::r] in <internal>::#1) { if (0 == HTTP::r) next <internal>::#2 = to_any_coerceHTTP::infoLog::write(HTTP::LOG, <internal>::#2)}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])) -> <no result>
 XXXXXXXXXX.XXXXXX   MetaHookPost  CallFunction(filter_change_tracking, <null>, ()) -> <no result>
@@ -3598,7 +4879,10 @@ XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(Conn::set_conn, <frame>, ([id=[or
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(HTTP::finalize_http, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::infoif (HTTP::c?$http_state) { <internal>::#0 = HTTP::c$http_state<internal>::#1 = <internal>::#0$pendingfor ([HTTP::r] in <internal>::#1) { if (0 == HTTP::r) next <internal>::#2 = to_any_coerceHTTP::infoLog::write(HTTP::LOG, <internal>::#2)}}}}, conn=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>], extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(HTTP::get_file_handle, <frame>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::infoif (HTTP::c?$http_state) { <internal>::#0 = HTTP::c$http_state<internal>::#1 = <internal>::#0$pendingfor ([HTTP::r] in <internal>::#1) { if (0 == HTTP::r) next <internal>::#2 = to_any_coerceHTTP::infoLog::write(HTTP::LOG, <internal>::#2)}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(Log::__write, <frame>, (Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>]))
+XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(Log::log_stream_policy, <null>, ([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>], Conn::LOG))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(Log::write, <frame>, (Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>]))
+XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(PacketAnalyzer::GTPV1::remove_gtpv1_connection, <frame>, ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]))
+XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(PacketAnalyzer::TEREDO::remove_teredo_connection, <frame>, ([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp]))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(cat, <frame>, (Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(connection_state_remove, <null>, ([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::infoif (HTTP::c?$http_state) { <internal>::#0 = HTTP::c$http_state<internal>::#1 = <internal>::#0$pendingfor ([HTTP::r] in <internal>::#1) { if (0 == HTTP::r) next <internal>::#2 = to_any_coerceHTTP::infoLog::write(HTTP::LOG, <internal>::#2)}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>]))
 XXXXXXXXXX.XXXXXX   MetaHookPre   CallFunction(filter_change_tracking, <null>, ())
@@ -3635,7 +4919,10 @@ XXXXXXXXXX.XXXXXX | HookCallFunction Conn::set_conn([id=[orig_h=141.142.228.5, o
 XXXXXXXXXX.XXXXXX | HookCallFunction HTTP::finalize_http([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::infoif (HTTP::c?$http_state) { <internal>::#0 = HTTP::c$http_state<internal>::#1 = <internal>::#0$pendingfor ([HTTP::r] in <internal>::#1) { if (0 == HTTP::r) next <internal>::#2 = to_any_coerceHTTP::infoLog::write(HTTP::LOG, <internal>::#2)}}}}, conn=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>], extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
 XXXXXXXXXX.XXXXXX | HookCallFunction HTTP::get_file_handle([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::infoif (HTTP::c?$http_state) { <internal>::#0 = HTTP::c$http_state<internal>::#1 = <internal>::#0$pendingfor ([HTTP::r] in <internal>::#1) { if (0 == HTTP::r) next <internal>::#2 = to_any_coerceHTTP::infoLog::write(HTTP::LOG, <internal>::#2)}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>], T)
 XXXXXXXXXX.XXXXXX | HookCallFunction Log::__write(Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>])
+XXXXXXXXXX.XXXXXX | HookCallFunction Log::log_stream_policy([ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>], Conn::LOG)
 XXXXXXXXXX.XXXXXX | HookCallFunction Log::write(Conn::LOG, [ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], proto=tcp, service=http, duration=211.0 msecs 483.955383 usecs, orig_bytes=136, resp_bytes=5007, conn_state=SF, local_orig=<uninitialized>, local_resp=<uninitialized>, missed_bytes=0, history=ShADadFf, orig_pkts=7, orig_ip_bytes=512, resp_pkts=7, resp_ip_bytes=5379, tunnel_parents=<uninitialized>])
+XXXXXXXXXX.XXXXXX | HookCallFunction PacketAnalyzer::GTPV1::remove_gtpv1_connection([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp])
+XXXXXXXXXX.XXXXXX | HookCallFunction PacketAnalyzer::TEREDO::remove_teredo_connection([orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp])
 XXXXXXXXXX.XXXXXX | HookCallFunction cat(Analyzer::ANALYZER_HTTP, XXXXXXXXXX.XXXXXX, T, 1, 1, 141.142.228.5:59856 > 192.150.187.43:80)
 XXXXXXXXXX.XXXXXX | HookCallFunction connection_state_remove([id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], orig=[size=136, state=5, num_pkts=7, num_bytes_ip=512, flow_label=0, l2_addr=c8:bc:c8:96:d2:a0], resp=[size=5007, state=5, num_pkts=7, num_bytes_ip=5379, flow_label=0, l2_addr=00:10:db:88:d2:ef], start_time=XXXXXXXXXX.XXXXXX, duration=211.0 msecs 483.955383 usecs, service={HTTP}, history=ShADadFf, uid=CHhAvVGS1DHFjwGM9, tunnel=<uninitialized>, vlan=<uninitialized>, inner_vlan=<uninitialized>, dpd=<uninitialized>, dpd_state=<uninitialized>, removal_hooks={HTTP::finalize_http{ <init> HTTP::r, HTTP::infoif (HTTP::c?$http_state) { <internal>::#0 = HTTP::c$http_state<internal>::#1 = <internal>::#0$pendingfor ([HTTP::r] in <internal>::#1) { if (0 == HTTP::r) next <internal>::#2 = to_any_coerceHTTP::infoLog::write(HTTP::LOG, <internal>::#2)}}}}, conn=<uninitialized>, extract_orig=F, extract_resp=F, thresholds=<uninitialized>, dce_rpc=<uninitialized>, dce_rpc_state=<uninitialized>, dce_rpc_backing=<uninitialized>, dhcp=<uninitialized>, dnp3=<uninitialized>, dns=<uninitialized>, dns_state=<uninitialized>, ftp=<uninitialized>, ftp_data_reuse=F, ssl=<uninitialized>, http=[ts=XXXXXXXXXX.XXXXXX, uid=CHhAvVGS1DHFjwGM9, id=[orig_h=141.142.228.5, orig_p=59856/tcp, resp_h=192.150.187.43, resp_p=80/tcp], trans_depth=1, method=GET, host=bro.org, uri=<...>/CHANGES.bro-aux.txt, referrer=<uninitialized>, version=1.1, user_agent=Wget/1.14 (darwin12.2.0), origin=<uninitialized>, request_body_len=0, response_body_len=4705, status_code=200, status_msg=OK, info_code=<uninitialized>, info_msg=<uninitialized>, tags={}, username=<uninitialized>, password=<uninitialized>, capture_password=F, proxied=<uninitialized>, range_request=F, orig_fuids=<uninitialized>, orig_filenames=<uninitialized>, orig_mime_types=<uninitialized>, resp_fuids=[FMnxxt3xjVcWNS2141], resp_filenames=<uninitialized>, resp_mime_types=[text/plain], current_entity=<uninitialized>, orig_mime_depth=1, resp_mime_depth=1], http_state=[pending={}, current_request=1, current_response=1, trans_depth=1], irc=<uninitialized>, krb=<uninitialized>, modbus=<uninitialized>, mysql=<uninitialized>, ntlm=<uninitialized>, ntp=<uninitialized>, radius=<uninitialized>, rdp=<uninitialized>, rfb=<uninitialized>, sip=<uninitialized>, sip_state=<uninitialized>, snmp=<uninitialized>, smb_state=<uninitialized>, smtp=<uninitialized>, smtp_state=<uninitialized>, socks=<uninitialized>, ssh=<uninitialized>, syslog=<uninitialized>])
 XXXXXXXXXX.XXXXXX | HookCallFunction filter_change_tracking()
diff --git a/testing/btest/Baseline/language.unused-assignment/out b/testing/btest/Baseline/language.unused-assignment/out
index 87aacb83bf..8b9959a034 100644
--- a/testing/btest/Baseline/language.unused-assignment/out
+++ b/testing/btest/Baseline/language.unused-assignment/out
@@ -1,2 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-warning: please_warn assignment unused: please_warn = test; <...>/unused-assignement.zeek, line 7
+warning: please_warn assignment unused: please_warn = test; <...>/unused-assignment.zeek, line 7

From bfaf891a99d7a1161c5772b329e96ac1e074fd81 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Tue, 14 Dec 2021 14:01:10 -0700
Subject: [PATCH 169/210] NEWS: add updates for new ZAM/script_opt features

---
 NEWS | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index 26c1805e6d..18b21c64cb 100644
--- a/NEWS
+++ b/NEWS
@@ -46,8 +46,29 @@ New Functionality
   specifying ``-O ZAM`` on the command line.  See
   ``src/script_opt/ZAM/README.md`` for more information.
 
-- The DNS analyzer has initial support for the SVCB and HTTPS types. The new events
-  are ``dns_SVCB`` and ``dns_HTTPS``.
+- Improvements for compiling scripts to C++ (an experimental optimization
+  feature introduced in 4.1).  The generated C++ now compiles much faster than
+  previously, though it can still take quite a while when using C++ optimization
+  on large sets of scripts.  You can incrementally compile additional scripts
+  using ``-O add-C++``.  See ``src/script_opt/CPP/README.md`` for details.
+
+- The new flags --optimize-files=/pat/ and --optimize-funcs=/pat/ apply
+  to both ZAM and compile-to-C++ script optimization.  The first instructs
+  Zeek to optimize any functions/hooks/event handlers residing in files
+  matching the given pattern (unanchored).  The second does the same but
+  based on the function name, and with the pattern anchored (so for example
+  --optimize-funcs=foo will optimize any functions named "foo" but not
+  those named "foobar", or "MYSCOPE::foo").  The flags can be combined
+  and can also be used multiple times to specify a set of patterns.
+  If neither flag is used then optimization is applied to all loaded
+  scripts; if used, then only to those that match.
+
+- The ``-uu`` flag for analyzing potentially unused record fields has been
+  removed because, due to other changes in script optimization, keeping it
+  would now require about 1,800 lines of code not otherwise needed.
+
+- The DNS analyzer has initial support for the SVCB and HTTPS types. The new
+  events are ``dns_SVCB`` and ``dns_HTTPS``.
 
 - The ``find_str`` and ``rfind_str`` bifs now support case-insensitive searches.
 

From ba0a7c0fede8f085af92ad5368adea5d74d3712d Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Tue, 14 Dec 2021 14:01:27 -0700
Subject: [PATCH 170/210] NEWS: Fix some formatting issues

---
 NEWS | 50 ++++++++++++++++++++++++++------------------------
 1 file changed, 26 insertions(+), 24 deletions(-)

diff --git a/NEWS b/NEWS
index 18b21c64cb..06c03755ca 100644
--- a/NEWS
+++ b/NEWS
@@ -9,13 +9,13 @@ Zeek 4.2.0
 Breaking Changes
 ----------------
 
-- The existing ``Tag`` types in C++ (``zeek::Analyzer::Tag``, etc) have been merged
-  into a single type called ``zeek::Tag``. This is a breaking change, and may result
-  in plugins failing to build where they were relying on those types being different
-  for function overloading and such. We attempted to include deprecated versions of
-  the old types, but were unable to do so because of changes to return types from a
-  number of methods. With this change, any uses of the `zeek::*::Tag` types will
-  need to be replaced by `zeek::Tag`.
+- The existing ``Tag`` types in C++ (``zeek::Analyzer::Tag``, etc) have been
+  merged into a single type called ``zeek::Tag``. This is a breaking change, and
+  may result in plugins failing to build where they were relying on those types
+  being different for function overloading and such. We attempted to include
+  deprecated versions of the old types, but were unable to do so because of
+  changes to return types from a number of methods. With this change, any uses
+  of the `zeek::*::Tag` types will need to be replaced by `zeek::Tag`.
 
 New Functionality
 -----------------
@@ -79,7 +79,8 @@ New Functionality
   reports the same packets.
 
 - A new command-line option ``-c`` or ``--capture-unprocessed`` will dump any
-  packets not marked as being processed, similar to the new hook and event above.
+  packets not marked as being processed, similar to the new hook and event
+  above.
 
 - In Zeek plugins, the new cmake function ``zeek_plugin_scripts()`` should be
   used alongside ``zeek_plugin_cc()`` and related functions to establish
@@ -119,26 +120,27 @@ Changed Functionality
   to serialize, meaning that you can now also index with sets, vectors,
   patterns, and even tables.
 
-- The traditional TSV Zeek logs are now valid UTF8 by default. It's possible
-  to revert to the previous behavior by setting ``LogAscii::enable_utf_8`` to
+- The traditional TSV Zeek logs are now valid UTF8 by default. It's possible to
+  revert to the previous behavior by setting ``LogAscii::enable_utf_8`` to
   false.
 
-- The ``SYN_packet`` record now records TCP timestamps (TSval/TSecr)
-  when available.
+- The ``SYN_packet`` record now records TCP timestamps (TSval/TSecr) when
+  available.
 
 - The ``init-plugin`` script now focuses purely on dynamic Zeek plugins. It no
   longer generates Zeek packages. To instantiate new Zeek packages, use the
   ``zkg create`` command instead.
 
-- The ``ignore_checksums`` options and the ``-C`` command-line option now additionally cause
-  Zeek to accept IPv4 packets that provide a length of zero in the total-length IPv4 header
-  field. When the length is set to zero, the capture length of the packet is used instead.
-  This can be used to replay traces, or analyze traffic when TCP sequence offloading is enabled
-  on the local NIC - which typically causes the total-length of affected packets to be set to
-  zero.
+- The ``ignore_checksums`` options and the ``-C`` command-line option now
+  additionally cause Zeek to accept IPv4 packets that provide a length of zero
+  in the total-length IPv4 header field. When the length is set to zero, the
+  capture length of the packet is used instead.  This can be used to replay
+  traces, or analyze traffic when TCP sequence offloading is enabled on the
+  local NIC - which typically causes the total-length of affected packets to be
+  set to zero.
 
-- The existing tunnel analyzers for AYIYA, Geneve, GTPv1, Teredo, and VXLAN
-  are now packet analyzers.
+- The existing tunnel analyzers for AYIYA, Geneve, GTPv1, Teredo, and VXLAN are
+  now packet analyzers.
 
 - C++ unit tests are now compiled in by default and can be disabled by
   configuring the build with --disable-cpp-tests. We removed the former
@@ -151,11 +153,11 @@ Removed Functionality
 Deprecated Functionality
 ------------------------
 
-- The ``protocol_confirmation`` and ``protocol_violation`` events along with
-  the corresponding ``Analyzer::ProtocolConfirmation` and
+- The ``protocol_confirmation`` and ``protocol_violation`` events along with the
+  corresponding ``Analyzer::ProtocolConfirmation` and
   ``Analyzer::ProtocolViolation`` C++ methods are marked as deprecated. They are
-  replaced by ``analyzer_confirmation`` and ``analyzer_violation`` which can also
-  now be implemented in packet analyzers.
+  replaced by ``analyzer_confirmation`` and ``analyzer_violation`` which can
+  also now be implemented in packet analyzers.
 
 Zeek 4.1.0
 ==========

From 77f6a658e6ebb3f7eccf66a820ce83f9d65a2799 Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Tue, 14 Dec 2021 15:35:24 -0800
Subject: [PATCH 171/210] additional test suite updates for "-u" usage issues

---
 .../btest/Baseline.usage/language.uninitialized-local2/err    | 4 ++++
 .../btest/Baseline.usage/language.uninitialized-local2/out    | 3 ---
 testing/btest/language/unused-assignment.zeek                 | 2 +-
 3 files changed, 5 insertions(+), 4 deletions(-)
 create mode 100644 testing/btest/Baseline.usage/language.uninitialized-local2/err

diff --git a/testing/btest/Baseline.usage/language.uninitialized-local2/err b/testing/btest/Baseline.usage/language.uninitialized-local2/err
new file mode 100644
index 0000000000..cb1e83f91c
--- /dev/null
+++ b/testing/btest/Baseline.usage/language.uninitialized-local2/err
@@ -0,0 +1,4 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+warning: var_a assignment unused: var_a = foo; <...>/uninitialized-local2.zeek, line 10
+warning in <...>/uninitialized-local2.zeek, line 23: used without definition (var_b)
+expression error in <...>/uninitialized-local2.zeek, line 23: value used but not set (var_b)
diff --git a/testing/btest/Baseline.usage/language.uninitialized-local2/out b/testing/btest/Baseline.usage/language.uninitialized-local2/out
index 71f45795aa..ba5c5cef5e 100644
--- a/testing/btest/Baseline.usage/language.uninitialized-local2/out
+++ b/testing/btest/Baseline.usage/language.uninitialized-local2/out
@@ -1,5 +1,2 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-warning: var_a assignment unused: var_a = foo; <...>/uninitialized-local2.zeek, line 6
-warning in <...>/uninitialized-local2.zeek, line 19: possibly used without definition (var_b)
-expression error in <...>/uninitialized-local2.zeek, line 19: value used but not set (var_b)
 var_a is, baz
diff --git a/testing/btest/language/unused-assignment.zeek b/testing/btest/language/unused-assignment.zeek
index 543b4ddab9..0958eaa7d5 100644
--- a/testing/btest/language/unused-assignment.zeek
+++ b/testing/btest/language/unused-assignment.zeek
@@ -1,6 +1,6 @@
 # @TEST-EXEC: ZEEK_USAGE_ISSUES=1 zeek -b %INPUT >out 2>&1
 # @TEST-EXEC: TEST_DIFF_CANONIFIER=$SCRIPTS/diff-remove-abspath btest-diff out
-# @TEST-DOC: The "-u" flags should warn about unused assignments and &is_used suppresses it.
+# @TEST-DOC: The "-u" flag should warn about unused assignments and &is_used suppresses it.
 
 event zeek_init()
 	{

From 06ffd97749c9f68e63ac3dc43e019e61cd8f6b4e Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Tue, 14 Dec 2021 15:36:03 -0800
Subject: [PATCH 172/210] fixes for double-delete and reducing '?' operator
 with constant alternatives

---
 src/script_opt/Expr.cc | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/script_opt/Expr.cc b/src/script_opt/Expr.cc
index 75e7fb74e7..b69ee6d30d 100644
--- a/src/script_opt/Expr.cc
+++ b/src/script_opt/Expr.cc
@@ -1407,6 +1407,8 @@ ExprPtr CondExpr::Reduce(Reducer* c, StmtPtr& red_stmt)
 		auto op2_t = op2->IsOne();
 		ASSERT(op2_t != op3->IsOne());
 
+		red_stmt = MergeStmts(op1_red_stmt, red_stmt);
+
 		if ( op2_t )
 			// This is "var ? T : F", which can be replaced by var.
 			return op1;
@@ -1821,7 +1823,7 @@ ExprPtr FieldExpr::Duplicate()
 
 ExprPtr HasFieldExpr::Duplicate()
 	{
-	return SetSucc(new HasFieldExpr(op->Duplicate(), field_name));
+	return SetSucc(new HasFieldExpr(op->Duplicate(), util::copy_string(field_name)));
 	}
 
 ExprPtr RecordConstructorExpr::Duplicate()

From e93fcd3c648ea2cc5ece592c4ec4273f58308f8c Mon Sep 17 00:00:00 2001
From: zeek-bot <info@zeek.org>
Date: Wed, 15 Dec 2021 00:36:00 +0000
Subject: [PATCH 173/210] Update doc submodule [nomail] [skip ci]

---
 doc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc b/doc
index 43ff1249e8..8c19fb230a 160000
--- a/doc
+++ b/doc
@@ -1 +1 @@
-Subproject commit 43ff1249e8f32b4f7031e2480dfd710396817ba8
+Subproject commit 8c19fb230ae9e1e1ddb6b7e6cafcee9e5415c8c7

From 1e60264548fd3bde5222c027de21c482b009ccb1 Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Mon, 20 Dec 2021 19:33:46 -0800
Subject: [PATCH 174/210] Update auxil/broker submodule [nomail] [skip ci]

---
 auxil/broker | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/auxil/broker b/auxil/broker
index 36339ad8c9..07f42c7c77 160000
--- a/auxil/broker
+++ b/auxil/broker
@@ -1 +1 @@
-Subproject commit 36339ad8c9844f1758f8e9d0da4645047f480c34
+Subproject commit 07f42c7c772b1fd79385466584f8322905f981d8

From 0507f6005c705d2cddff591797049a6ef2e7eb8e Mon Sep 17 00:00:00 2001
From: Robin Sommer <robin@corelight.com>
Date: Tue, 21 Dec 2021 17:09:39 +0100
Subject: [PATCH 175/210] Adding test for BitTorrent tracker.

Our test trace is extracted from https://www.cloudshark.org/captures/b9089aac6eee.

There actually seems to be a bug in the existing code: the URI passed to
bt_tracker_request() includes a partial HTTP version. This commits
includes the baseline as the current code produces it, we'll fix that in
a subsequent comment.
---
 .../output                                    |   4 ++
 testing/btest/Traces/bittorrent/tracker.pcap  | Bin 0 -> 1614 bytes
 .../base/protocols/bittorrent/tracker.zeek    |  45 ++++++++++++++++++
 3 files changed, 49 insertions(+)
 create mode 100644 testing/btest/Baseline/scripts.base.protocols.bittorrent.tracker/output
 create mode 100644 testing/btest/Traces/bittorrent/tracker.pcap
 create mode 100644 testing/btest/scripts/base/protocols/bittorrent/tracker.zeek

diff --git a/testing/btest/Baseline/scripts.base.protocols.bittorrent.tracker/output b/testing/btest/Baseline/scripts.base.protocols.bittorrent.tracker/output
new file mode 100644
index 0000000000..b5fa94bb24
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.bittorrent.tracker/output
@@ -0,0 +1,4 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+[orig_h=10.0.0.201, orig_p=49842/tcp, resp_h=91.189.95.21, resp_p=6969/tcp],  /announce?info_hash=%e4%be%9eM%b8v%e3%e3%17%97x%b0%3e%90b%97%be%5c%8d%be&peer_id=-DE13F0-VnpZRF8ZP9iv&port=63448&uploaded=0&downloaded=0&left=1921843200&corrupt=0&key=764CA003&event=started&numwant=200&compact=1&no_peer_id=1&supportcrypto=1&redundant=0 HTTP/1., {
+
+}
diff --git a/testing/btest/Traces/bittorrent/tracker.pcap b/testing/btest/Traces/bittorrent/tracker.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..a0bccfe87f5d6c4cff95d1321bc6ef574efa5aae
GIT binary patch
literal 1614
zcma)+ZA?>F7{^b`dqW9gU<gyLkrqfOw6v7AQkC&CUP@q4z<>*0ZV#oS+*{jQ-V6-G
zK5S!T#wc?-Q5R%pAg@+P*s=)yfLo9cg1QN^kPKgDTyb%b2I$Uhbz<SeZtj!ZbI&=y
z`~1)Izt7CX&}BC81g|fL0{|8p%>SHSHm&yn@1bWVfZs^e<pUt(ozTijUyu%fMD2YD
zw0JMz8~|>W{a7A6J`^s`9BcW4S=_?5+q_N!!1naI&hqf^WwAWj4Dp*ZFQ7p4Ot@Gs
zu9FxWnT&RN=SdhELk*XY4`p;@_aJKf(IC6+LZOSukQy_*fD}QP*pgec+Q*rj-YvIw
zMC;8DwA(C!E``St<vS#o33m$XYqc*!nYV9C3ANiESpj%IU5&-#BuSY`0v^<nl~j2Z
zZmLr9poCWed2*P`tB}?5pqRNuNj!N{J+DH@6Qe0%1sXAn5(%D6gC6(>2#w`BjZ%=7
zE)r)51;wPHv>-!PnlIPY@(q-cR!YSZiHvVH=qX$SHA*30L)DT04fL>*R*K{aBAG;-
zAQbWm%4jqjXtb;vHYk&%lGGHTP|Sz5kffC+8aL8V!zax(bvPQkHq;n!0x|d`RsK2~
z5#MAsFkdH(4F;M*lSZg9lNx4|5X)4n^W#NvA}%MBGSLc*M&CsEICF)Wq|I>zRilu~
zrE)H($OMgo6fK%lU};cq)<R4aCyo;(aycmk0S&Yuog^rYj?^kJZKKY><)l(12?<(9
zkqV5^Qzppea5+rzn>H8UX~|7CijGt|ZIt9@qu$K16B|tNhcCK{e@*HG;@Q9%?q+1~
zjZ9%Exr%KmsQ3Z(0KC#J#L(Gcc{$FEX(Ujff~1zNQea|v(wmp+1_MOr1MBH{gC5tB
zTu#0b*Vf<)jHCnvPE;X%NU{^)eiU3zM4PYkr(`>F1_!clPYWiq1X)uO(cpDeqGTvL
z?)%v2TVLk=lBJ55CJt0!yF$Yb!=;<;iIM@81#nJxg`D9nX~IfFL%YtE26uIb1c!%*
z9<I?GIsT`$sQ6_|OjKX?=>6RN#}X%RUR|`#K4DoFLiQBSPyJK7?l(K{zjQC)!#U%|
zrI`uti?Wr@(R28{rf1fo^F9TBQGJcm%{Oe;*~eZ1pL5?0YCCl!dAN15ugRf$y!M&w
z`I-FzyC23h-dPOm5jhmoJ4-BQ?YH-QFfvAuzxeI^)w7H1Q3?B$Q~sxCQ@wglHIwbK
zj=I0c4^$s)%`5z2@6sprQlp~TA7A2JjL_D_%%FV6a-vEm=6?V7r>74_VwbTy&s%q=
z=z`k5T9YOBq)PASzC8NOUfTSizbQWNh}k5Q{4wsa^0BG7b2N<qDEWzX_S2_D=}~?5
z2+I!B+T_Txb;tt`AFb_~d)Q&So3U!04cNE*>!rYa-{fPK-jWf^H6BrYcYS9`Aqy6q
zobE@xf-&K$!skr~+G;}7G*K^0c-uazD^3&cvfBnPxF~&xHc{MrY_!^s=|Bq~z1@LM
zY-Dt(y7L29SB5+P7lq@b=(eToK$KUx^l#2(tD;n=B9WV-ZluV8eyhI*uK@5bARsfz

literal 0
HcmV?d00001

diff --git a/testing/btest/scripts/base/protocols/bittorrent/tracker.zeek b/testing/btest/scripts/base/protocols/bittorrent/tracker.zeek
new file mode 100644
index 0000000000..d12040a672
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/bittorrent/tracker.zeek
@@ -0,0 +1,45 @@
+# @TEST-DOC: Basic functionality test for Bittorrent Tracker analyzer.
+
+# @TEST-EXEC: zeek -C -b -r $TRACES/bittorrent/tracker.pcap -s bittorrent.sig %INPUT >output
+# @TEST-EXEC: btest-diff output
+
+# Zeek doesn't ship with scripts or DPD sigs for Bittorrent, so we need to provide what
+# we need ourselves.
+
+event bt_tracker_request(c: connection, uri: string, headers: bt_tracker_headers) {
+    print c$id, uri, headers;
+}
+
+@TEST-START-FILE bittorrent.sig
+
+# Reusing the old Bro 1.5 signatures here.
+
+signature dpd_bittorrenttracker_client {
+  ip-proto == tcp
+  payload /^.*\/announce\?.*info_hash/
+  tcp-state originator
+}
+
+signature dpd_bittorrenttracker_server {
+  ip-proto == tcp
+  payload /^HTTP\/[0-9]/
+  tcp-state responder
+  requires-reverse-signature dpd_bittorrenttracker_client
+  enable "bittorrenttracker"
+}
+
+signature dpd_bittorrent_peer1 {
+  ip-proto == tcp
+  payload /^\x13BitTorrent protocol/
+  tcp-state originator
+}
+
+signature dpd_bittorrent_peer2 {
+  ip-proto == tcp
+  payload /^\x13BitTorrent protocol/
+  tcp-state responder
+  requires-reverse-signature dpd_bittorrent_peer1
+  enable "bittorrent"
+}
+
+@TEST-END-FILE

From eafa77b2b6ec298e978dd1e97ff2c86d8b951615 Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Mon, 27 Sep 2021 23:38:47 -0700
Subject: [PATCH 176/210] Add Docker image artifact storage

This enables subsequent jobs/workflows to access the generated image without use
of an image registry.
---
 .github/workflows/docker.yml | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index d84c714ee1..74868ca35c 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -13,8 +13,12 @@ defaults:
   run:
     shell: bash
 
+env:
+  IMAGE_NAME: zeek-image.tar
+  IMAGE_FILE: /tmp/zeek-image.tar
+
 jobs:
-  build:
+  docker-build:
     runs-on: ubuntu-latest
     env:
       TEST_TAG: zeek:latest
@@ -28,7 +32,7 @@ jobs:
       # so we avoid rebuilds of the same image after this step.
       - uses: docker/setup-buildx-action@v1
 
-      - name: Build
+      - name: Build image
         uses: docker/build-push-action@v2
         with:
           context: ./
@@ -41,6 +45,9 @@ jobs:
       - name: Run btests
         run: make -C docker/btest
 
+      - name: Save image tarball
+        run: docker save -o ${{ env.IMAGE_FILE }} ${{ env.TEST_TAG }}
+
       - name: Get version
         id: version
         run: echo "::set-output name=RELEASE_VERSION::$(cat VERSION)"
@@ -74,7 +81,7 @@ jobs:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
 
-      - name: Push
+      - name: Push image
         # Only publish if we did compute a tag.
         if: github.repository == 'zeek/zeek' && github.event_name == 'push' && steps.target.outputs.tag != ''
         uses: docker/build-push-action@v2
@@ -87,7 +94,14 @@ jobs:
           tags: |
             zeekurity/${{ steps.target.outputs.tag }}
 
-      - name: Preserve artifacts
+      - name: Preserve image artifact
+        uses: actions/upload-artifact@v2
+        with:
+          name: ${{ env.IMAGE_NAME }}
+          path: ${{ env.IMAGE_FILE }}
+          retention-days: 1
+
+      - name: Preserve btest artifacts
         uses: actions/upload-artifact@v2
         if: failure()
         with:

From 2a5690fd00c1e2bb65f924234597b324fafc93ee Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Fri, 1 Oct 2021 17:27:01 -0700
Subject: [PATCH 177/210] Tweak Docker image configure invocation to include
 zeek-client

We don't yet install zeek-client by default, but need it in the image for
testing the cluster.
---
 .github/workflows/docker.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 74868ca35c..f9f9795753 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -22,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest
     env:
       TEST_TAG: zeek:latest
-      CONFFLAGS: --generator=Ninja --build-type=Release
+      CONFFLAGS: --generator=Ninja --build-type=Release --enable-zeek-client
     steps:
       - uses: actions/checkout@v2
         with:

From e9bdaebc70e8b6d83cba3cdd3155c1957e63d098 Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Mon, 27 Sep 2021 23:39:05 -0700
Subject: [PATCH 178/210] Add Github action job for cluster tests

This job runs in sequence after the image build one, using its resulting image.
The actual tests live in the external zeek-testing-cluster testsuite, which
the new job clones and runs.

To specify a version of the testsuite to use, testing/external/ has a new
commit-hash.zeek-testing-cluster file that tracks the testsuite's relevant
commit ref
---
 .github/workflows/docker.yml                  | 49 +++++++++++++++++++
 .../external/commit-hash.zeek-testing-cluster |  1 +
 2 files changed, 50 insertions(+)
 create mode 100644 testing/external/commit-hash.zeek-testing-cluster

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index f9f9795753..738cbf727e 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -16,6 +16,7 @@ defaults:
 env:
   IMAGE_NAME: zeek-image.tar
   IMAGE_FILE: /tmp/zeek-image.tar
+  IMAGE_PATH: /tmp
 
 jobs:
   docker-build:
@@ -108,3 +109,51 @@ jobs:
           name: docker-btest
           path: docker/btest/.tmp
           if-no-files-found: ignore
+
+  cluster-testing:
+    # We need the Zeek Docker image build job to complete first, since we need
+    # the resulting image for our docker-compose setup.
+    needs: docker-build
+    runs-on: ubuntu-latest
+    steps:
+      # Grab the sources so we have access to btest. Could also use pip, but it
+      # seems appealing to be using the in-tree version of btest. btest is in a
+      # submodule; we check it out selectively to save time.
+      - uses: actions/checkout@v2
+      - name: Check out btest
+        run: git submodule update --init ./auxil/btest
+
+      - name: Download Docker image artifact
+        uses: actions/download-artifact@v2
+        with:
+          name: ${{ env.IMAGE_NAME }}
+          path: ${{ env.IMAGE_PATH }}
+
+      - name: Load Docker image
+        run: |
+          docker load --input ${{ env.IMAGE_FILE }}
+          docker tag zeek:latest zeektest:latest
+
+      # The testsuite ref to use for this version of Zeek is stored in a file in
+      # the Zeek source tree.
+      - name: Get testsuite version
+        run: |
+          echo "TESTSUITE_COMMIT=$(cat ./testing/external/commit-hash.zeek-testing-cluster)" >> $GITHUB_ENV
+
+      - name: Retrieve cluster testsuite
+        uses: actions/checkout@v2
+        with:
+          repository: zeek/zeek-testing-cluster
+          path: testing/external/zeek-testing-cluster
+          ref: ${{ ENV.TESTSUITE_COMMIT }}
+
+      - name: Run testsuite
+        run: make -C testing/external/zeek-testing-cluster
+
+      - name: Preserve btest artifacts
+        uses: actions/upload-artifact@v2
+        if: failure()
+        with:
+          name: cluster-btest
+          path: testing/external/zeek-testing-cluster/.tmp
+          if-no-files-found: ignore
diff --git a/testing/external/commit-hash.zeek-testing-cluster b/testing/external/commit-hash.zeek-testing-cluster
new file mode 100644
index 0000000000..42d09860d4
--- /dev/null
+++ b/testing/external/commit-hash.zeek-testing-cluster
@@ -0,0 +1 @@
+cc4e2ad8b24015849043b523f0aef00acf41d602

From aceb05099a57b07dd2a4dff4d1ac9acf6513aac4 Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Tue, 14 Dec 2021 18:52:16 -0800
Subject: [PATCH 179/210] Whitespace tweaks in cluster controller and agent
 scripts

---
 scripts/policy/frameworks/cluster/agent/config.zeek  |  8 ++++----
 scripts/policy/frameworks/cluster/agent/main.zeek    |  6 +++---
 .../policy/frameworks/cluster/controller/config.zeek |  2 +-
 .../policy/frameworks/cluster/controller/main.zeek   | 12 ++++++------
 .../frameworks/cluster/controller/request.zeek       |  2 +-
 .../policy/frameworks/cluster/controller/types.zeek  |  2 +-
 6 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/scripts/policy/frameworks/cluster/agent/config.zeek b/scripts/policy/frameworks/cluster/agent/config.zeek
index 2e836d08ab..464f1e485c 100644
--- a/scripts/policy/frameworks/cluster/agent/config.zeek
+++ b/scripts/policy/frameworks/cluster/agent/config.zeek
@@ -4,7 +4,7 @@ module ClusterAgent;
 
 export {
 	# The name this agent uses to represent the cluster instance
-        # it manages. When the environment variable isn't set and there's,
+	# it manages. When the environment variable isn't set and there's,
 	# no redef, this falls back to "agent-<hostname>".
 	const name = getenv("ZEEK_AGENT_NAME") &redef;
 
@@ -33,7 +33,7 @@ export {
 		$address="0.0.0.0", $bound_port=0/unknown] &redef;
 
 	# Agent and controller currently log only, not via the data cluster's
-        # logger. (This might get added later.) For now, this means that
+	# logger. (This might get added later.) For now, this means that
 	# if both write to the same log file, it gets garbled. The following
 	# lets you specify the working directory specifically for the agent.
 	const directory = "" &redef;
@@ -53,8 +53,8 @@ function instance(): ClusterController::Types::Instance
 	{
 	local epi = endpoint_info();
 	return ClusterController::Types::Instance($name=epi$id,
-		$host=to_addr(epi$network$address),
-		$listen_port=epi$network$bound_port);
+	    $host=to_addr(epi$network$address),
+	    $listen_port=epi$network$bound_port);
 	}
 
 function endpoint_info(): Broker::EndpointInfo
diff --git a/scripts/policy/frameworks/cluster/agent/main.zeek b/scripts/policy/frameworks/cluster/agent/main.zeek
index 1956d47d0c..d33decc732 100644
--- a/scripts/policy/frameworks/cluster/agent/main.zeek
+++ b/scripts/policy/frameworks/cluster/agent/main.zeek
@@ -185,7 +185,7 @@ event zeek_init()
 	Broker::peer(supervisor_addr, Broker::default_port, Broker::default_listen_retry);
 
 	# Agents need receive communication targeted at it, and any responses
-        # from the supervisor.
+	# from the supervisor.
 	Broker::subscribe(agent_topic);
 	Broker::subscribe(SupervisorControl::topic_prefix);
 
@@ -210,8 +210,8 @@ event zeek_init()
 		{
 		# We connect to the controller.
 		Broker::peer(ClusterAgent::controller$address,
-			     ClusterAgent::controller$bound_port,
-			     ClusterController::connect_retry);
+		             ClusterAgent::controller$bound_port,
+		             ClusterController::connect_retry);
 		}
 	else
 		{
diff --git a/scripts/policy/frameworks/cluster/controller/config.zeek b/scripts/policy/frameworks/cluster/controller/config.zeek
index 36c4a0b5bd..f889512fec 100644
--- a/scripts/policy/frameworks/cluster/controller/config.zeek
+++ b/scripts/policy/frameworks/cluster/controller/config.zeek
@@ -40,7 +40,7 @@ export {
 	const role = ClusterController::Types::NONE &redef;
 
 	# Agent and controller currently log only, not via the data cluster's
-        # logger. (This might get added later.) For now, this means that
+	# logger. (This might get added later.) For now, this means that
 	# if both write to the same log file, it gets garbled. The following
 	# lets you specify the working directory specifically for the agent.
 	const directory = "" &redef;
diff --git a/scripts/policy/frameworks/cluster/controller/main.zeek b/scripts/policy/frameworks/cluster/controller/main.zeek
index afc439b49d..9dfe3249ad 100644
--- a/scripts/policy/frameworks/cluster/controller/main.zeek
+++ b/scripts/policy/frameworks/cluster/controller/main.zeek
@@ -53,8 +53,8 @@ event ClusterAgent::API::notify_agent_hello(instance: string, host: addr, api_ve
 
 
 event ClusterAgent::API::notify_change(instance: string, n: ClusterController::Types::Node,
-				       old: ClusterController::Types::State,
-				       new: ClusterController::Types::State)
+                                       old: ClusterController::Types::State,
+                                       new: ClusterController::Types::State)
 	{
 	# XXX TODO
 	}
@@ -96,10 +96,10 @@ event ClusterAgent::API::set_configuration_response(reqid: string, result: Clust
 			return;
 
 	# All set_configuration requests to instances are done, so respond
-        # back to client. We need to compose the result, aggregating
-        # the results we got from the requests to the agents. In the
-        # end we have one Result per instance requested in the
-        # original set_configuration_request.
+	# back to client. We need to compose the result, aggregating
+	# the results we got from the requests to the agents. In the
+	# end we have one Result per instance requested in the
+	# original set_configuration_request.
 	#
 	# XXX we can likely generalize result aggregation in the request module.
 	for ( i in req$set_configuration_state$requests )
diff --git a/scripts/policy/frameworks/cluster/controller/request.zeek b/scripts/policy/frameworks/cluster/controller/request.zeek
index 868b84d0f0..c15e2df1db 100644
--- a/scripts/policy/frameworks/cluster/controller/request.zeek
+++ b/scripts/policy/frameworks/cluster/controller/request.zeek
@@ -27,7 +27,7 @@ export {
 	};
 
 	# The redef is a workaround so we can use the Request type
-        # while it is still being defined
+	# while it is still being defined
 	redef record Request += {
 		results: ClusterController::Types::ResultVec &default=vector();
 		finished: bool &default=F;
diff --git a/scripts/policy/frameworks/cluster/controller/types.zeek b/scripts/policy/frameworks/cluster/controller/types.zeek
index e2e0899a88..03785fb262 100644
--- a/scripts/policy/frameworks/cluster/controller/types.zeek
+++ b/scripts/policy/frameworks/cluster/controller/types.zeek
@@ -37,7 +37,7 @@ export {
 		Stopped,  # Explicitly stopped
 		Failed,   # Failed to start; and permanently halted
 		Crashed,  # Crashed, will be restarted,
-	        Unknown,  # State not known currently (e.g., because of lost connectivity)
+		Unknown,  # State not known currently (e.g., because of lost connectivity)
 	};
 
 	## Configuration describing a Cluster Node process.

From 484f79f599768fab9573d870a7084ca867282cc1 Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Tue, 9 Nov 2021 21:53:33 -0800
Subject: [PATCH 180/210] Expand requests support in the controller

Request records for configuration updates now store the full configuration. The
ClusterController::Request module now provies a to_string() function for
rendering requests to a string.
---
 .../cluster/controller/request.zeek           | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/scripts/policy/frameworks/cluster/controller/request.zeek b/scripts/policy/frameworks/cluster/controller/request.zeek
index c15e2df1db..07fcb5a808 100644
--- a/scripts/policy/frameworks/cluster/controller/request.zeek
+++ b/scripts/policy/frameworks/cluster/controller/request.zeek
@@ -13,6 +13,7 @@ export {
 
 	# State specific to the set_configuration request/response events
 	type SetConfigurationState: record {
+		config: ClusterController::Types::Configuration;
 		requests: vector of Request &default=vector();
 	};
 
@@ -44,6 +45,7 @@ export {
 	global finish: function(reqid: string): bool;
 
 	global is_null: function(request: Request): bool;
+	global to_string: function(request: Request): string;
 }
 
 # XXX this needs a mechanism for expiring stale requests
@@ -84,3 +86,28 @@ function is_null(request: Request): bool
 
 	return F;
 	}
+
+function to_string(request: Request): string
+	{
+	local results: string_vec;
+	local res: ClusterController::Types::Result;
+	local parent_id = "";
+
+	if ( request?$parent_id )
+		parent_id = fmt(" (via %s)", request$parent_id);
+
+	for ( idx in request$results )
+		{
+		res = request$results[idx];
+		if ( res$success )
+			results[|results|] = "success";
+		else if ( |res$error| > 0 )
+			results[|results|] = fmt("error (%s)", res$error);
+		else
+			results[|results|] = "error";
+		}
+
+	return fmt("[request %s%s %s, results: %s]", request$id, parent_id,
+	           request$finished ? "finished" : "pending",
+	           join_string_vec(results, ","));
+	}

From 5cb44c2f69141de78423a8bfe4ba5f4d53d07b52 Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Tue, 9 Nov 2021 21:55:30 -0800
Subject: [PATCH 181/210] Support on-demand peering with agents when receiving
 new cluster configuration

Prior to this, static configuration needed to be in place to configure the
controller/agent layout. The configuration update can now include new instances
that the controller will connect to, assuming they're instances with a listening
agent.
---
 .../frameworks/cluster/controller/main.zeek   | 164 ++++++++++++++----
 .../frameworks/cluster/controller/types.zeek  |  15 +-
 2 files changed, 135 insertions(+), 44 deletions(-)

diff --git a/scripts/policy/frameworks/cluster/controller/main.zeek b/scripts/policy/frameworks/cluster/controller/main.zeek
index 9dfe3249ad..3ba14e446a 100644
--- a/scripts/policy/frameworks/cluster/controller/main.zeek
+++ b/scripts/policy/frameworks/cluster/controller/main.zeek
@@ -9,6 +9,30 @@
 
 redef ClusterController::role = ClusterController::Types::CONTROLLER;
 
+global config_current: ClusterController::Types::Configuration;
+global config_reqid_pending: string = "";
+
+function send_config_to_agents(req: ClusterController::Request::Request,
+                               config: ClusterController::Types::Configuration)
+	{
+	for ( name in ClusterController::instances )
+		{
+		local agent_topic = ClusterAgent::topic_prefix + "/" + name;
+		local areq = ClusterController::Request::create();
+		areq$parent_id = req$id;
+
+		# We track the requests sent off to each agent. As the
+		# responses come in, we can check them off as completed,
+		# and once all are, we respond back to the client.
+		req$set_configuration_state$requests += areq;
+
+		# XXX could also broadcast just once on the agent prefix, but
+		# explicit request/response pairs for each agent seems cleaner.
+		ClusterController::Log::info(fmt("tx ClusterAgent::API::set_configuration_request %s to %s", areq$id, name));
+		Broker::publish(agent_topic, ClusterAgent::API::set_configuration_request, areq$id, config);
+		}
+	}
+
 event ClusterAgent::API::notify_agent_hello(instance: string, host: addr, api_version: count)
 	{
 	# See if we already know about this agent; if not, register
@@ -16,13 +40,15 @@ event ClusterAgent::API::notify_agent_hello(instance: string, host: addr, api_ve
 	#
 	# XXX protection against rogue agents?
 
+	local inst: ClusterController::Types::Instance;
+
 	if ( instance in ClusterController::instances )
 		{
 		# Do nothing, unless this known agent checks in with a mismatching
 		# API version, in which case we kick it out.
 		if ( api_version != ClusterController::API::version )
 			{
-			local inst = ClusterController::instances[instance];
+			inst = ClusterController::instances[instance];
 			if ( inst?$listen_port )
 				{
 				# We peered with this instance, unpeer.
@@ -36,19 +62,50 @@ event ClusterAgent::API::notify_agent_hello(instance: string, host: addr, api_ve
 		# was previously named otherwise. Not being too picky here allows
 		# the user some leeway in spelling out the original config.
 		ClusterController::instances[instance]$name = instance;
-
 		return;
 		}
 
 	if ( api_version != ClusterController::API::version )
 		{
 		ClusterController::Log::warning(
-		    fmt("agent %s/%s speaks incompatible agent protocol (%s, need %s), unpeering",
+		    fmt("agent %s/%s speaks incompatible agent protocol (%s, need %s), ignoring",
 		        instance, host, api_version, ClusterController::API::version));
+		return;
 		}
 
 	ClusterController::instances[instance] = ClusterController::Types::Instance($name=instance, $host=host);
 	ClusterController::Log::info(fmt("instance %s/%s has checked in", instance, host));
+
+	# If we have a pending configuration request, check in on it now to see whether
+	# we have all agents required, and finalize the config request.
+	if ( config_reqid_pending == "" )
+		return;
+
+	local req = ClusterController::Request::lookup(config_reqid_pending);
+
+	if ( ClusterController::Request::is_null(req) || ! req?$set_configuration_state )
+		{
+		# Odd, just clear out pending state.
+		config_reqid_pending = "";
+		return;
+		}
+
+	for ( inst in req$set_configuration_state$config$instances )
+		{
+		if ( inst$name !in ClusterController::instances )
+			{
+			# The request still has instances not known to us, try again
+			# later.
+			return;
+			}
+		}
+
+	# All instances requested in the configuration are now known to us.
+	# Send them the config. As they send their response events we
+	# update the request state and eventually send the response event
+	# to the client.
+	send_config_to_agents(req, req$set_configuration_state$config);
+	config_reqid_pending = "";
 	}
 
 
@@ -132,7 +189,8 @@ event ClusterAgent::API::set_configuration_response(reqid: string, result: Clust
 		ClusterController::Request::finish(r$id);
 		}
 
-	ClusterController::Log::info(fmt("tx ClusterController::API::set_configuration_response %s", req$id));
+	ClusterController::Log::info(fmt("tx ClusterController::API::set_configuration_response %s",
+	                                 ClusterController::Request::to_string(req)));
 	event ClusterController::API::set_configuration_response(req$id, req$results);
 	ClusterController::Request::finish(req$id);
 	}
@@ -141,27 +199,80 @@ event ClusterController::API::set_configuration_request(reqid: string, config: C
 	{
 	ClusterController::Log::info(fmt("rx ClusterController::API::set_configuration_request %s", reqid));
 
+	local res: ClusterController::Types::Result;
 	local req = ClusterController::Request::create(reqid);
-	req$set_configuration_state = ClusterController::Request::SetConfigurationState();
+	req$set_configuration_state = ClusterController::Request::SetConfigurationState($config = config);
 
-	# Compare new configuration to the current one and send updates
-	# to the instances as needed.
-	if ( config?$instances )
+	# At the moment there can only be one pending request.
+	if ( config_reqid_pending != "" )
 		{
-		# XXX properly handle instance update: connect to new instances provided
-		# when they are listening, accept connections from new instances that are
-		# not
-		for ( inst in config$instances )
+		res = ClusterController::Types::Result($reqid=reqid);
+		res$success = F;
+		res$error = fmt("request %s still pending", config_reqid_pending);
+		req$results += res;
+
+		ClusterController::Log::info(fmt("tx ClusterController::API::set_configuration_response %s",
+		                                 ClusterController::Request::to_string(req)));
+		event ClusterController::API::set_configuration_response(req$id, req$results);
+		ClusterController::Request::finish(req$id);
+		return;
+		}
+
+	# Compare the instance configuration to our current one. For instances
+	# that are supposed to be checking in with us but have not, record
+	# errors. We will fail the request in those cases. For instances we
+	# don't know and are supposed to connect to, do so next.
+	local inst: ClusterController::Types::Instance;
+	local insts_todo: ClusterController::Types::InstanceVec;
+
+	for ( inst in config$instances )
+		{
+		if ( inst$name !in ClusterController::instances )
 			{
-			if ( inst$name !in ClusterController::instances )
+			if ( ! inst?$listen_port )
 				{
-				local res = ClusterController::Types::Result($reqid=reqid, $instance=inst$name);
-				res$error = fmt("instance %s is unknown, skipping", inst$name);
+				# If a requested instance doesn't have a listen port and isn't known
+				# to us, we have no way to establish connectivity. We reject the
+				# request.
+				res = ClusterController::Types::Result($reqid=reqid, $instance=inst$name);
+				res$success = F;
+				res$error = fmt("instance %s is unknown", inst$name);
 				req$results += res;
 				}
+			else
+				{
+				# We'll need to connect to this instance.
+				insts_todo[|insts_todo|] = inst;
+				}
 			}
 		}
 
+	# An error at this point means that we're rejecting this request.
+	if ( |req$results| > 0 )
+		{
+		ClusterController::Log::info(fmt("tx ClusterController::API::set_configuration_response %s",
+		                                 ClusterController::Request::to_string(req)));
+		event ClusterController::API::set_configuration_response(req$id, req$results);
+		ClusterController::Request::finish(req$id);
+		return;
+		}
+
+	# We have instances to connect to, so initiate peering and
+	# stop for now. Processing will continue as the agents check
+	# in.
+	if ( |insts_todo| > 0 )
+		{
+		for ( idx in insts_todo )
+			{
+			inst = insts_todo[idx];
+			Broker::peer(cat(inst$host), inst$listen_port,
+			             ClusterController::connect_retry);
+			}
+
+		config_reqid_pending = req$id;
+		return;
+		}
+
 	# XXX validate the configuration:
 	# - Are node instances among defined instances?
 	# - Are all names unique?
@@ -169,29 +280,8 @@ event ClusterController::API::set_configuration_request(reqid: string, config: C
 	# - Do node types with optional fields have required values?
 	# ...
 
-	# Transmit the configuration on to the agents. They need to be aware of
-	# each other's location and nodes, so the data cluster nodes can connect
-	# (for example, so a worker on instance 1 can connect to a logger on
-	# instance 2).
-	for ( name in ClusterController::instances )
-		{
-		local agent_topic = ClusterAgent::topic_prefix + "/" + name;
-		local areq = ClusterController::Request::create();
-		areq$parent_id = reqid;
-
-		# We track the requests sent off to each agent. As the
-		# responses come in, we can check them off as completed,
-		# and once all are, we respond back to the client.
-		req$set_configuration_state$requests += areq;
-
-		# XXX could also broadcast just once on the agent prefix, but
-		# explicit request/response pairs for each agent seems cleaner.
-		ClusterController::Log::info(fmt("tx ClusterAgent::API::set_configuration_request %s to %s",
-		                                 areq$id, name));
-		Broker::publish(agent_topic, ClusterAgent::API::set_configuration_request, areq$id, config);
-		}
-
 	# Response event gets sent via the agents' reponse event.
+	send_config_to_agents(req, config);
 	}
 
 event ClusterController::API::get_instances_request(reqid: string)
diff --git a/scripts/policy/frameworks/cluster/controller/types.zeek b/scripts/policy/frameworks/cluster/controller/types.zeek
index 03785fb262..597de78d84 100644
--- a/scripts/policy/frameworks/cluster/controller/types.zeek
+++ b/scripts/policy/frameworks/cluster/controller/types.zeek
@@ -30,6 +30,8 @@ export {
 		listen_port: port &optional;
 	};
 
+	type InstanceVec: vector of Instance;
+
 	## State that a Cluster Node can be in. State changes trigger an
 	## API notification (see notify_change()).
 	type State: enum {
@@ -59,7 +61,6 @@ export {
 		id: string &default=unique_id(""); # Unique identifier for a particular configuration
 
 		## The instances in the cluster.
-		## XXX we may be able to make this optional
 		instances: set[Instance];
 
 		## The set of nodes in the cluster, as distributed over the instances.
@@ -68,12 +69,12 @@ export {
 
 	# Return value for request-response API event pairs
 	type Result: record {
-		reqid: string;              # Request ID of operation this result refers to
-		instance: string;           # Name of associated instance (for context)
-		success: bool &default=T;   # True if successful
-		data: any &optional;        # Addl data returned for successful operation
-		error: string &default="";  # Descriptive error on failure
-		node: string &optional;     # Name of associated node (for context)
+		reqid: string;                # Request ID of operation this result refers to
+		instance: string &default=""; # Name of associated instance (for context)
+		success: bool &default=T;     # True if successful
+		data: any &optional;          # Addl data returned for successful operation
+		error: string &default="";    # Descriptive error on failure
+		node: string &optional;       # Name of associated node (for context)
 	};
 
 	type ResultVec: vector of Result;

From 239530116854e81b0a15229b97cc7746780720ad Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Tue, 9 Nov 2021 22:00:23 -0800
Subject: [PATCH 182/210] Bump zeek-client

---
 auxil/zeek-client | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/auxil/zeek-client b/auxil/zeek-client
index afe253c775..57a970f139 160000
--- a/auxil/zeek-client
+++ b/auxil/zeek-client
@@ -1 +1 @@
-Subproject commit afe253c77591e87b2a6cf6d5682cd02caa78e9d2
+Subproject commit 57a970f139b3febf7fafc707655946e13d526d2b

From 8eee5bb3d2e0230d6951362117c8639fccf52838 Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Tue, 9 Nov 2021 23:54:24 -0800
Subject: [PATCH 183/210] Additional infrastructure for printing types

Also added convenience for instantiating (dummy) configuration records.
---
 .../cluster/controller/request.zeek           |  7 +---
 .../frameworks/cluster/controller/types.zeek  | 32 +++++++++++++++++--
 2 files changed, 31 insertions(+), 8 deletions(-)

diff --git a/scripts/policy/frameworks/cluster/controller/request.zeek b/scripts/policy/frameworks/cluster/controller/request.zeek
index 07fcb5a808..fbd4a0ff6d 100644
--- a/scripts/policy/frameworks/cluster/controller/request.zeek
+++ b/scripts/policy/frameworks/cluster/controller/request.zeek
@@ -99,12 +99,7 @@ function to_string(request: Request): string
 	for ( idx in request$results )
 		{
 		res = request$results[idx];
-		if ( res$success )
-			results[|results|] = "success";
-		else if ( |res$error| > 0 )
-			results[|results|] = fmt("error (%s)", res$error);
-		else
-			results[|results|] = "error";
+		results[|results|] = ClusterController::Types::result_to_string(res);
 		}
 
 	return fmt("[request %s%s %s, results: %s]", request$id, parent_id,
diff --git a/scripts/policy/frameworks/cluster/controller/types.zeek b/scripts/policy/frameworks/cluster/controller/types.zeek
index 597de78d84..a54f6069ed 100644
--- a/scripts/policy/frameworks/cluster/controller/types.zeek
+++ b/scripts/policy/frameworks/cluster/controller/types.zeek
@@ -61,10 +61,10 @@ export {
 		id: string &default=unique_id(""); # Unique identifier for a particular configuration
 
 		## The instances in the cluster.
-		instances: set[Instance];
+		instances: set[Instance] &default=set();
 
 		## The set of nodes in the cluster, as distributed over the instances.
-		nodes: set[Node];
+		nodes: set[Node] &default=set();
 	};
 
 	# Return value for request-response API event pairs
@@ -78,4 +78,32 @@ export {
 	};
 
 	type ResultVec: vector of Result;
+
+	global result_to_string: function(res: Result): string;
 }
+
+function result_to_string(res: Result): string
+	{
+	local result = "";
+
+	if ( res$success )
+		result = "success";
+	else if ( res$error != "" )
+		result = fmt("error (%s)", res$error);
+	else
+		result = "error";
+
+	local details: string_vec;
+
+	if ( res$reqid != "" )
+		details[|details|] = fmt("reqid %s", res$reqid);
+	if ( res$instance != "" )
+		details[|details|] = fmt("instance %s", res$instance);
+	if ( res?$node && res$node != "" )
+		details[|details|] = fmt("node %s", res$node);
+
+	if ( |details| > 0 )
+		result = fmt("%s (%s)", result, join_string_vec(details, ", "));
+
+	return result;
+	}

From ddbd83fee4d728c673fc0f62b8489c07af8776cf Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Tue, 9 Nov 2021 23:55:10 -0800
Subject: [PATCH 184/210] Support for dropping instances no longer needed after
 config updates

This sends such expired instances empty configurations that will cause them to
shut down their remaining data cluster nodes.
---
 .../policy/frameworks/cluster/agent/main.zeek | 14 ++--
 .../frameworks/cluster/controller/main.zeek   | 79 ++++++++++++++-----
 2 files changed, 70 insertions(+), 23 deletions(-)

diff --git a/scripts/policy/frameworks/cluster/agent/main.zeek b/scripts/policy/frameworks/cluster/agent/main.zeek
index d33decc732..7669942585 100644
--- a/scripts/policy/frameworks/cluster/agent/main.zeek
+++ b/scripts/policy/frameworks/cluster/agent/main.zeek
@@ -149,12 +149,16 @@ event ClusterAgent::API::set_configuration_request(reqid: string, config: Cluste
 	# events asynchonously. The only indication of error will be
 	# notification events to the controller.
 
-	local res = ClusterController::Types::Result(
-	    $reqid = reqid,
-	    $instance = ClusterAgent::name);
+	if ( reqid != "" )
+		{
+		local res = ClusterController::Types::Result(
+		    $reqid = reqid,
+		    $instance = ClusterAgent::name);
 
-	ClusterController::Log::info(fmt("tx ClusterAgent::API::set_configuration_response %s", reqid));
-	event ClusterAgent::API::set_configuration_response(reqid, res);
+		ClusterController::Log::info(fmt("tx ClusterAgent::API::set_configuration_response %s",
+		                                 ClusterController::Types::result_to_string(res)));
+		event ClusterAgent::API::set_configuration_response(reqid, res);
+		}
 	}
 
 event Broker::peer_added(peer: Broker::EndpointInfo, msg: string)
diff --git a/scripts/policy/frameworks/cluster/controller/main.zeek b/scripts/policy/frameworks/cluster/controller/main.zeek
index 3ba14e446a..11e88fe3fd 100644
--- a/scripts/policy/frameworks/cluster/controller/main.zeek
+++ b/scripts/policy/frameworks/cluster/controller/main.zeek
@@ -33,6 +33,27 @@ function send_config_to_agents(req: ClusterController::Request::Request,
 		}
 	}
 
+function drop_instance(inst: ClusterController::Types::Instance)
+	{
+	if ( inst$name in ClusterController::instances )
+		{
+		# Send this agent a config that will terminate any data cluster
+		# nodes it might have. This is "fire and forget" -- there will
+		# not be a response.
+		Broker::publish(ClusterAgent::topic_prefix + "/" + inst$name,
+		                ClusterAgent::API::set_configuration_request,
+		                "", ClusterController::Types::Configuration());
+
+		delete ClusterController::instances[inst$name];
+		}
+
+	# If the instance has a port, we peered with it, so now unpeer.
+	if ( inst?$listen_port )
+		Broker::unpeer(cat(inst$host), inst$listen_port );
+
+	ClusterController::Log::info(fmt("dropped instance %s", inst$name));
+	}
+
 event ClusterAgent::API::notify_agent_hello(instance: string, host: addr, api_version: count)
 	{
 	# See if we already know about this agent; if not, register
@@ -47,16 +68,7 @@ event ClusterAgent::API::notify_agent_hello(instance: string, host: addr, api_ve
 		# Do nothing, unless this known agent checks in with a mismatching
 		# API version, in which case we kick it out.
 		if ( api_version != ClusterController::API::version )
-			{
-			inst = ClusterController::instances[instance];
-			if ( inst?$listen_port )
-				{
-				# We peered with this instance, unpeer.
-				Broker::unpeer(cat(inst$host), inst$listen_port );
-				# XXX what to do if they connected to us?
-				}
-			delete ClusterController::instances[instance];
-			}
+			drop_instance(ClusterController::instances[instance]);
 
 		# Update the instance name in the pointed-to record, in case it
 		# was previously named otherwise. Not being too picky here allows
@@ -222,13 +234,41 @@ event ClusterController::API::set_configuration_request(reqid: string, config: C
 	# that are supposed to be checking in with us but have not, record
 	# errors. We will fail the request in those cases. For instances we
 	# don't know and are supposed to connect to, do so next.
+	local inst_name: string;
 	local inst: ClusterController::Types::Instance;
-	local insts_todo: ClusterController::Types::InstanceVec;
+	local insts_to_add: ClusterController::Types::InstanceVec;
+
+	# A set of instances not contained in the config, that therefore needs
+	# to be dropped.
+	local insts_to_drop: set[string] = {};
+
+	for ( inst_name in ClusterController::instances )
+		add insts_to_drop[inst_name];
 
 	for ( inst in config$instances )
 		{
+		if ( inst$name in ClusterController::instances )
+			{
+			# Verify that it's actually the same endpoint. If not, kick out
+			# the old one. XXX 0.0.0.0 is a workaround until we've resolved
+			# how agents that peer with us obtain their identity.
+			if ( ( inst$host != 0.0.0.0 && inst$host != ClusterController::instances[inst$name]$host ) ||
+			     inst?$listen_port != ClusterController::instances[inst$name]?$listen_port ||
+			     ( inst?$listen_port && ClusterController::instances[inst$name]?$listen_port &&
+			       inst$listen_port != ClusterController::instances[inst$name]$listen_port ) )
+				{
+				drop_instance(ClusterController::instances[inst$name]);
+				}
+			else
+				{
+				# We know this instance, don't drop it below.
+				delete insts_to_drop[inst$name];
+				}
+			}
+
 		if ( inst$name !in ClusterController::instances )
 			{
+			# It's an instance we don't currently know about.
 			if ( ! inst?$listen_port )
 				{
 				# If a requested instance doesn't have a listen port and isn't known
@@ -242,7 +282,7 @@ event ClusterController::API::set_configuration_request(reqid: string, config: C
 			else
 				{
 				# We'll need to connect to this instance.
-				insts_todo[|insts_todo|] = inst;
+				insts_to_add[|insts_to_add|] = inst;
 				}
 			}
 		}
@@ -257,14 +297,17 @@ event ClusterController::API::set_configuration_request(reqid: string, config: C
 		return;
 		}
 
-	# We have instances to connect to, so initiate peering and
-	# stop for now. Processing will continue as the agents check
-	# in.
-	if ( |insts_todo| > 0 )
+	for ( inst_name in insts_to_drop )
+		drop_instance(ClusterController::instances[inst_name]);
+
+	# We have instances to connect to, so initiate peering and stop for now.
+	# Processing will continue as the agents check in. That's also when they
+	# get added to ClusterController::instances.
+	if ( |insts_to_add| > 0 )
 		{
-		for ( idx in insts_todo )
+		for ( idx in insts_to_add )
 			{
-			inst = insts_todo[idx];
+			inst = insts_to_add[idx];
 			Broker::peer(cat(inst$host), inst$listen_port,
 			             ClusterController::connect_retry);
 			}

From 6fcd99b4a0c9d6a94c5b3f39b43561a25af22e7c Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Mon, 22 Nov 2021 16:20:17 -0800
Subject: [PATCH 185/210] Bump zeek-client

---
 auxil/zeek-client | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/auxil/zeek-client b/auxil/zeek-client
index 57a970f139..a6bfea8aee 160000
--- a/auxil/zeek-client
+++ b/auxil/zeek-client
@@ -1 +1 @@
-Subproject commit 57a970f139b3febf7fafc707655946e13d526d2b
+Subproject commit a6bfea8aee544f612e4ee7237f567d2fbbdfff3f

From a56ee6b9a615c466eee3c8a6d16245813662488f Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Mon, 29 Nov 2021 11:37:00 -0800
Subject: [PATCH 186/210] Add separate utility module for controller and agent

We can figure out later whether & where to re-settle helper functions that end
up in there.
---
 .../frameworks/cluster/controller/util.zeek     | 17 +++++++++++++++++
 scripts/test-all-policy.zeek                    |  1 +
 .../Baseline/coverage.bare-mode-errors/errors   |  4 ++--
 3 files changed, 20 insertions(+), 2 deletions(-)
 create mode 100644 scripts/policy/frameworks/cluster/controller/util.zeek

diff --git a/scripts/policy/frameworks/cluster/controller/util.zeek b/scripts/policy/frameworks/cluster/controller/util.zeek
new file mode 100644
index 0000000000..cfc87d6b63
--- /dev/null
+++ b/scripts/policy/frameworks/cluster/controller/util.zeek
@@ -0,0 +1,17 @@
+module ClusterController::Util;
+
+export {
+	global set_to_vector: function(ss: set[string]): vector of string;
+}
+
+function set_to_vector(ss: set[string]): vector of string
+	{
+	local res: vector of string;
+
+	for ( s in ss )
+		res[|res|] = s;
+
+	sort(res, strcmp);
+
+	return res;
+	}
diff --git a/scripts/test-all-policy.zeek b/scripts/test-all-policy.zeek
index ea36a239ef..bdc052d301 100644
--- a/scripts/test-all-policy.zeek
+++ b/scripts/test-all-policy.zeek
@@ -24,6 +24,7 @@
 # @load frameworks/cluster/controller/main.zeek
 @load frameworks/cluster/controller/request.zeek
 @load frameworks/cluster/controller/types.zeek
+@load frameworks/cluster/controller/util.zeek
 @load frameworks/dpd/detect-protocols.zeek
 @load frameworks/dpd/packet-segment-logging.zeek
 @load frameworks/intel/do_notice.zeek
diff --git a/testing/btest/Baseline/coverage.bare-mode-errors/errors b/testing/btest/Baseline/coverage.bare-mode-errors/errors
index ed8c1aa4a4..31f9346536 100644
--- a/testing/btest/Baseline/coverage.bare-mode-errors/errors
+++ b/testing/btest/Baseline/coverage.bare-mode-errors/errors
@@ -2,8 +2,8 @@
 ### NOTE: This file has been sorted with diff-sort.
 warning in <...>/extract-certs-pem.zeek, line 1: deprecated script loaded from <...>/__load__.zeek:12 "Remove in v5.1. Use log-certs-base64.zeek instead."
 warning in <...>/extract-certs-pem.zeek, line 1: deprecated script loaded from command line arguments "Remove in v5.1. Use log-certs-base64.zeek instead."
-warning in <...>/log-ocsp.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:58 ("Remove in v5.1. OCSP logging is now enabled by default")
-warning in <...>/log-ocsp.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:58 ("Remove in v5.1. OCSP logging is now enabled by default")
+warning in <...>/log-ocsp.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:59 ("Remove in v5.1. OCSP logging is now enabled by default")
+warning in <...>/log-ocsp.zeek, line 1: deprecated script loaded from <...>/test-all-policy.zeek:59 ("Remove in v5.1. OCSP logging is now enabled by default")
 warning in <...>/log-ocsp.zeek, line 1: deprecated script loaded from command line arguments ("Remove in v5.1. OCSP logging is now enabled by default")
 warning in <...>/notary.zeek, line 1: deprecated script loaded from <...>/__load__.zeek:4 ("Remove in v5.1. Please switch to other more modern approaches like SCT validation (validate-sct.zeek).")
 warning in <...>/notary.zeek, line 1: deprecated script loaded from command line arguments ("Remove in v5.1. Please switch to other more modern approaches like SCT validation (validate-sct.zeek).")

From 14a8c979c12d4fa90ee5652f21e1f56ea7829b14 Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Mon, 29 Nov 2021 11:38:22 -0800
Subject: [PATCH 187/210] Add missing debug() log function to log module's API

---
 scripts/policy/frameworks/cluster/controller/log.zeek | 1 +
 1 file changed, 1 insertion(+)

diff --git a/scripts/policy/frameworks/cluster/controller/log.zeek b/scripts/policy/frameworks/cluster/controller/log.zeek
index 49aeb9b282..a0970728e8 100644
--- a/scripts/policy/frameworks/cluster/controller/log.zeek
+++ b/scripts/policy/frameworks/cluster/controller/log.zeek
@@ -32,6 +32,7 @@ export {
 
 	global log_level = DEBUG &redef;
 
+	global debug: function(message: string);
 	global info: function(message: string);
 	global warning: function(message: string);
 	global error: function(message: string);

From b57be021b79ec6786ce5d67336fe0af433a2074e Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Mon, 29 Nov 2021 11:56:03 -0800
Subject: [PATCH 188/210] Make all globals start with a "g_" prefix

This makes it easier to spot them in code, and is shorter than using explicit
namespacing.
---
 .../policy/frameworks/cluster/agent/main.zeek | 32 +++++++++----------
 .../frameworks/cluster/controller/main.zeek   | 18 +++++------
 .../cluster/controller/request.zeek           | 14 ++++----
 3 files changed, 32 insertions(+), 32 deletions(-)

diff --git a/scripts/policy/frameworks/cluster/agent/main.zeek b/scripts/policy/frameworks/cluster/agent/main.zeek
index 7669942585..b139d6677a 100644
--- a/scripts/policy/frameworks/cluster/agent/main.zeek
+++ b/scripts/policy/frameworks/cluster/agent/main.zeek
@@ -9,18 +9,18 @@
 redef ClusterController::role = ClusterController::Types::AGENT;
 
 # The global configuration as passed to us by the controller
-global global_config: ClusterController::Types::Configuration;
+global g_config: ClusterController::Types::Configuration;
 
 # A map to make other instance info accessible
-global instances: table[string] of ClusterController::Types::Instance;
+global g_instances: table[string] of ClusterController::Types::Instance;
 
 # A map for the nodes we run on this instance, via this agent.
-global nodes: table[string] of ClusterController::Types::Node;
+global g_nodes: table[string] of ClusterController::Types::Node;
 
 # The node map employed by the supervisor to describe the cluster
 # topology to newly forked nodes. We refresh it when we receive
 # new configurations.
-global data_cluster: table[string] of Supervisor::ClusterEndpoint;
+global g_data_cluster: table[string] of Supervisor::ClusterEndpoint;
 
 event SupervisorControl::create_response(reqid: string, result: string)
 	{
@@ -86,43 +86,43 @@ event ClusterAgent::API::set_configuration_request(reqid: string, config: Cluste
 	# Adopt the global configuration provided.
 	# XXX this can later handle validation and persistence
 	# XXX should do this transactionally, only set when all else worked
-	global_config = config;
+	g_config = config;
 
 	# Refresh the instances table:
-	instances = table();
+	g_instances = table();
 	for ( inst in config$instances )
-		instances[inst$name] = inst;
+		g_instances[inst$name] = inst;
 
 	# Terminate existing nodes
-	for ( nodename in nodes )
+	for ( nodename in g_nodes )
 		supervisor_destroy(nodename);
 
-	nodes = table();
+	g_nodes = table();
 
 	# Refresh the data cluster and nodes tables
 
-	data_cluster = table();
+	g_data_cluster = table();
 	for ( node in config$nodes )
 		{
 		if ( node$instance == ClusterAgent::name )
-			nodes[node$name] = node;
+			g_nodes[node$name] = node;
 
 		local cep = Supervisor::ClusterEndpoint(
 		    $role = node$role,
-		    $host = instances[node$instance]$host,
+		    $host = g_instances[node$instance]$host,
 		    $p = node$p);
 
 		if ( node?$interface )
 			cep$interface = node$interface;
 
-		data_cluster[node$name] = cep;
+		g_data_cluster[node$name] = cep;
 		}
 
 	# Apply the new configuration via the supervisor
 
-	for ( nodename in nodes )
+	for ( nodename in g_nodes )
 		{
-		node = nodes[nodename];
+		node = g_nodes[nodename];
 		nc = Supervisor::NodeConfig($name=nodename);
 
 		if ( ClusterAgent::cluster_directory != "" )
@@ -140,7 +140,7 @@ event ClusterAgent::API::set_configuration_request(reqid: string, config: Cluste
 		# XXX could use options to enable per-node overrides for
 		# directory, stdout, stderr, others?
 
-		nc$cluster = data_cluster;
+		nc$cluster = g_data_cluster;
 		supervisor_create(nc);
 		}
 
diff --git a/scripts/policy/frameworks/cluster/controller/main.zeek b/scripts/policy/frameworks/cluster/controller/main.zeek
index 11e88fe3fd..5c8c57a057 100644
--- a/scripts/policy/frameworks/cluster/controller/main.zeek
+++ b/scripts/policy/frameworks/cluster/controller/main.zeek
@@ -9,8 +9,8 @@
 
 redef ClusterController::role = ClusterController::Types::CONTROLLER;
 
-global config_current: ClusterController::Types::Configuration;
-global config_reqid_pending: string = "";
+global g_config_current: ClusterController::Types::Configuration;
+global g_config_reqid_pending: string = "";
 
 function send_config_to_agents(req: ClusterController::Request::Request,
                                config: ClusterController::Types::Configuration)
@@ -90,15 +90,15 @@ event ClusterAgent::API::notify_agent_hello(instance: string, host: addr, api_ve
 
 	# If we have a pending configuration request, check in on it now to see whether
 	# we have all agents required, and finalize the config request.
-	if ( config_reqid_pending == "" )
+	if ( g_config_reqid_pending == "" )
 		return;
 
-	local req = ClusterController::Request::lookup(config_reqid_pending);
+	local req = ClusterController::Request::lookup(g_config_reqid_pending);
 
 	if ( ClusterController::Request::is_null(req) || ! req?$set_configuration_state )
 		{
 		# Odd, just clear out pending state.
-		config_reqid_pending = "";
+		g_config_reqid_pending = "";
 		return;
 		}
 
@@ -117,7 +117,7 @@ event ClusterAgent::API::notify_agent_hello(instance: string, host: addr, api_ve
 	# update the request state and eventually send the response event
 	# to the client.
 	send_config_to_agents(req, req$set_configuration_state$config);
-	config_reqid_pending = "";
+	g_config_reqid_pending = "";
 	}
 
 
@@ -216,11 +216,11 @@ event ClusterController::API::set_configuration_request(reqid: string, config: C
 	req$set_configuration_state = ClusterController::Request::SetConfigurationState($config = config);
 
 	# At the moment there can only be one pending request.
-	if ( config_reqid_pending != "" )
+	if ( g_config_reqid_pending != "" )
 		{
 		res = ClusterController::Types::Result($reqid=reqid);
 		res$success = F;
-		res$error = fmt("request %s still pending", config_reqid_pending);
+		res$error = fmt("request %s still pending", g_config_reqid_pending);
 		req$results += res;
 
 		ClusterController::Log::info(fmt("tx ClusterController::API::set_configuration_response %s",
@@ -312,7 +312,7 @@ event ClusterController::API::set_configuration_request(reqid: string, config: C
 			             ClusterController::connect_retry);
 			}
 
-		config_reqid_pending = req$id;
+		g_config_reqid_pending = req$id;
 		return;
 		}
 
diff --git a/scripts/policy/frameworks/cluster/controller/request.zeek b/scripts/policy/frameworks/cluster/controller/request.zeek
index fbd4a0ff6d..21fcad1117 100644
--- a/scripts/policy/frameworks/cluster/controller/request.zeek
+++ b/scripts/policy/frameworks/cluster/controller/request.zeek
@@ -49,30 +49,30 @@ export {
 }
 
 # XXX this needs a mechanism for expiring stale requests
-global requests: table[string] of Request;
+global g_requests: table[string] of Request;
 
 function create(reqid: string): Request
 	{
 	local ret = Request($id=reqid);
-	requests[reqid] = ret;
+	g_requests[reqid] = ret;
 	return ret;
 	}
 
 function lookup(reqid: string): Request
 	{
-	if ( reqid in requests )
-		return requests[reqid];
+	if ( reqid in g_requests )
+		return g_requests[reqid];
 
 	return null_req;
 	}
 
 function finish(reqid: string): bool
 	{
-	if ( reqid !in requests )
+	if ( reqid !in g_requests )
 		return F;
 
-	local req = requests[reqid];
-	delete requests[reqid];
+	local req = g_requests[reqid];
+	delete g_requests[reqid];
 
 	req$finished = T;
 

From 09d9be3433911ce7df7c60584d0023c8dcacb1f1 Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Mon, 29 Nov 2021 11:41:49 -0800
Subject: [PATCH 189/210] Add ClusterController::API::notify_agents_ready event

This changes the basic agent-management model to one in which the configurations
received from the client define not just the data cluster, but also set the set
of acceptable instances. Unless connectivity already exists, the controller will
establish peerings with new agents that listen, or wait for ones that connect to
the controller to check in.

Once all required agents are available, the controller triggers the new
notify_agents_ready event, an agent/controller-level "cluster-is-ready"
event. The controller also uses this event to submit a pending config update to
the now-ready instances.
---
 .../policy/frameworks/cluster/agent/api.zeek  |   7 +
 .../policy/frameworks/cluster/agent/main.zeek |  22 +-
 .../frameworks/cluster/controller/api.zeek    |   4 +
 .../frameworks/cluster/controller/config.zeek |   7 -
 .../frameworks/cluster/controller/main.zeek   | 352 ++++++++++--------
 5 files changed, 221 insertions(+), 171 deletions(-)

diff --git a/scripts/policy/frameworks/cluster/agent/api.zeek b/scripts/policy/frameworks/cluster/agent/api.zeek
index a5334fbbef..6263bf9d9d 100644
--- a/scripts/policy/frameworks/cluster/agent/api.zeek
+++ b/scripts/policy/frameworks/cluster/agent/api.zeek
@@ -30,4 +30,11 @@ export {
 
 	# Report informational message.
 	global notify_log: event(instance: string, msg: string, node: string &default="");
+
+	# Notification events, controller -> agent
+
+	# Confirmation from controller in response to notify_agent_hello
+	# that the agent is welcome.
+	global notify_controller_hello: event(controller: string, host: addr);
+
 }
diff --git a/scripts/policy/frameworks/cluster/agent/main.zeek b/scripts/policy/frameworks/cluster/agent/main.zeek
index b139d6677a..a70c7c6269 100644
--- a/scripts/policy/frameworks/cluster/agent/main.zeek
+++ b/scripts/policy/frameworks/cluster/agent/main.zeek
@@ -22,6 +22,12 @@ global g_nodes: table[string] of ClusterController::Types::Node;
 # new configurations.
 global g_data_cluster: table[string] of Supervisor::ClusterEndpoint;
 
+# Whether we currenty keep notifying the controller that we're here.
+# We stop once the controller responds back, and resume when we've
+# lost the peering.
+global g_notify_controller: bool = T;
+
+
 event SupervisorControl::create_response(reqid: string, result: string)
 	{
 	local req = ClusterController::Request::lookup(reqid);
@@ -161,14 +167,28 @@ event ClusterAgent::API::set_configuration_request(reqid: string, config: Cluste
 		}
 	}
 
+event ClusterAgent::API::notify_controller_hello(controller: string, host: addr)
+	{
+	ClusterController::Log::info(fmt("rx ClusterAgent::API::notify_controller_hello %s %s", controller, host));
+	g_notify_controller = F;
+	}
+
+event ClusterAgent::API::notify_agent_hello(instance: string, host: addr, api_version: count)
+	{
+	if ( g_notify_controller )
+		schedule 1sec { ClusterAgent::API::notify_agent_hello(instance, host, api_version) };
+	}
+
 event Broker::peer_added(peer: Broker::EndpointInfo, msg: string)
 	{
 	# This does not (cannot?) immediately verify that the new peer
 	# is in fact a controller, so we might send this redundantly.
 	# Controllers handle the hello event accordingly.
 
+	g_notify_controller = T;
+
 	local epi = ClusterAgent::endpoint_info();
-	# XXX deal with unexpected peers, unless we're okay with it
+
 	event ClusterAgent::API::notify_agent_hello(epi$id,
 	    to_addr(epi$network$address), ClusterAgent::API::version);
 	}
diff --git a/scripts/policy/frameworks/cluster/controller/api.zeek b/scripts/policy/frameworks/cluster/controller/api.zeek
index 4d3e1ba70d..d742a332ef 100644
--- a/scripts/policy/frameworks/cluster/controller/api.zeek
+++ b/scripts/policy/frameworks/cluster/controller/api.zeek
@@ -5,6 +5,10 @@ module ClusterController::API;
 export {
 	const version = 1;
 
+	# Triggered when the operational instances align with desired ones, as
+	# defined by the latest cluster config sent by the client.
+	global notify_agents_ready: event(instances: set[string]);
+
 	global get_instances_request: event(reqid: string);
 	global get_instances_response: event(reqid: string,
 	    instances: vector of ClusterController::Types::Instance);
diff --git a/scripts/policy/frameworks/cluster/controller/config.zeek b/scripts/policy/frameworks/cluster/controller/config.zeek
index f889512fec..5605bd39a6 100644
--- a/scripts/policy/frameworks/cluster/controller/config.zeek
+++ b/scripts/policy/frameworks/cluster/controller/config.zeek
@@ -28,13 +28,6 @@ export {
 	# The controller listens for messages on this topic:
 	const topic = "zeek/cluster-control/controller" &redef;
 
-	# The set of agents to interact with. When this is non-empty
-	# at startup, the controller contacts the agents; when it is
-	# empty, it waits for agents to connect. They key is a name of
-	# each instance. This should match the $name member of the
-	# instance records.
-	const instances: table[string] of ClusterController::Types::Instance = { } &redef;
-
 	# The role of this node in cluster management. Agent and
 	# controller both redef this. Used during logging.
 	const role = ClusterController::Types::NONE &redef;
diff --git a/scripts/policy/frameworks/cluster/controller/main.zeek b/scripts/policy/frameworks/cluster/controller/main.zeek
index 5c8c57a057..fb01f72628 100644
--- a/scripts/policy/frameworks/cluster/controller/main.zeek
+++ b/scripts/policy/frameworks/cluster/controller/main.zeek
@@ -6,16 +6,35 @@
 @load ./api
 @load ./log
 @load ./request
+@load ./util
 
 redef ClusterController::role = ClusterController::Types::CONTROLLER;
 
-global g_config_current: ClusterController::Types::Configuration;
+global check_instances_ready: function(insts: set[string], tc: TableChange, inst: string);
+global add_instance: function(inst: ClusterController::Types::Instance);
+global drop_instance: function(inst: ClusterController::Types::Instance);
+
+# The desired set of agents the controller interact with, as provided by the
+# most recent config update sent by the client. They key is a name of each
+# instance. This should match the $name member of the instance records.
+global g_instances: table[string] of ClusterController::Types::Instance = table();
+
+# A corresponding set of instances/agents that we track in order to understand
+# when all of the above instances have checked in with a notify_agent_hello
+# event. (An alternative would be to use a record that adds a single state bit
+# for each instance, and store that above.)
+global g_instances_ready: set[string] = set() &on_change=check_instances_ready;
+
+# The request ID of the most recent configuration update that's come in from
+# a client. We track it here until we know we are ready to communicate with all
+# agents required by the update.
 global g_config_reqid_pending: string = "";
 
+
 function send_config_to_agents(req: ClusterController::Request::Request,
                                config: ClusterController::Types::Configuration)
 	{
-	for ( name in ClusterController::instances )
+	for ( name in g_instances )
 		{
 		local agent_topic = ClusterAgent::topic_prefix + "/" + name;
 		local areq = ClusterController::Request::create();
@@ -26,100 +45,129 @@ function send_config_to_agents(req: ClusterController::Request::Request,
 		# and once all are, we respond back to the client.
 		req$set_configuration_state$requests += areq;
 
-		# XXX could also broadcast just once on the agent prefix, but
+		# We could also broadcast just once on the agent prefix, but
 		# explicit request/response pairs for each agent seems cleaner.
 		ClusterController::Log::info(fmt("tx ClusterAgent::API::set_configuration_request %s to %s", areq$id, name));
 		Broker::publish(agent_topic, ClusterAgent::API::set_configuration_request, areq$id, config);
 		}
 	}
 
+# This is the &on_change handler for the g_instances_ready set.
+function check_instances_ready(insts: set[string], tc: TableChange, inst: string)
+	{
+	local cur_instances: set[string];
+
+	# See if the new update to the readiness set makes it match the current
+	# instances. If so, trigger the notify_agents_ready event.
+	if ( tc == TABLE_ELEMENT_NEW || tc == TABLE_ELEMENT_REMOVED )
+		{
+		for ( inst in g_instances )
+			add cur_instances[inst];
+
+		if ( cur_instances == g_instances_ready )
+			{
+			event ClusterController::API::notify_agents_ready(cur_instances);
+			}
+		}
+	}
+
+function add_instance(inst: ClusterController::Types::Instance)
+	{
+	g_instances[inst$name] = inst;
+
+	if ( inst?$listen_port )
+		Broker::peer(cat(inst$host), inst$listen_port,
+		             ClusterController::connect_retry);
+	}
+
 function drop_instance(inst: ClusterController::Types::Instance)
 	{
-	if ( inst$name in ClusterController::instances )
-		{
-		# Send this agent a config that will terminate any data cluster
-		# nodes it might have. This is "fire and forget" -- there will
-		# not be a response.
-		Broker::publish(ClusterAgent::topic_prefix + "/" + inst$name,
-		                ClusterAgent::API::set_configuration_request,
-		                "", ClusterController::Types::Configuration());
+	if ( inst$name !in g_instances )
+		return;
 
-		delete ClusterController::instances[inst$name];
-		}
+	# Send this agent a config that will terminate any data cluster
+	# nodes it might have. This is "fire and forget" -- there will
+	# not be a response.
+	Broker::publish(ClusterAgent::topic_prefix + "/" + inst$name,
+	                ClusterAgent::API::set_configuration_request,
+	                "", ClusterController::Types::Configuration());
 
 	# If the instance has a port, we peered with it, so now unpeer.
 	if ( inst?$listen_port )
 		Broker::unpeer(cat(inst$host), inst$listen_port );
 
+	delete g_instances[inst$name];
+
+	if ( inst$name in g_instances_ready )
+		delete g_instances_ready[inst$name];
+
 	ClusterController::Log::info(fmt("dropped instance %s", inst$name));
 	}
 
-event ClusterAgent::API::notify_agent_hello(instance: string, host: addr, api_version: count)
+event ClusterController::API::notify_agents_ready(instances: set[string])
 	{
-	# See if we already know about this agent; if not, register
-	# it.
-	#
-	# XXX protection against rogue agents?
+	local insts = ClusterController::Util::set_to_vector(instances);
 
-	local inst: ClusterController::Types::Instance;
-
-	if ( instance in ClusterController::instances )
-		{
-		# Do nothing, unless this known agent checks in with a mismatching
-		# API version, in which case we kick it out.
-		if ( api_version != ClusterController::API::version )
-			drop_instance(ClusterController::instances[instance]);
-
-		# Update the instance name in the pointed-to record, in case it
-		# was previously named otherwise. Not being too picky here allows
-		# the user some leeway in spelling out the original config.
-		ClusterController::instances[instance]$name = instance;
-		return;
-		}
-
-	if ( api_version != ClusterController::API::version )
-		{
-		ClusterController::Log::warning(
-		    fmt("agent %s/%s speaks incompatible agent protocol (%s, need %s), ignoring",
-		        instance, host, api_version, ClusterController::API::version));
-		return;
-		}
-
-	ClusterController::instances[instance] = ClusterController::Types::Instance($name=instance, $host=host);
-	ClusterController::Log::info(fmt("instance %s/%s has checked in", instance, host));
-
-	# If we have a pending configuration request, check in on it now to see whether
-	# we have all agents required, and finalize the config request.
-	if ( g_config_reqid_pending == "" )
-		return;
+	ClusterController::Log::info(fmt("rx ClusterController::API:notify_agents_ready %s", join_string_vec(insts, ",")));
 
+	# When all agents are ready, send them the pending config update.
 	local req = ClusterController::Request::lookup(g_config_reqid_pending);
 
+	# If the request isn't available or doesn't have config state, we just
+	# clear it out and stop.
 	if ( ClusterController::Request::is_null(req) || ! req?$set_configuration_state )
 		{
-		# Odd, just clear out pending state.
 		g_config_reqid_pending = "";
 		return;
 		}
 
-	for ( inst in req$set_configuration_state$config$instances )
-		{
-		if ( inst$name !in ClusterController::instances )
-			{
-			# The request still has instances not known to us, try again
-			# later.
-			return;
-			}
-		}
-
-	# All instances requested in the configuration are now known to us.
-	# Send them the config. As they send their response events we
-	# update the request state and eventually send the response event
-	# to the client.
+	# All instances requested in the pending configuration update are now
+	# known to us. Send them the config. As they send their response events
+	# we update the client's request state and eventually send the response
+	# event to the it.
 	send_config_to_agents(req, req$set_configuration_state$config);
+
+	# The request object continues to exist and will be referenced by the
+	# responses coming in, but there's no longer a pending config update to
+	# track.
 	g_config_reqid_pending = "";
 	}
 
+event ClusterAgent::API::notify_agent_hello(instance: string, host: addr, api_version: count)
+	{
+	if ( instance !in g_instances )
+		{
+		# An unknown agent has checked in. This can happen with agentsthat aren't yet
+		# showing in a configuration received by the client. We log at debug level only.
+		ClusterController::Log::debug(
+		    fmt("unknown instance %s/%s has checked in, ignoring", instance, host));
+		return;
+		}
+
+	ClusterController::Log::info(fmt("rx ClusterAgent::API::notify_agent_hello %s %s", instance, host));
+
+	local inst = g_instances[instance];
+
+	# When a known agent checks in with a mismatching API version we kick it out.
+	if ( api_version != ClusterController::API::version )
+		{
+		ClusterController::Log::warning(
+		    fmt("instance %s/%s has checked in with incompatible API version %s, dropping",
+		        instance, host, api_version));
+		drop_instance(inst);
+		return;
+		}
+
+	if ( instance !in g_instances_ready )
+		{
+		ClusterController::Log::info(fmt("instance %s/%s has checked in", instance, host));
+		add g_instances_ready[instance];
+		}
+
+	Broker::publish(ClusterAgent::topic_prefix + "/" + instance,
+	                ClusterAgent::API::notify_controller_hello, ClusterController::name,
+	                to_addr(ClusterController::network_info()$address));
+	}
 
 event ClusterAgent::API::notify_change(instance: string, n: ClusterController::Types::Node,
                                        old: ClusterController::Types::State,
@@ -213,6 +261,7 @@ event ClusterController::API::set_configuration_request(reqid: string, config: C
 
 	local res: ClusterController::Types::Result;
 	local req = ClusterController::Request::create(reqid);
+
 	req$set_configuration_state = ClusterController::Request::SetConfigurationState($config = config);
 
 	# At the moment there can only be one pending request.
@@ -230,91 +279,78 @@ event ClusterController::API::set_configuration_request(reqid: string, config: C
 		return;
 		}
 
-	# Compare the instance configuration to our current one. For instances
-	# that are supposed to be checking in with us but have not, record
-	# errors. We will fail the request in those cases. For instances we
-	# don't know and are supposed to connect to, do so next.
+	# Compare the instance configuration to our current one. If it matches,
+	# we can proceed to deploying the new data cluster topology. If it does
+	# not, we need to establish connectivity with agents we connect to, or
+	# wait until all instances that connect to us have done so. Either triggers
+	# a notify_agents_ready event, upon which we then deploy the data cluster.
+
+	# The current & new set of instance names.
+	local insts_current: set[string];
+	local insts_new: set[string];
+
+	# A set of current instances not contained in the new config.
+	# Those will need to get dropped.
+	local insts_to_drop: set[string];
+
+	# The opposite: new instances not yet in our current set. Those we will need
+	# to establish contact with (or they with us).
+	local insts_to_add: set[string];
+
+	# The overlap: instances in both the current and new set. For those we verify
+	# that we're actually dealign with the same entities, and might need to re-
+	# connect if not.
+	local insts_to_keep: set[string];
+
+	# Alternative representation of insts_to_add, directly providing the instances.
+	local insts_to_peer: table[string] of ClusterController::Types::Instance;
+
+	# Helpful locals.
 	local inst_name: string;
 	local inst: ClusterController::Types::Instance;
-	local insts_to_add: ClusterController::Types::InstanceVec;
 
-	# A set of instances not contained in the config, that therefore needs
-	# to be dropped.
-	local insts_to_drop: set[string] = {};
+	for ( inst_name in g_instances )
+		add insts_current[inst_name];
+	for ( inst in config$instances )
+		add insts_new[inst$name];
 
-	for ( inst_name in ClusterController::instances )
-		add insts_to_drop[inst_name];
+	# Populate TODO lists for instances we need to drop, check, or add.
+	insts_to_drop = insts_current - insts_new;
+	insts_to_add = insts_new - insts_current;
+	insts_to_keep = insts_new & insts_current;
 
 	for ( inst in config$instances )
 		{
-		if ( inst$name in ClusterController::instances )
+		if ( inst$name in insts_to_add )
 			{
-			# Verify that it's actually the same endpoint. If not, kick out
-			# the old one. XXX 0.0.0.0 is a workaround until we've resolved
-			# how agents that peer with us obtain their identity.
-			if ( ( inst$host != 0.0.0.0 && inst$host != ClusterController::instances[inst$name]$host ) ||
-			     inst?$listen_port != ClusterController::instances[inst$name]?$listen_port ||
-			     ( inst?$listen_port && ClusterController::instances[inst$name]?$listen_port &&
-			       inst$listen_port != ClusterController::instances[inst$name]$listen_port ) )
-				{
-				drop_instance(ClusterController::instances[inst$name]);
-				}
-			else
-				{
-				# We know this instance, don't drop it below.
-				delete insts_to_drop[inst$name];
-				}
+			insts_to_peer[inst$name] = inst;
+			next;
 			}
 
-		if ( inst$name !in ClusterController::instances )
+		# Focus on the keepers: check for change in identity/location.
+		if ( inst$name !in insts_to_keep )
+			next;
+
+		# XXX 0.0.0.0 is a workaround until we've resolved
+		# how agents that peer with us obtain their identity.
+		# Broker ID?
+		if ( ( inst$host != 0.0.0.0 && inst$host != g_instances[inst$name]$host ) ||
+		     inst?$listen_port != g_instances[inst$name]?$listen_port ||
+		     ( inst?$listen_port && g_instances[inst$name]?$listen_port &&
+		       inst$listen_port != g_instances[inst$name]$listen_port ) )
 			{
-			# It's an instance we don't currently know about.
-			if ( ! inst?$listen_port )
-				{
-				# If a requested instance doesn't have a listen port and isn't known
-				# to us, we have no way to establish connectivity. We reject the
-				# request.
-				res = ClusterController::Types::Result($reqid=reqid, $instance=inst$name);
-				res$success = F;
-				res$error = fmt("instance %s is unknown", inst$name);
-				req$results += res;
-				}
-			else
-				{
-				# We'll need to connect to this instance.
-				insts_to_add[|insts_to_add|] = inst;
-				}
+			# The endpoint looks different. We drop the current one
+			# and need to re-establish connectivity.
+			add insts_to_drop[inst$name];
 			}
 		}
 
-	# An error at this point means that we're rejecting this request.
-	if ( |req$results| > 0 )
-		{
-		ClusterController::Log::info(fmt("tx ClusterController::API::set_configuration_response %s",
-		                                 ClusterController::Request::to_string(req)));
-		event ClusterController::API::set_configuration_response(req$id, req$results);
-		ClusterController::Request::finish(req$id);
-		return;
-		}
-
+	# Process our TODO lists.
 	for ( inst_name in insts_to_drop )
-		drop_instance(ClusterController::instances[inst_name]);
+		drop_instance(g_instances[inst_name]);
 
-	# We have instances to connect to, so initiate peering and stop for now.
-	# Processing will continue as the agents check in. That's also when they
-	# get added to ClusterController::instances.
-	if ( |insts_to_add| > 0 )
-		{
-		for ( idx in insts_to_add )
-			{
-			inst = insts_to_add[idx];
-			Broker::peer(cat(inst$host), inst$listen_port,
-			             ClusterController::connect_retry);
-			}
-
-		g_config_reqid_pending = req$id;
-		return;
-		}
+	for ( inst_name in insts_to_peer )
+		add_instance(insts_to_peer[inst_name]);
 
 	# XXX validate the configuration:
 	# - Are node instances among defined instances?
@@ -323,8 +359,15 @@ event ClusterController::API::set_configuration_request(reqid: string, config: C
 	# - Do node types with optional fields have required values?
 	# ...
 
-	# Response event gets sent via the agents' reponse event.
-	send_config_to_agents(req, config);
+	# Track this config request globally until all of the agents required
+	# for it have checked in.  It gets cleared in the notify_agents_ready
+	# event handler.
+	g_config_reqid_pending = req$id;
+
+	# Special case: if the new request kept the set of instances identical,
+	# trigger notify_agents_ready explicitly so we transmit the new config.
+	if ( |insts_to_drop| == 0 && |insts_to_add| == 0 && |insts_to_keep| > 0 )
+		event ClusterController::API::notify_agents_ready(insts_to_keep);
 	}
 
 event ClusterController::API::get_instances_request(reqid: string)
@@ -333,8 +376,8 @@ event ClusterController::API::get_instances_request(reqid: string)
 
 	local insts: vector of ClusterController::Types::Instance;
 
-	for ( i in ClusterController::instances )
-		insts += ClusterController::instances[i];
+	for ( i in g_instances )
+		insts += g_instances[i];
 
 	ClusterController::Log::info(fmt("tx ClusterController::API::get_instances_response %s", reqid));
 	event ClusterController::API::get_instances_response(reqid, insts);
@@ -342,42 +385,25 @@ event ClusterController::API::get_instances_request(reqid: string)
 
 event zeek_init()
 	{
-	# Controller always listens -- it needs to be able to respond
-	# to the Zeek client. This port is also used by the agents
-	# if they connect to the client.
+	# The controller always listens -- it needs to be able to respond to the
+	# Zeek client. This port is also used by the agents if they connect to
+	# the client. The client doesn't automatically establish or accept
+	# connectivity to agents: agents are defined and communicated with as
+	# defined via configurations defined by the client.
+
 	local cni = ClusterController::network_info();
+
 	Broker::listen(cat(cni$address), cni$bound_port);
 
 	Broker::subscribe(ClusterAgent::topic_prefix);
 	Broker::subscribe(ClusterController::topic);
 
+	# Events sent to the client:
+
 	Broker::auto_publish(ClusterController::topic,
 	    ClusterController::API::get_instances_response);
 	Broker::auto_publish(ClusterController::topic,
 	    ClusterController::API::set_configuration_response);
 
-	if ( |ClusterController::instances| > 0 )
-		{
-		# We peer with the agents -- otherwise, the agents peer
-		# with (i.e., connect to) us.
-		for ( i in ClusterController::instances )
-			{
-			local inst = ClusterController::instances[i];
-
-			if ( ! inst?$listen_port )
-				{
-				# XXX config error -- this must be there
-				next;
-				}
-
-			Broker::peer(cat(inst$host), inst$listen_port,
-			             ClusterController::connect_retry);
-			}
-		}
-
-	# If ClusterController::instances is empty, agents peer with
-	# us and we do nothing. We'll build up state as the
-	# notify_agent_hello() events come int.
-
 	ClusterController::Log::info("controller is live");
 	}

From bbe7d3252922e91ebf580d87490bb124fa6117dc Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Mon, 29 Nov 2021 17:06:11 -0800
Subject: [PATCH 190/210] Bump zeek-client

---
 auxil/zeek-client | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/auxil/zeek-client b/auxil/zeek-client
index a6bfea8aee..ba412be977 160000
--- a/auxil/zeek-client
+++ b/auxil/zeek-client
@@ -1 +1 @@
-Subproject commit a6bfea8aee544f612e4ee7237f567d2fbbdfff3f
+Subproject commit ba412be97716417737a643b3f5666ad37a5f4494

From 1461d56340b8ecd84e22a1a10b4baa908058b1ee Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Mon, 6 Dec 2021 22:22:09 -0800
Subject: [PATCH 191/210] Track successful config deployment in cluster
 controller

This allows us to start returning deployed configurations to the client upon
request.
---
 .../frameworks/cluster/controller/main.zeek   | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/scripts/policy/frameworks/cluster/controller/main.zeek b/scripts/policy/frameworks/cluster/controller/main.zeek
index fb01f72628..87d975715c 100644
--- a/scripts/policy/frameworks/cluster/controller/main.zeek
+++ b/scripts/policy/frameworks/cluster/controller/main.zeek
@@ -14,6 +14,9 @@ global check_instances_ready: function(insts: set[string], tc: TableChange, inst
 global add_instance: function(inst: ClusterController::Types::Instance);
 global drop_instance: function(inst: ClusterController::Types::Instance);
 
+global null_config: function(): ClusterController::Types::Configuration;
+global is_null_config: function(config: ClusterController::Types::Configuration): bool;
+
 # The desired set of agents the controller interact with, as provided by the
 # most recent config update sent by the client. They key is a name of each
 # instance. This should match the $name member of the instance records.
@@ -30,6 +33,9 @@ global g_instances_ready: set[string] = set() &on_change=check_instances_ready;
 # agents required by the update.
 global g_config_reqid_pending: string = "";
 
+# The most recent configuration we have successfully deployed. This is also
+# the one we send whenever the client requests it.
+global g_config_current: ClusterController::Types::Configuration;
 
 function send_config_to_agents(req: ClusterController::Request::Request,
                                config: ClusterController::Types::Configuration)
@@ -104,6 +110,16 @@ function drop_instance(inst: ClusterController::Types::Instance)
 	ClusterController::Log::info(fmt("dropped instance %s", inst$name));
 	}
 
+function null_config(): ClusterController::Types::Configuration
+	{
+	return ClusterController::Types::Configuration($id="");
+	}
+
+function is_null_config(config: ClusterController::Types::Configuration): bool
+	{
+	return config$id == "";
+	}
+
 event ClusterController::API::notify_agents_ready(instances: set[string])
 	{
 	local insts = ClusterController::Util::set_to_vector(instances);
@@ -249,6 +265,11 @@ event ClusterAgent::API::set_configuration_response(reqid: string, result: Clust
 		ClusterController::Request::finish(r$id);
 		}
 
+	# This is the point where we're really done with the original
+	# set_configuration request. We adopt the configuration as the current
+	# one.
+	g_config_current = req$set_configuration_state$config;
+
 	ClusterController::Log::info(fmt("tx ClusterController::API::set_configuration_response %s",
 	                                 ClusterController::Request::to_string(req)));
 	event ClusterController::API::set_configuration_response(req$id, req$results);
@@ -385,6 +406,11 @@ event ClusterController::API::get_instances_request(reqid: string)
 
 event zeek_init()
 	{
+	# Initialize null config at startup. We will replace it once we have
+	# persistence, and again whenever we complete a client's
+	# set_configuration request.
+	g_config_current = null_config();
+
 	# The controller always listens -- it needs to be able to respond to the
 	# Zeek client. This port is also used by the agents if they connect to
 	# the client. The client doesn't automatically establish or accept

From fc9679e510dcfdd373ca2df519784add4eb97841 Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Mon, 13 Dec 2021 13:33:16 -0800
Subject: [PATCH 192/210] Move get_instances_response event to using a Result
 record

Includes corresponding zeek-client bump.
---
 auxil/zeek-client                                      | 2 +-
 scripts/policy/frameworks/cluster/controller/api.zeek  | 2 +-
 scripts/policy/frameworks/cluster/controller/main.zeek | 5 ++++-
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/auxil/zeek-client b/auxil/zeek-client
index ba412be977..a38ff3fe5d 160000
--- a/auxil/zeek-client
+++ b/auxil/zeek-client
@@ -1 +1 @@
-Subproject commit ba412be97716417737a643b3f5666ad37a5f4494
+Subproject commit a38ff3fe5ddd59f2ec587191862b763ccb599454
diff --git a/scripts/policy/frameworks/cluster/controller/api.zeek b/scripts/policy/frameworks/cluster/controller/api.zeek
index d742a332ef..019695ffbb 100644
--- a/scripts/policy/frameworks/cluster/controller/api.zeek
+++ b/scripts/policy/frameworks/cluster/controller/api.zeek
@@ -11,7 +11,7 @@ export {
 
 	global get_instances_request: event(reqid: string);
 	global get_instances_response: event(reqid: string,
-	    instances: vector of ClusterController::Types::Instance);
+	    result: ClusterController::Types::Result);
 
 	global set_configuration_request: event(reqid: string,
 	    config: ClusterController::Types::Configuration);
diff --git a/scripts/policy/frameworks/cluster/controller/main.zeek b/scripts/policy/frameworks/cluster/controller/main.zeek
index 87d975715c..8884371548 100644
--- a/scripts/policy/frameworks/cluster/controller/main.zeek
+++ b/scripts/policy/frameworks/cluster/controller/main.zeek
@@ -395,13 +395,16 @@ event ClusterController::API::get_instances_request(reqid: string)
 	{
 	ClusterController::Log::info(fmt("rx ClusterController::API::set_instances_request %s", reqid));
 
+	local res = ClusterController::Types::Result($reqid = reqid);
 	local insts: vector of ClusterController::Types::Instance;
 
 	for ( i in g_instances )
 		insts += g_instances[i];
 
+	res$data = insts;
+
 	ClusterController::Log::info(fmt("tx ClusterController::API::get_instances_response %s", reqid));
-	event ClusterController::API::get_instances_response(reqid, insts);
+	event ClusterController::API::get_instances_response(reqid, res);
 	}
 
 event zeek_init()

From 1e823f931ea1c4fb9709c5600537e2a74e474459 Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Mon, 13 Dec 2021 14:14:24 -0800
Subject: [PATCH 193/210] Add expiration mechanism to client request state.

This establishes a timeout controlled via ClusterController::request_timeout,
triggering a ClusterController::Request::request_expired event whenever a
timeout rolls around before request state has been finalized by a request's
normal processing.
---
 .../frameworks/cluster/controller/config.zeek |  3 +++
 .../cluster/controller/request.zeek           | 24 +++++++++++++++----
 2 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/scripts/policy/frameworks/cluster/controller/config.zeek b/scripts/policy/frameworks/cluster/controller/config.zeek
index 5605bd39a6..335d485f79 100644
--- a/scripts/policy/frameworks/cluster/controller/config.zeek
+++ b/scripts/policy/frameworks/cluster/controller/config.zeek
@@ -32,6 +32,9 @@ export {
 	# controller both redef this. Used during logging.
 	const role = ClusterController::Types::NONE &redef;
 
+	# The timeout for client request state.
+	const request_timeout = 15sec &redef;
+
 	# Agent and controller currently log only, not via the data cluster's
 	# logger. (This might get added later.) For now, this means that
 	# if both write to the same log file, it gets garbled. The following
diff --git a/scripts/policy/frameworks/cluster/controller/request.zeek b/scripts/policy/frameworks/cluster/controller/request.zeek
index 21fcad1117..0e7cfc86cd 100644
--- a/scripts/policy/frameworks/cluster/controller/request.zeek
+++ b/scripts/policy/frameworks/cluster/controller/request.zeek
@@ -1,4 +1,5 @@
 @load ./types
+@load ./config
 
 module ClusterController::Request;
 
@@ -8,8 +9,10 @@ export {
 		parent_id: string &optional;
 	};
 
-	# API-specific state. XXX we may be able to generalize after this
-	# has settled a bit more.
+	# API-specific state. XXX we may be able to generalize after this has
+	# settled a bit more. It would also be nice to move request-specific
+	# state out of this module -- we could for example redef Request in
+	# main.zeek as needed.
 
 	# State specific to the set_configuration request/response events
 	type SetConfigurationState: record {
@@ -44,12 +47,25 @@ export {
 	global lookup: function(reqid: string): Request;
 	global finish: function(reqid: string): bool;
 
+	global request_expired: event(req: Request);
+
 	global is_null: function(request: Request): bool;
 	global to_string: function(request: Request): string;
 }
 
-# XXX this needs a mechanism for expiring stale requests
-global g_requests: table[string] of Request;
+function requests_expire_func(reqs: table[string] of Request, reqid: string): interval
+	{
+	event ClusterController::Request::request_expired(reqs[reqid]);
+	return 0secs;
+	}
+
+# This is the global request-tracking table. The table maps from request ID
+# strings to corresponding Request records. Entries time out after the
+# ClusterController::request_timeout interval. Upon expiration, a
+# request_expired event triggers that conveys the request state.
+global g_requests: table[string] of Request
+    &create_expire=ClusterController::request_timeout
+    &expire_func=requests_expire_func;
 
 function create(reqid: string): Request
 	{

From 30db1b3bfb5a7868d77dceb1e280805e6101ddd3 Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Mon, 13 Dec 2021 19:28:48 -0800
Subject: [PATCH 194/210] First uses of request state timeouts

This now features support for the test_timeout_request/response events, as
supported by the client, and also adds a timeout event for set_configuration, in
case agents do not respond in time.

Includes corresponding zeek-client submodule bump.
---
 auxil/zeek-client                             |  2 +-
 .../frameworks/cluster/controller/api.zeek    | 13 +++++-
 .../frameworks/cluster/controller/config.zeek |  6 ++-
 .../frameworks/cluster/controller/main.zeek   | 46 +++++++++++++++++++
 .../cluster/controller/request.zeek           | 11 ++---
 5 files changed, 68 insertions(+), 10 deletions(-)

diff --git a/auxil/zeek-client b/auxil/zeek-client
index a38ff3fe5d..1858f92820 160000
--- a/auxil/zeek-client
+++ b/auxil/zeek-client
@@ -1 +1 @@
-Subproject commit a38ff3fe5ddd59f2ec587191862b763ccb599454
+Subproject commit 1858f9282014934083869799f891796e7ae1ea90
diff --git a/scripts/policy/frameworks/cluster/controller/api.zeek b/scripts/policy/frameworks/cluster/controller/api.zeek
index 019695ffbb..0cd1f49558 100644
--- a/scripts/policy/frameworks/cluster/controller/api.zeek
+++ b/scripts/policy/frameworks/cluster/controller/api.zeek
@@ -17,4 +17,15 @@ export {
 	    config: ClusterController::Types::Configuration);
 	global set_configuration_response: event(reqid: string,
 	    result: ClusterController::Types::ResultVec);
-}
+
+	# Testing events. These don't provide operational value but expose
+	# internal functionality, triggered by test cases.
+
+	# This event causes no further action (other than getting logged) if
+	# set_state is F. When T, the controller establishes request state. The
+	# conroller only ever sends the response event when this state times
+	# out.
+	global test_timeout_request: event(reqid: string, with_state: bool);
+	global test_timeout_response: event(reqid: string,
+	    result: ClusterController::Types::Result);
+	}
diff --git a/scripts/policy/frameworks/cluster/controller/config.zeek b/scripts/policy/frameworks/cluster/controller/config.zeek
index 335d485f79..0d559b0b64 100644
--- a/scripts/policy/frameworks/cluster/controller/config.zeek
+++ b/scripts/policy/frameworks/cluster/controller/config.zeek
@@ -32,8 +32,10 @@ export {
 	# controller both redef this. Used during logging.
 	const role = ClusterController::Types::NONE &redef;
 
-	# The timeout for client request state.
-	const request_timeout = 15sec &redef;
+	# The timeout for request state. Applies both to state kept for client
+	# requests, as well as state in the agents for requests to the
+	# supervisor.
+	const request_timeout = 10sec &redef;
 
 	# Agent and controller currently log only, not via the data cluster's
 	# logger. (This might get added later.) For now, this means that
diff --git a/scripts/policy/frameworks/cluster/controller/main.zeek b/scripts/policy/frameworks/cluster/controller/main.zeek
index 8884371548..835b517ede 100644
--- a/scripts/policy/frameworks/cluster/controller/main.zeek
+++ b/scripts/policy/frameworks/cluster/controller/main.zeek
@@ -407,6 +407,50 @@ event ClusterController::API::get_instances_request(reqid: string)
 	event ClusterController::API::get_instances_response(reqid, res);
 	}
 
+event ClusterController::Request::request_expired(req: ClusterController::Request::Request)
+	{
+	# Various handlers for timed-out request state. We use the state members
+	# to identify how to respond.  No need to clean up the request itself,
+	# since we're getting here via the request module's expiration
+	# mechanism that handles the cleanup.
+	local res: ClusterController::Types::Result;
+
+	if ( req?$set_configuration_state )
+		{
+		res = ClusterController::Types::Result($reqid=req$id);
+		res$success = F;
+		res$error = "request timed out";
+		req$results += res;
+
+		ClusterController::Log::info(fmt("tx ClusterController::API::set_configuration_response %s",
+		                                 ClusterController::Request::to_string(req)));
+		event ClusterController::API::set_configuration_response(req$id, req$results);
+		}
+
+	if ( req?$test_state )
+		{
+		res = ClusterController::Types::Result($reqid=req$id);
+		res$success = F;
+		res$error = "request timed out";
+
+		ClusterController::Log::info(fmt("tx ClusterController::API::test_timeout_response %s", req$id));
+		event ClusterController::API::test_timeout_response(req$id, res);
+		}
+	}
+
+event ClusterController::API::test_timeout_request(reqid: string, with_state: bool)
+	{
+	ClusterController::Log::info(fmt("rx ClusterController::API::test_timeout_request %s %s", reqid, with_state));
+
+	if ( with_state )
+		{
+		# This state times out and triggers a timeout response in the
+		# above request_expired event handler.
+		local req = ClusterController::Request::create(reqid);
+		req$test_state = ClusterController::Request::TestState();
+		}
+	}
+
 event zeek_init()
 	{
 	# Initialize null config at startup. We will replace it once we have
@@ -433,6 +477,8 @@ event zeek_init()
 	    ClusterController::API::get_instances_response);
 	Broker::auto_publish(ClusterController::topic,
 	    ClusterController::API::set_configuration_response);
+	Broker::auto_publish(ClusterController::topic,
+	    ClusterController::API::test_timeout_response);
 
 	ClusterController::Log::info("controller is live");
 	}
diff --git a/scripts/policy/frameworks/cluster/controller/request.zeek b/scripts/policy/frameworks/cluster/controller/request.zeek
index 0e7cfc86cd..b6735d79ba 100644
--- a/scripts/policy/frameworks/cluster/controller/request.zeek
+++ b/scripts/policy/frameworks/cluster/controller/request.zeek
@@ -20,16 +20,15 @@ export {
 		requests: vector of Request &default=vector();
 	};
 
-	# State specific to the set_nodes request/response events
-	type SetNodesState: record {
-		requests: vector of Request &default=vector();
-	};
-
 	# State specific to supervisor interactions
 	type SupervisorState: record {
 		node: string;
 	};
 
+	# State for testing events
+	type TestState: record {
+	};
+
 	# The redef is a workaround so we can use the Request type
 	# while it is still being defined
 	redef record Request += {
@@ -37,8 +36,8 @@ export {
 		finished: bool &default=F;
 
 		set_configuration_state: SetConfigurationState &optional;
-		set_nodes_state: SetNodesState &optional;
 		supervisor_state: SupervisorState &optional;
+		test_state: TestState &optional;
 	};
 
 	global null_req = Request($id="", $finished=T);

From 069eb28987c64c85a4f6b96b3d4baaf45568ca12 Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Tue, 14 Dec 2021 00:19:57 -0800
Subject: [PATCH 195/210] Bump zeek-client

---
 auxil/zeek-client | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/auxil/zeek-client b/auxil/zeek-client
index 1858f92820..802668e719 160000
--- a/auxil/zeek-client
+++ b/auxil/zeek-client
@@ -1 +1 @@
-Subproject commit 1858f9282014934083869799f891796e7ae1ea90
+Subproject commit 802668e71961d471769625024be471c7975e6f49

From 8463f14a523f1bd01d1453742c7b3b04be5e1cf2 Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Tue, 14 Dec 2021 18:38:29 -0800
Subject: [PATCH 196/210] Move cluster controller/agent main.zeek scripts into
 their own modules

This has no practical relevance other than allowing the two to be loaded a the
same time, which some of our (cluster-unrelated) tests require. Absence of
namespacing would trigger symbol clashes at this point.
---
 scripts/policy/frameworks/cluster/agent/main.zeek      | 2 ++
 scripts/policy/frameworks/cluster/controller/main.zeek | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/scripts/policy/frameworks/cluster/agent/main.zeek b/scripts/policy/frameworks/cluster/agent/main.zeek
index a70c7c6269..734a55a126 100644
--- a/scripts/policy/frameworks/cluster/agent/main.zeek
+++ b/scripts/policy/frameworks/cluster/agent/main.zeek
@@ -6,6 +6,8 @@
 
 @load ./api
 
+module ClusterAgent::Runtime;
+
 redef ClusterController::role = ClusterController::Types::AGENT;
 
 # The global configuration as passed to us by the controller
diff --git a/scripts/policy/frameworks/cluster/controller/main.zeek b/scripts/policy/frameworks/cluster/controller/main.zeek
index 835b517ede..a774bba119 100644
--- a/scripts/policy/frameworks/cluster/controller/main.zeek
+++ b/scripts/policy/frameworks/cluster/controller/main.zeek
@@ -8,6 +8,8 @@
 @load ./request
 @load ./util
 
+module ClusterController::Runtime;
+
 redef ClusterController::role = ClusterController::Types::CONTROLLER;
 
 global check_instances_ready: function(insts: set[string], tc: TableChange, inst: string);

From ac40d5c5b2d16043e8717f56f76ec6c78d6166be Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Mon, 20 Dec 2021 16:30:58 -0800
Subject: [PATCH 197/210] Remove periodic pinging of controller by agents

This changes the agent-controller communication to remove the need for ongoing
pinging of the controller by agents not actively "in service". Instead, agents
now use the notify_agent_hello event to the controller to report only their
identity. The controller puts them into service via an agent_welcome_request/
response pair, and takes them out of service via agent_standby_request/response.

This removes the on_change handler from the set of agents that is ready for
service, because not every change to this set is now a suitable time to
potentially send out the configuration. We now invoke this check explicitly in
the two situations where it's warranted: when a agent reports ready for service,
and when we've received a new configuration.
---
 .../policy/frameworks/cluster/agent/api.zeek  |  30 ++-
 .../policy/frameworks/cluster/agent/main.zeek |  47 ++--
 .../frameworks/cluster/controller/main.zeek   | 244 +++++++++++-------
 3 files changed, 208 insertions(+), 113 deletions(-)

diff --git a/scripts/policy/frameworks/cluster/agent/api.zeek b/scripts/policy/frameworks/cluster/agent/api.zeek
index 6263bf9d9d..f570a93786 100644
--- a/scripts/policy/frameworks/cluster/agent/api.zeek
+++ b/scripts/policy/frameworks/cluster/agent/api.zeek
@@ -8,14 +8,35 @@ export {
 
 	# Agent API events
 
+	# The controller uses this event to convey a new cluster
+	# configuration to the agent. Once processed, the agent
+	# responds with the response event.
 	global set_configuration_request: event(reqid: string,
 	    config: ClusterController::Types::Configuration);
 	global set_configuration_response: event(reqid: string,
 	    result: ClusterController::Types::Result);
 
+	# The controller uses this event to confirm to the agent
+	# that it is part of the current cluster. The agent
+	# acknowledges with the response event.
+	global agent_welcome_request: event(reqid: string);
+	global agent_welcome_response: event(reqid: string,
+	    result: ClusterController::Types::Result);
+
+	# The controller sends this event to convey that the agent is not
+	# currently required. This status may later change, depending on
+	# updates from the client, so the peering can remain active. The
+	# agent releases any cluster-related resources when processing the
+	# request.
+	global agent_standby_request: event(reqid: string);
+	global agent_standby_response: event(reqid: string,
+	    result: ClusterController::Types::Result);
+
 	# Notification events, agent -> controller
 
-	# Report agent being available.
+	# The agent sends this upon peering as a "check in", informing the
+	# controller that an agent of the given name is now available to
+	# communicate with.
 	global notify_agent_hello: event(instance: string, host: addr,
 	    api_version: count);
 
@@ -30,11 +51,4 @@ export {
 
 	# Report informational message.
 	global notify_log: event(instance: string, msg: string, node: string &default="");
-
-	# Notification events, controller -> agent
-
-	# Confirmation from controller in response to notify_agent_hello
-	# that the agent is welcome.
-	global notify_controller_hello: event(controller: string, host: addr);
-
 }
diff --git a/scripts/policy/frameworks/cluster/agent/main.zeek b/scripts/policy/frameworks/cluster/agent/main.zeek
index 734a55a126..fd0bee533e 100644
--- a/scripts/policy/frameworks/cluster/agent/main.zeek
+++ b/scripts/policy/frameworks/cluster/agent/main.zeek
@@ -24,11 +24,6 @@ global g_nodes: table[string] of ClusterController::Types::Node;
 # new configurations.
 global g_data_cluster: table[string] of Supervisor::ClusterEndpoint;
 
-# Whether we currenty keep notifying the controller that we're here.
-# We stop once the controller responds back, and resume when we've
-# lost the peering.
-global g_notify_controller: bool = T;
-
 
 event SupervisorControl::create_response(reqid: string, result: string)
 	{
@@ -169,25 +164,44 @@ event ClusterAgent::API::set_configuration_request(reqid: string, config: Cluste
 		}
 	}
 
-event ClusterAgent::API::notify_controller_hello(controller: string, host: addr)
+event ClusterAgent::API::agent_welcome_request(reqid: string)
 	{
-	ClusterController::Log::info(fmt("rx ClusterAgent::API::notify_controller_hello %s %s", controller, host));
-	g_notify_controller = F;
+	ClusterController::Log::info(fmt("rx ClusterAgent::API::agent_welcome_request %s", reqid));
+
+	local res = ClusterController::Types::Result(
+	    $reqid = reqid,
+	    $instance = ClusterAgent::name);
+
+	ClusterController::Log::info(fmt("tx ClusterAgent::API::agent_welcome_response %s",
+	                                 ClusterController::Types::result_to_string(res)));
+	event ClusterAgent::API::agent_welcome_response(reqid, res);
 	}
 
-event ClusterAgent::API::notify_agent_hello(instance: string, host: addr, api_version: count)
+event ClusterAgent::API::agent_standby_request(reqid: string)
 	{
-	if ( g_notify_controller )
-		schedule 1sec { ClusterAgent::API::notify_agent_hello(instance, host, api_version) };
+	ClusterController::Log::info(fmt("rx ClusterAgent::API::agent_standby_request %s", reqid));
+
+	# We shut down any existing cluster nodes via an empty configuration,
+	# and fall silent. We do not unpeer/disconnect (assuming we earlier
+	# peered/connected -- otherwise there's nothing we can do here via
+	# Broker anyway), mainly to keep open the possibility of running
+	# cluster nodes again later.
+	event ClusterAgent::API::set_configuration_request("", ClusterController::Types::Configuration());
+
+	local res = ClusterController::Types::Result(
+	    $reqid = reqid,
+	    $instance = ClusterAgent::name);
+
+	ClusterController::Log::info(fmt("tx ClusterAgent::API::agent_standby_response %s",
+	                                 ClusterController::Types::result_to_string(res)));
+	event ClusterAgent::API::agent_standby_response(reqid, res);
 	}
 
 event Broker::peer_added(peer: Broker::EndpointInfo, msg: string)
 	{
 	# This does not (cannot?) immediately verify that the new peer
-	# is in fact a controller, so we might send this redundantly.
-	# Controllers handle the hello event accordingly.
-
-	g_notify_controller = T;
+	# is in fact a controller, so we might send this in vain.
+	# Controllers register the agent upon receipt of the event.
 
 	local epi = ClusterAgent::endpoint_info();
 
@@ -218,6 +232,9 @@ event zeek_init()
 	# Auto-publish a bunch of events. Glob patterns or module-level
 	# auto-publish would be helpful here.
 	Broker::auto_publish(agent_topic, ClusterAgent::API::set_configuration_response);
+	Broker::auto_publish(agent_topic, ClusterAgent::API::agent_welcome_response);
+	Broker::auto_publish(agent_topic, ClusterAgent::API::agent_standby_response);
+
 	Broker::auto_publish(agent_topic, ClusterAgent::API::notify_agent_hello);
 	Broker::auto_publish(agent_topic, ClusterAgent::API::notify_change);
 	Broker::auto_publish(agent_topic, ClusterAgent::API::notify_error);
diff --git a/scripts/policy/frameworks/cluster/controller/main.zeek b/scripts/policy/frameworks/cluster/controller/main.zeek
index a774bba119..c9df650e4c 100644
--- a/scripts/policy/frameworks/cluster/controller/main.zeek
+++ b/scripts/policy/frameworks/cluster/controller/main.zeek
@@ -12,23 +12,36 @@ module ClusterController::Runtime;
 
 redef ClusterController::role = ClusterController::Types::CONTROLLER;
 
-global check_instances_ready: function(insts: set[string], tc: TableChange, inst: string);
+global check_instances_ready: function();
 global add_instance: function(inst: ClusterController::Types::Instance);
 global drop_instance: function(inst: ClusterController::Types::Instance);
 
 global null_config: function(): ClusterController::Types::Configuration;
 global is_null_config: function(config: ClusterController::Types::Configuration): bool;
 
-# The desired set of agents the controller interact with, as provided by the
-# most recent config update sent by the client. They key is a name of each
-# instance. This should match the $name member of the instance records.
+# Checks whether the given instance is one that we know with different
+# communication settings: a a different peering direction, a different listening
+# port, etc. Used as a predicate to indicate when we need to drop the existing
+# one from our internal state.
+global is_instance_connectivity_change: function
+    (inst: ClusterController::Types::Instance): bool;
+
+# The set of agents the controller interacts with to manage to currently
+# configured cluster. This may be a subset of all the agents known to the
+# controller, as tracked by the g_instances_known set. They key is the instance
+# name and should match the $name member of the corresponding instance record.
 global g_instances: table[string] of ClusterController::Types::Instance = table();
 
+# The set of instances that have checked in with the controller. This is a
+# superset of g_instances, since it covers any agent that has sent us a
+# notify_agent_hello event.
+global g_instances_known: set[string] = set();
+
 # A corresponding set of instances/agents that we track in order to understand
-# when all of the above instances have checked in with a notify_agent_hello
-# event. (An alternative would be to use a record that adds a single state bit
-# for each instance, and store that above.)
-global g_instances_ready: set[string] = set() &on_change=check_instances_ready;
+# when all of the above instances have sent agent_welcome_response events. (An
+# alternative would be to use a record that adds a single state bit for each
+# instance, and store that above.)
+global g_instances_ready: set[string] = set();
 
 # The request ID of the most recent configuration update that's come in from
 # a client. We track it here until we know we are ready to communicate with all
@@ -44,6 +57,9 @@ function send_config_to_agents(req: ClusterController::Request::Request,
 	{
 	for ( name in g_instances )
 		{
+		if ( name !in g_instances_ready )
+			next;
+
 		local agent_topic = ClusterAgent::topic_prefix + "/" + name;
 		local areq = ClusterController::Request::create();
 		areq$parent_id = req$id;
@@ -60,23 +76,17 @@ function send_config_to_agents(req: ClusterController::Request::Request,
 		}
 	}
 
-# This is the &on_change handler for the g_instances_ready set.
-function check_instances_ready(insts: set[string], tc: TableChange, inst: string)
+# This is the &on_change handler for the g_instances_ready set, meaning
+# it runs whenever a required agent has confirmed it's ready.
+function check_instances_ready()
 	{
 	local cur_instances: set[string];
 
-	# See if the new update to the readiness set makes it match the current
-	# instances. If so, trigger the notify_agents_ready event.
-	if ( tc == TABLE_ELEMENT_NEW || tc == TABLE_ELEMENT_REMOVED )
-		{
-		for ( inst in g_instances )
-			add cur_instances[inst];
+	for ( inst in g_instances )
+		add cur_instances[inst];
 
-		if ( cur_instances == g_instances_ready )
-			{
-			event ClusterController::API::notify_agents_ready(cur_instances);
-			}
-		}
+	if ( cur_instances == g_instances_ready )
+		event ClusterController::API::notify_agents_ready(cur_instances);
 	}
 
 function add_instance(inst: ClusterController::Types::Instance)
@@ -86,6 +96,20 @@ function add_instance(inst: ClusterController::Types::Instance)
 	if ( inst?$listen_port )
 		Broker::peer(cat(inst$host), inst$listen_port,
 		             ClusterController::connect_retry);
+
+	if ( inst$name in g_instances_known )
+		{
+		# The agent has already peered with us. Send welcome to indicate
+		# it's part of cluster management. Once it responds, we update
+		# the set of ready instances and proceed as feasible with config
+		# deployments.
+
+		local req = ClusterController::Request::create();
+
+		ClusterController::Log::info(fmt("tx ClusterAgent::API::agent_welcome_request to %s", inst$name));
+		Broker::publish(ClusterAgent::topic_prefix + "/" + inst$name,
+		                ClusterAgent::API::agent_welcome_request, req$id);
+		}
 	}
 
 function drop_instance(inst: ClusterController::Types::Instance)
@@ -93,22 +117,19 @@ function drop_instance(inst: ClusterController::Types::Instance)
 	if ( inst$name !in g_instances )
 		return;
 
-	# Send this agent a config that will terminate any data cluster
-	# nodes it might have. This is "fire and forget" -- there will
-	# not be a response.
+	# Send the agent a standby so it shuts down its cluster nodes & state
+	ClusterController::Log::info(fmt("tx ClusterAgent::API::agent_standby_request to %s", inst$name));
 	Broker::publish(ClusterAgent::topic_prefix + "/" + inst$name,
-	                ClusterAgent::API::set_configuration_request,
-	                "", ClusterController::Types::Configuration());
-
-	# If the instance has a port, we peered with it, so now unpeer.
-	if ( inst?$listen_port )
-		Broker::unpeer(cat(inst$host), inst$listen_port );
+	                ClusterAgent::API::agent_standby_request, "");
 
 	delete g_instances[inst$name];
 
 	if ( inst$name in g_instances_ready )
 		delete g_instances_ready[inst$name];
 
+	# The agent remains in g_instances_known, to track that we're able
+	# to communicate with it in case it's required again.
+
 	ClusterController::Log::info(fmt("dropped instance %s", inst$name));
 	}
 
@@ -122,69 +143,113 @@ function is_null_config(config: ClusterController::Types::Configuration): bool
 	return config$id == "";
 	}
 
+function is_instance_connectivity_change(inst: ClusterController::Types::Instance): bool
+	{
+	# If we're not tracking this instance as part of a cluster config, it's
+	# not a change. (More precisely: we cannot say whether it's changed.)
+	if ( inst$name !in g_instances )
+		return F;
+
+	# The agent has peered with us and now uses a different host.
+	# XXX 0.0.0.0 is a workaround until we've resolved how agents that peer
+	# with us obtain their identity. Broker ID?
+	if ( inst$host != 0.0.0.0 && inst$host != g_instances[inst$name]$host )
+		return T;
+
+	# The agent has a listening port and the one we know does not, or vice
+	# versa. I.e., this is a change in the intended peering direction.
+	if ( inst?$listen_port != g_instances[inst$name]?$listen_port )
+		return T;
+
+	# Both have listening ports, but they differ.
+	if ( inst?$listen_port && g_instances[inst$name]?$listen_port &&
+	     inst$listen_port != g_instances[inst$name]$listen_port )
+		return T;
+
+	return F;
+	}
+
 event ClusterController::API::notify_agents_ready(instances: set[string])
 	{
 	local insts = ClusterController::Util::set_to_vector(instances);
 
 	ClusterController::Log::info(fmt("rx ClusterController::API:notify_agents_ready %s", join_string_vec(insts, ",")));
 
-	# When all agents are ready, send them the pending config update.
 	local req = ClusterController::Request::lookup(g_config_reqid_pending);
 
-	# If the request isn't available or doesn't have config state, we just
-	# clear it out and stop.
+	# If there's no pending request, when it's no longer available, or it
+	# doesn't have config state, don't do anything else.
 	if ( ClusterController::Request::is_null(req) || ! req?$set_configuration_state )
-		{
-		g_config_reqid_pending = "";
 		return;
-		}
 
 	# All instances requested in the pending configuration update are now
 	# known to us. Send them the config. As they send their response events
 	# we update the client's request state and eventually send the response
 	# event to the it.
 	send_config_to_agents(req, req$set_configuration_state$config);
-
-	# The request object continues to exist and will be referenced by the
-	# responses coming in, but there's no longer a pending config update to
-	# track.
-	g_config_reqid_pending = "";
 	}
 
 event ClusterAgent::API::notify_agent_hello(instance: string, host: addr, api_version: count)
 	{
-	if ( instance !in g_instances )
-		{
-		# An unknown agent has checked in. This can happen with agentsthat aren't yet
-		# showing in a configuration received by the client. We log at debug level only.
-		ClusterController::Log::debug(
-		    fmt("unknown instance %s/%s has checked in, ignoring", instance, host));
-		return;
-		}
-
 	ClusterController::Log::info(fmt("rx ClusterAgent::API::notify_agent_hello %s %s", instance, host));
 
-	local inst = g_instances[instance];
-
-	# When a known agent checks in with a mismatching API version we kick it out.
+	# When an agent checks in with a mismatching API version, we log the
+	# fact and drop its state, if any.
 	if ( api_version != ClusterController::API::version )
 		{
 		ClusterController::Log::warning(
-		    fmt("instance %s/%s has checked in with incompatible API version %s, dropping",
+		    fmt("instance %s/%s has checked in with incompatible API version %s",
 		        instance, host, api_version));
-		drop_instance(inst);
+
+		if ( instance in g_instances )
+			drop_instance(g_instances[instance]);
+		if ( instance in g_instances_known )
+			delete g_instances_known[instance];
+
 		return;
 		}
 
-	if ( instance !in g_instances_ready )
+	add g_instances_known[instance];
+
+	if ( instance in g_instances && instance !in g_instances_ready )
 		{
-		ClusterController::Log::info(fmt("instance %s/%s has checked in", instance, host));
-		add g_instances_ready[instance];
+		# We need this instance for our cluster and have full context for
+		# it from the configuration. Tell agent.
+		local req = ClusterController::Request::create();
+
+		ClusterController::Log::info(fmt("tx ClusterAgent::API::agent_welcome_request to %s", instance));
+		Broker::publish(ClusterAgent::topic_prefix + "/" + instance,
+		                ClusterAgent::API::agent_welcome_request, req$id);
+		}
+	}
+
+event ClusterAgent::API::agent_welcome_response(reqid: string, result: ClusterController::Types::Result)
+	{
+	ClusterController::Log::info(fmt("rx ClusterAgent::API::agent_welcome_response %s", reqid));
+
+	local req = ClusterController::Request::lookup(reqid);
+
+	if ( ClusterController::Request::is_null(req) )
+		return;
+
+	ClusterController::Request::finish(req$id);
+
+	# An agent we've been waiting to hear back from is ready for cluster
+	# work. Double-check we still want it, otherwise drop it.
+
+	if ( ! result$success || result$instance !in g_instances )
+		{
+		ClusterController::Log::info(fmt(
+		    "tx ClusterAgent::API::agent_standby_request to %s", result$instance));
+		Broker::publish(ClusterAgent::topic_prefix + "/" + result$instance,
+		                ClusterAgent::API::agent_standby_request, "");
+		return;
 		}
 
-	Broker::publish(ClusterAgent::topic_prefix + "/" + instance,
-	                ClusterAgent::API::notify_controller_hello, ClusterController::name,
-	                to_addr(ClusterController::network_info()$address));
+	add g_instances_ready[result$instance];
+	ClusterController::Log::info(fmt("instance %s ready", result$instance));
+
+	check_instances_ready();
 	}
 
 event ClusterAgent::API::notify_change(instance: string, n: ClusterController::Types::Node,
@@ -267,10 +332,10 @@ event ClusterAgent::API::set_configuration_response(reqid: string, result: Clust
 		ClusterController::Request::finish(r$id);
 		}
 
-	# This is the point where we're really done with the original
-	# set_configuration request. We adopt the configuration as the current
-	# one.
+	# We're now done with the original set_configuration request.
+	# Adopt the configuration as the current one.
 	g_config_current = req$set_configuration_state$config;
+	g_config_reqid_pending = "";
 
 	ClusterController::Log::info(fmt("tx ClusterController::API::set_configuration_response %s",
 	                                 ClusterController::Request::to_string(req)));
@@ -302,6 +367,18 @@ event ClusterController::API::set_configuration_request(reqid: string, config: C
 		return;
 		}
 
+	# XXX validate the configuration:
+	# - Are node instances among defined instances?
+	# - Are all names unique?
+	# - Are any node options understood?
+	# - Do node types with optional fields have required values?
+	# ...
+
+	# The incoming request is now the pending one. It gets cleared when all
+	# agents have processed their config updates successfully, or their
+	# responses time out.
+	g_config_reqid_pending = req$id;
+
 	# Compare the instance configuration to our current one. If it matches,
 	# we can proceed to deploying the new data cluster topology. If it does
 	# not, we need to establish connectivity with agents we connect to, or
@@ -354,43 +431,27 @@ event ClusterController::API::set_configuration_request(reqid: string, config: C
 		if ( inst$name !in insts_to_keep )
 			next;
 
-		# XXX 0.0.0.0 is a workaround until we've resolved
-		# how agents that peer with us obtain their identity.
-		# Broker ID?
-		if ( ( inst$host != 0.0.0.0 && inst$host != g_instances[inst$name]$host ) ||
-		     inst?$listen_port != g_instances[inst$name]?$listen_port ||
-		     ( inst?$listen_port && g_instances[inst$name]?$listen_port &&
-		       inst$listen_port != g_instances[inst$name]$listen_port ) )
+		if ( is_instance_connectivity_change(inst) )
 			{
 			# The endpoint looks different. We drop the current one
-			# and need to re-establish connectivity.
+			# and need to re-establish connectivity with the new
+			# one.
 			add insts_to_drop[inst$name];
+			add insts_to_add[inst$name];
 			}
 		}
 
-	# Process our TODO lists.
+	# Process our TODO lists. Handle drops first, then additions, in
+	# case we need to re-establish connectivity with an agent.
+
 	for ( inst_name in insts_to_drop )
 		drop_instance(g_instances[inst_name]);
-
 	for ( inst_name in insts_to_peer )
 		add_instance(insts_to_peer[inst_name]);
 
-	# XXX validate the configuration:
-	# - Are node instances among defined instances?
-	# - Are all names unique?
-	# - Are any node options understood?
-	# - Do node types with optional fields have required values?
-	# ...
-
-	# Track this config request globally until all of the agents required
-	# for it have checked in.  It gets cleared in the notify_agents_ready
-	# event handler.
-	g_config_reqid_pending = req$id;
-
-	# Special case: if the new request kept the set of instances identical,
-	# trigger notify_agents_ready explicitly so we transmit the new config.
-	if ( |insts_to_drop| == 0 && |insts_to_add| == 0 && |insts_to_keep| > 0 )
-		event ClusterController::API::notify_agents_ready(insts_to_keep);
+	# Updates to out instance tables are complete, now check if we're already
+	# able to send the config to the agents:
+	check_instances_ready();
 	}
 
 event ClusterController::API::get_instances_request(reqid: string)
@@ -419,6 +480,9 @@ event ClusterController::Request::request_expired(req: ClusterController::Reques
 
 	if ( req?$set_configuration_state )
 		{
+		# This timeout means we no longer have a pending request.
+		g_config_reqid_pending = "";
+
 		res = ClusterController::Types::Result($reqid=req$id);
 		res$success = F;
 		res$error = "request timed out";

From c2cff6dac78cfbd85d2dc724db1c195e391c1a8e Mon Sep 17 00:00:00 2001
From: Avinal Kumar <avinal.xlvii@gmail.com>
Date: Sat, 13 Nov 2021 13:47:44 +0530
Subject: [PATCH 198/210] Switch BitTorrent analyzer to Zeek's regex engine

- Removes dependency on <regex.h>
- Replaces regex function with Zeek's standard regex functions
- Some replacements are workaround, may be improved later via an
appropiate API
- Update test baseline to fix what seems to be capturing on a bug in the
existing code.

Edit pass by Robin Sommer. Note that our test doesn't cover all the code
paths, but it does go through the one with the most substantial change.
---
 .../protocol/bittorrent/BitTorrentTracker.cc  | 80 ++++++++++++-------
 .../output                                    |  2 +-
 2 files changed, 50 insertions(+), 32 deletions(-)

diff --git a/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc b/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc
index e2a7f8297c..92de0788c8 100644
--- a/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc
+++ b/src/analyzer/protocol/bittorrent/BitTorrentTracker.cc
@@ -2,10 +2,10 @@
 
 #include "zeek/analyzer/protocol/bittorrent/BitTorrentTracker.h"
 
-#include <regex.h>
 #include <sys/types.h>
 #include <algorithm>
 
+#include "zeek/RE.h"
 #include "zeek/analyzer/protocol/bittorrent/events.bif.h"
 #include "zeek/analyzer/protocol/tcp/TCP_Reassembler.h"
 
@@ -243,13 +243,23 @@ void BitTorrentTracker_Analyzer::DeliverWeird(const char* msg, bool orig)
 bool BitTorrentTracker_Analyzer::ParseRequest(char* line)
 	{
 	static bool initialized = false;
-	static regex_t r_get, r_get_end, r_hdr;
+	static RE_Matcher re_get("^GET[ \t]+");
+	static RE_Matcher re_url("[^ \t]+");
+	static RE_Matcher re_version("[ \t]+HTTP/[0-9.]+$");
+	static RE_Matcher re_hdr("^[^: \t]+:[ ]*");
 
 	if ( ! initialized )
 		{
-		regcomp(&r_get, "^GET[ \t]+", REG_EXTENDED | REG_ICASE);
-		regcomp(&r_get_end, "[ \t]+HTTP/[0123456789.]+$", REG_EXTENDED | REG_ICASE);
-		regcomp(&r_hdr, "^[^: \t]+:[ ]*", REG_EXTENDED | REG_ICASE);
+		re_get.MakeCaseInsensitive();
+		re_url.MakeCaseInsensitive();
+		re_version.MakeCaseInsensitive();
+		re_hdr.MakeCaseInsensitive();
+
+		re_get.Compile();
+		re_url.Compile();
+		re_version.Compile();
+		re_hdr.Compile();
+
 		initialized = true;
 		}
 
@@ -257,29 +267,32 @@ bool BitTorrentTracker_Analyzer::ParseRequest(char* line)
 		{
 		case detail::BTT_REQ_GET:
 			{
-			regmatch_t match[1];
-			if ( regexec(&r_get, line, 1, match, 0) )
+			char* url_begin = nullptr;
+			char* url_end = nullptr;
+
+			if ( auto len_get = re_get.MatchPrefix(line); len_get > 0 )
+				{
+				url_begin = line + len_get;
+
+				if ( auto len_url = re_url.MatchPrefix(url_begin); len_url > 0 )
+					url_end = url_begin + len_url;
+				}
+
+			if ( ! (url_begin && url_end) )
 				{
 				AnalyzerViolation("BitTorrentTracker: invalid HTTP GET");
 				stop_orig = true;
 				return false;
 				}
 
-			regmatch_t match_end[1];
-			if ( ! regexec(&r_get_end, line, 1, match_end, 0) )
+			if ( auto version_len = re_version.MatchPrefix(url_end); version_len > 0 )
 				{
-				if ( match_end[0].rm_so <= match[0].rm_eo )
-					{
-					AnalyzerViolation("BitTorrentTracker: invalid HTTP GET");
-					stop_orig = true;
-					return false;
-					}
-
-				keep_alive = (line[match_end[0].rm_eo - 1] == '1');
-				line[match_end[0].rm_so] = 0;
+				// For keep_alive, check the last char of the matched string for the HTTP version.
+				keep_alive = (url_end[version_len - 1] == '1');
+				*url_end = 0;
 				}
 
-			RequestGet(&line[match[0].rm_eo]);
+			RequestGet(url_begin);
 
 			req_state = detail::BTT_REQ_HEADER;
 			}
@@ -294,8 +307,8 @@ bool BitTorrentTracker_Analyzer::ParseRequest(char* line)
 				break;
 				}
 
-			regmatch_t match[1];
-			if ( regexec(&r_hdr, line, 1, match, 0) )
+			int len_hdr = re_hdr.MatchPrefix(line);
+			if ( len_hdr <= 0 )
 				{
 				AnalyzerViolation("BitTorrentTracker: invalid HTTP request header");
 				stop_orig = true;
@@ -303,7 +316,7 @@ bool BitTorrentTracker_Analyzer::ParseRequest(char* line)
 				}
 
 			*strchr(line, ':') = 0; // this cannot fail - see regex_hdr
-			RequestHeader(line, &line[match[0].rm_eo]);
+			RequestHeader(line, line + len_hdr);
 			}
 			break;
 
@@ -344,12 +357,17 @@ void BitTorrentTracker_Analyzer::EmitRequest(void)
 bool BitTorrentTracker_Analyzer::ParseResponse(char* line)
 	{
 	static bool initialized = false;
-	static regex_t r_stat, r_hdr;
+	static RE_Matcher re_stat("^HTTP/[0-9.]* ");
+	static RE_Matcher re_hdr("^[^: \t]+:[ ]*");
 
 	if ( ! initialized )
 		{
-		regcomp(&r_stat, "^HTTP/[0123456789.]* ", REG_EXTENDED | REG_ICASE);
-		regcomp(&r_hdr, "^[^: \t]+:[ ]*", REG_EXTENDED | REG_ICASE);
+		re_stat.MakeCaseInsensitive();
+		re_hdr.MakeCaseInsensitive();
+
+		re_stat.Compile();
+		re_hdr.Compile();
+
 		initialized = true;
 		}
 
@@ -366,15 +384,15 @@ bool BitTorrentTracker_Analyzer::ParseResponse(char* line)
 				break;
 				}
 
-			regmatch_t match[1];
-			if ( regexec(&r_stat, line, 1, match, 0) )
+			int len_stat = re_stat.MatchPrefix(line);
+			if ( len_stat <= 0 )
 				{
 				AnalyzerViolation("BitTorrentTracker: invalid HTTP status");
 				stop_resp = true;
 				return false;
 				}
 
-			ResponseStatus(&line[match[0].rm_eo]);
+			ResponseStatus(line + len_stat);
 			res_state = detail::BTT_RES_HEADER;
 			}
 			break;
@@ -399,8 +417,8 @@ bool BitTorrentTracker_Analyzer::ParseResponse(char* line)
 				}
 
 				{
-				regmatch_t match[1];
-				if ( regexec(&r_hdr, line, 1, match, 0) )
+				int len_hdr = re_hdr.MatchPrefix(line);
+				if ( len_hdr <= 0 )
 					{
 					AnalyzerViolation("BitTorrentTracker: invalid HTTP response header");
 					stop_resp = true;
@@ -408,7 +426,7 @@ bool BitTorrentTracker_Analyzer::ParseResponse(char* line)
 					}
 
 				*strchr(line, ':') = 0; // this cannot fail - see regex_hdr
-				ResponseHeader(line, &line[match[0].rm_eo]);
+				ResponseHeader(line, line + len_hdr);
 				}
 			break;
 
diff --git a/testing/btest/Baseline/scripts.base.protocols.bittorrent.tracker/output b/testing/btest/Baseline/scripts.base.protocols.bittorrent.tracker/output
index b5fa94bb24..927395085a 100644
--- a/testing/btest/Baseline/scripts.base.protocols.bittorrent.tracker/output
+++ b/testing/btest/Baseline/scripts.base.protocols.bittorrent.tracker/output
@@ -1,4 +1,4 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
-[orig_h=10.0.0.201, orig_p=49842/tcp, resp_h=91.189.95.21, resp_p=6969/tcp],  /announce?info_hash=%e4%be%9eM%b8v%e3%e3%17%97x%b0%3e%90b%97%be%5c%8d%be&peer_id=-DE13F0-VnpZRF8ZP9iv&port=63448&uploaded=0&downloaded=0&left=1921843200&corrupt=0&key=764CA003&event=started&numwant=200&compact=1&no_peer_id=1&supportcrypto=1&redundant=0 HTTP/1., {
+[orig_h=10.0.0.201, orig_p=49842/tcp, resp_h=91.189.95.21, resp_p=6969/tcp], /announce?info_hash=%e4%be%9eM%b8v%e3%e3%17%97x%b0%3e%90b%97%be%5c%8d%be&peer_id=-DE13F0-VnpZRF8ZP9iv&port=63448&uploaded=0&downloaded=0&left=1921843200&corrupt=0&key=764CA003&event=started&numwant=200&compact=1&no_peer_id=1&supportcrypto=1&redundant=0, {
 
 }

From 8d38d5dc7e9d0d14e79bbe0e1431f53eae604332 Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Wed, 22 Dec 2021 13:37:25 -0800
Subject: [PATCH 199/210] Update doc submodule [nomail] [skip ci]

---
 doc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc b/doc
index 8c19fb230a..03a7e8f413 160000
--- a/doc
+++ b/doc
@@ -1 +1 @@
-Subproject commit 8c19fb230ae9e1e1ddb6b7e6cafcee9e5415c8c7
+Subproject commit 03a7e8f413702ef638c74a7e43d85bbc6926d86c

From 86aed8c91b763b9dec6f6d66a81b23f3fee3a33d Mon Sep 17 00:00:00 2001
From: zeek-bot <info@zeek.org>
Date: Thu, 23 Dec 2021 00:38:25 +0000
Subject: [PATCH 200/210] Update doc submodule [nomail] [skip ci]

---
 doc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc b/doc
index 03a7e8f413..055ae234e6 160000
--- a/doc
+++ b/doc
@@ -1 +1 @@
-Subproject commit 03a7e8f413702ef638c74a7e43d85bbc6926d86c
+Subproject commit 055ae234e6944a6bc20c3c758ef8442875d5f986

From 9970f45ecbd7f8f77bc5d8a81784f4f6442c5a52 Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Sat, 25 Dec 2021 16:03:53 -0800
Subject: [PATCH 201/210] deprecation warning on use of out-of-scope local

---
 src/parse.y | 36 ++++++++++++++++++++++++++++++++----
 1 file changed, 32 insertions(+), 4 deletions(-)

diff --git a/src/parse.y b/src/parse.y
index cf60ff58ac..ea3d617d7a 100644
--- a/src/parse.y
+++ b/src/parse.y
@@ -142,6 +142,10 @@ bool resolving_global_ID = false;
 bool defining_global_ID = false;
 std::vector<int> saved_in_init;
 
+std::vector<std::set<const ID*>> locals_at_this_scope;
+static std::unordered_set<const ID*> out_of_scope_locals;
+static std::unordered_set<const ID*> warned_about_locals;
+
 static Location func_hdr_location;
 static int func_hdr_cond_epoch = 0;
 EnumType* cur_enum_type = nullptr;
@@ -557,6 +561,8 @@ expr:
 	|	TOK_LOCAL local_id '=' expr
 			{
 			set_location(@2, @4);
+			if ( ! locals_at_this_scope.empty() )
+			       locals_at_this_scope.back().insert($2);
 			$$ = add_and_assign_local({AdoptRef{}, $2}, {AdoptRef{}, $4},
 			                                        val_mgr->True()).release();
 			}
@@ -797,6 +803,13 @@ expr:
 					}
 				else
 					{
+					if ( out_of_scope_locals.count(id.get()) > 0 &&
+					     warned_about_locals.count(id.get()) == 0 )
+						{
+						reporter->Warning("use of out-of-scope local %s deprecated; move declaration to outer scope", id->Name());
+						warned_about_locals.insert(id.get());
+						}
+
 					$$ = new NameExpr(std::move(id));
 					}
 				}
@@ -1298,6 +1311,10 @@ func_body:
 			{
 			saved_in_init.push_back(in_init);
 			in_init = 0;
+
+			locals_at_this_scope.clear();
+			out_of_scope_locals.clear();
+			warned_about_locals.clear();
 			}
 
 		stmt_list
@@ -1573,11 +1590,20 @@ attr:
 	;
 
 stmt:
-		'{' opt_no_test_block stmt_list '}'
+		'{'
 			{
-			set_location(@1, @4);
-			$$ = $3;
-			if ( $2 )
+			std::set<const ID*> id_set;
+			locals_at_this_scope.emplace_back(id_set);
+			}
+		opt_no_test_block stmt_list '}'
+			{
+			auto& scope_locals = locals_at_this_scope.back();
+			out_of_scope_locals.insert(scope_locals.begin(), scope_locals.end());
+			locals_at_this_scope.pop_back();
+
+			set_location(@1, @5);
+			$$ = $4;
+			if ( $3 )
 			    script_coverage_mgr.DecIgnoreDepth();
 			}
 
@@ -1684,6 +1710,8 @@ stmt:
 	|	TOK_LOCAL local_id opt_type init_class opt_init opt_attr ';' opt_no_test
 			{
 			set_location(@1, @7);
+			if ( ! locals_at_this_scope.empty() )
+			       locals_at_this_scope.back().insert($2);
 			$$ = build_local($2, $3, $4, $5, $6, VAR_REGULAR, ! $8).release();
 			}
 

From 38c6c8f073aa9c62e0e9df6e80e97e3328424bb8 Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Sat, 25 Dec 2021 16:04:08 -0800
Subject: [PATCH 202/210] test suite update

---
 testing/btest/Baseline/language.uninitialized-local2/err | 1 +
 1 file changed, 1 insertion(+)

diff --git a/testing/btest/Baseline/language.uninitialized-local2/err b/testing/btest/Baseline/language.uninitialized-local2/err
index b7c6377f7b..ad64116f3d 100644
--- a/testing/btest/Baseline/language.uninitialized-local2/err
+++ b/testing/btest/Baseline/language.uninitialized-local2/err
@@ -1,2 +1,3 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+warning in <...>/uninitialized-local2.zeek, line 23: use of out-of-scope local var_b deprecated; move declaration to outer scope
 expression error in <...>/uninitialized-local2.zeek, line 23: value used but not set (var_b)

From 5a72864ae8572a80bcf80b24e851309f39bc0086 Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Sun, 2 Jan 2022 23:38:25 -0800
Subject: [PATCH 203/210] Docs/comment pass over the cluster controller
 framework

---
 .../frameworks/cluster/agent/__load__.zeek    |  5 +-
 .../policy/frameworks/cluster/agent/api.zeek  | 93 ++++++++++++++++---
 .../policy/frameworks/cluster/agent/boot.zeek |  6 ++
 .../frameworks/cluster/agent/config.zeek      | 76 ++++++++++-----
 .../policy/frameworks/cluster/agent/main.zeek |  5 +
 .../cluster/controller/__load__.zeek          |  5 +-
 .../frameworks/cluster/controller/api.zeek    | 79 ++++++++++++++--
 .../frameworks/cluster/controller/boot.zeek   |  7 ++
 .../frameworks/cluster/controller/config.zeek | 69 +++++++++-----
 .../frameworks/cluster/controller/log.zeek    | 29 +++++-
 .../frameworks/cluster/controller/main.zeek   |  5 +
 .../cluster/controller/request.zeek           | 49 +++++++++-
 .../frameworks/cluster/controller/types.zeek  | 62 +++++++------
 .../frameworks/cluster/controller/util.zeek   |  8 ++
 14 files changed, 395 insertions(+), 103 deletions(-)

diff --git a/scripts/policy/frameworks/cluster/agent/__load__.zeek b/scripts/policy/frameworks/cluster/agent/__load__.zeek
index 1db332f544..f7f36173f3 100644
--- a/scripts/policy/frameworks/cluster/agent/__load__.zeek
+++ b/scripts/policy/frameworks/cluster/agent/__load__.zeek
@@ -1,5 +1,4 @@
-# The entry point for the cluster agent. It only runs bootstrap logic for
-# launching via the Supervisor. If we're not running the Supervisor, this does
-# nothing.
+##! The entry point for the cluster agent. It runs bootstrap logic for launching
+##! the agent process via Zeek's Supervisor.
 
 @load ./boot
diff --git a/scripts/policy/frameworks/cluster/agent/api.zeek b/scripts/policy/frameworks/cluster/agent/api.zeek
index f570a93786..7957677457 100644
--- a/scripts/policy/frameworks/cluster/agent/api.zeek
+++ b/scripts/policy/frameworks/cluster/agent/api.zeek
@@ -1,45 +1,108 @@
+##! The event API of cluster agents. Most endpoints consist of event pairs,
+##! where the agent answers a request event with a corresponding response
+##! event. Such event pairs share the same name prefix and end in "_request" and
+##! "_response", respectively.
+
 @load base/frameworks/supervisor/control
 @load policy/frameworks/cluster/controller/types
 
 module ClusterAgent::API;
 
 export {
+	## A simple versioning scheme, used to track basic compatibility of
+	## controller and agent.
 	const version = 1;
 
+
 	# Agent API events
 
-	# The controller uses this event to convey a new cluster
-	# configuration to the agent. Once processed, the agent
-	# responds with the response event.
+	## The controller sends this event to convey a new cluster configuration
+	## to the agent. Once processed, the agent responds with the response
+	## event.
+	##
+	## reqid: a request identifier string, echoed in the response event.
+	##
+	## config: a :zeek:see:`ClusterController::Types::Configuration` record
+	##     describing the cluster topology. Note that this contains the full
+	##     topology, not just the part pertaining to this agent. That's because
+	##     the cluster framework requires full cluster visibility to establish
+	##     the needed peerings.
+	##
 	global set_configuration_request: event(reqid: string,
 	    config: ClusterController::Types::Configuration);
+
+	## Response to a set_configuration_request event. The agent sends
+	## this back to the controller.
+	##
+	## reqid: the request identifier used in the request event.
+	##
+	## result: the result record.
+	##
 	global set_configuration_response: event(reqid: string,
 	    result: ClusterController::Types::Result);
 
-	# The controller uses this event to confirm to the agent
-	# that it is part of the current cluster. The agent
-	# acknowledges with the response event.
+
+	## The controller sends this event to confirm to the agent that it is
+	## part of the current cluster topology. The agent acknowledges with the
+	## corresponding response event.
+	##
+	## reqid: a request identifier string, echoed in the response event.
+	##
 	global agent_welcome_request: event(reqid: string);
+
+	## Response to an agent_welcome_request event. The agent sends this
+	## back to the controller.
+	##
+	## reqid: the request identifier used in the request event.
+	##
+	## result: the result record.
+	##
 	global agent_welcome_response: event(reqid: string,
 	    result: ClusterController::Types::Result);
 
-	# The controller sends this event to convey that the agent is not
-	# currently required. This status may later change, depending on
-	# updates from the client, so the peering can remain active. The
-	# agent releases any cluster-related resources when processing the
-	# request.
+
+	## The controller sends this event to convey that the agent is not
+	## currently required. This status may later change, depending on
+	## updates from the client, so the Broker-level peering can remain
+	## active. The agent releases any cluster-related resources (including
+	## shutdown of existing Zeek cluster nodes) when processing the request,
+	## and confirms via the response event. Shutting down an agent at this
+	## point has no operational impact on the running cluster.
+	##
+	## reqid: a request identifier string, echoed in the response event.
+	##
 	global agent_standby_request: event(reqid: string);
+
+	## Response to an agent_standby_request event. The agent sends this
+	## back to the controller.
+	##
+	## reqid: the request identifier used in the request event.
+	##
+	## result: the result record.
+	##
 	global agent_standby_response: event(reqid: string,
 	    result: ClusterController::Types::Result);
 
+
 	# Notification events, agent -> controller
 
-	# The agent sends this upon peering as a "check in", informing the
-	# controller that an agent of the given name is now available to
-	# communicate with.
+	## The agent sends this event upon peering as a "check-in", informing
+	## the controller that an agent of the given name is now available to
+	## communicate with. It is a controller-level equivalent of
+	## `:zeek:see:`Broker::peer_added`.
+	##
+	## instance: an instance name, really the agent's name as per :zeek:see:`ClusterAgent::name`.
+	##
+	## host: the IP address of the agent. (This may change in the future.)
+	##
+	## api_version: the API version of this agent.
+	##
 	global notify_agent_hello: event(instance: string, host: addr,
 	    api_version: count);
 
+
+	# The following are not yet implemented.
+
 	# Report node state changes.
 	global notify_change: event(instance: string,
 	    n: ClusterController::Types::Node,
@@ -51,4 +114,4 @@ export {
 
 	# Report informational message.
 	global notify_log: event(instance: string, msg: string, node: string &default="");
-}
+	}
diff --git a/scripts/policy/frameworks/cluster/agent/boot.zeek b/scripts/policy/frameworks/cluster/agent/boot.zeek
index 3eed5f6dd9..daff5b2d24 100644
--- a/scripts/policy/frameworks/cluster/agent/boot.zeek
+++ b/scripts/policy/frameworks/cluster/agent/boot.zeek
@@ -1,3 +1,9 @@
+##! The cluster agent boot logic runs in Zeek's supervisor and instructs it to
+##! launch an agent process. The agent's main logic resides in main.zeek,
+##! similarly to other frameworks. The new process will execute that script.
+##!
+##! If the current process is not the Zeek supervisor, this does nothing.
+
 @load ./config
 
 # The agent needs the supervisor to listen for node management requests.  We
diff --git a/scripts/policy/frameworks/cluster/agent/config.zeek b/scripts/policy/frameworks/cluster/agent/config.zeek
index 464f1e485c..732dc39450 100644
--- a/scripts/policy/frameworks/cluster/agent/config.zeek
+++ b/scripts/policy/frameworks/cluster/agent/config.zeek
@@ -1,51 +1,83 @@
+##! Configuration settings for a cluster agent.
+
 @load policy/frameworks/cluster/controller/types
 
 module ClusterAgent;
 
 export {
-	# The name this agent uses to represent the cluster instance
-	# it manages. When the environment variable isn't set and there's,
-	# no redef, this falls back to "agent-<hostname>".
+	## The name this agent uses to represent the cluster instance it
+	## manages. Defaults to the value of the ZEEK_AGENT_NAME environment
+	## variable. When that is unset and you don't redef the value,
+	## the implementation defaults to "agent-<hostname>".
 	const name = getenv("ZEEK_AGENT_NAME") &redef;
 
-	# Agent stdout/stderr log files to produce in Zeek's working
-	# directory. If empty, no such logs will result. The actual
-	# log files have the agent's name (as per above) dot-prefixed.
+	## Agent stdout log configuration. If the string is non-empty, Zeek will
+	## produce a free-form log (i.e., not one governed by Zeek's logging
+	## framework) in Zeek's working directory. The final log's name is
+	## "<name>.<suffix>", where the name is taken from :zeek:see:`ClusterAgent::name`,
+	## and the suffix is defined by the following variable. If left empty,
+	## no such log results.
+	##
+	## Note that the agent also establishes a "proper" Zeek log via the
+	## :zeek:see:`ClusterController::Log` module.
 	const stdout_file_suffix = "agent.stdout" &redef;
+
+	## Agent stderr log configuration. Like :zeek:see:`ClusterAgent::stdout_file_suffix`,
+	## but for the stderr stream.
 	const stderr_file_suffix = "agent.stderr" &redef;
 
-	# The address and port the agent listens on. When
-	# undefined, falls back to configurable default values.
+	## The network address the agent listens on. This only takes effect if
+	## the agent isn't configured to connect to the controller (see
+	## :zeek:see:`ClusterAgent::controller`). By default this uses the value of the
+	## ZEEK_AGENT_ADDR environment variable, but you may also redef to
+	## a specific value. When empty, the implementation falls back to
+	## :zeek:see:`ClusterAgent::default_address`.
 	const listen_address = getenv("ZEEK_AGENT_ADDR") &redef;
+
+	## The fallback listen address if :zeek:see:`ClusterAgent::listen_address`
+	## remains empty. Unless redefined, this uses Broker's own default listen
+	## address.
 	const default_address = Broker::default_listen_address &redef;
 
+	## The network port the agent listens on. Counterpart to
+	## :zeek:see:`ClusterAgent::listen_address`, defaulting to the ZEEK_AGENT_PORT
+	## environment variable.
 	const listen_port = getenv("ZEEK_AGENT_PORT") &redef;
+
+	## The fallback listen port if :zeek:see:`ClusterAgent::listen_port` remains empty.
 	const default_port = 2151/tcp &redef;
 
-	# The agent communicates under to following topic prefix,
-	# suffixed with "/<name>" (see above):
+	## The agent's Broker topic prefix. For its own communication, the agent
+	## suffixes this with "/<name>", based on :zeek:see:`ClusterAgent::name`.
 	const topic_prefix = "zeek/cluster-control/agent" &redef;
 
-	# The coordinates of the controller. When defined, it means
-	# agents peer with (connect to) the controller; otherwise the
-	# controller knows all agents and peers with them.
+	## The network coordinates of the controller. When defined, the agent
+	## peers with (and connects to) the controller; otherwise the controller
+	## will peer (and connect to) the agent, listening as defined by
+	## :zeek:see:`ClusterAgent::listen_address` and :zeek:see:`ClusterAgent::listen_port`.
 	const controller: Broker::NetworkInfo = [
 		$address="0.0.0.0", $bound_port=0/unknown] &redef;
 
-	# Agent and controller currently log only, not via the data cluster's
-	# logger. (This might get added later.) For now, this means that
-	# if both write to the same log file, it gets garbled. The following
-	# lets you specify the working directory specifically for the agent.
+	## An optional custom output directory for the agent's stdout and stderr
+	## logs. Agent and controller currently only log locally, not via the
+	## data cluster's logger node. (This might change in the future.) This
+	## means that if both write to the same log file, the output gets
+	## garbled.
 	const directory = "" &redef;
 
-	# Working directory for data cluster nodes. When relative, note
-	# that this will apply from the working directory of the agent,
-	# since it creates data cluster nodes.
+	## The working directory for data cluster nodes created by this
+	## agent. If you make this a relative path, note that the path is
+	## relative to the agent's working directory, since it creates data
+	## cluster nodes.
 	const cluster_directory = "" &redef;
 
-	# The following functions return the effective network endpoint
-	# information for this agent, in two related forms.
+	## Returns a :zeek:see:`ClusterController::Types::Instance` describing this
+	## instance (its agent name plus listening address/port, as applicable).
 	global instance: function(): ClusterController::Types::Instance;
+
+	## Returns a :zeek:see:`Broker::EndpointInfo` record for this instance.
+	## Similar to :zeek:see:`ClusterAgent::instance`, but with slightly different
+	## data format.
 	global endpoint_info: function(): Broker::EndpointInfo;
 }
 
diff --git a/scripts/policy/frameworks/cluster/agent/main.zeek b/scripts/policy/frameworks/cluster/agent/main.zeek
index fd0bee533e..f545186304 100644
--- a/scripts/policy/frameworks/cluster/agent/main.zeek
+++ b/scripts/policy/frameworks/cluster/agent/main.zeek
@@ -1,3 +1,8 @@
+##! This is the main "runtime" of a cluster agent. Zeek does not load this
+##! directly; rather, the agent's bootstrapping module (in ./boot.zeek)
+##! specifies it as the script to run in the node newly created via Zeek's
+##! supervisor.
+
 @load base/frameworks/broker
 
 @load policy/frameworks/cluster/controller/config
diff --git a/scripts/policy/frameworks/cluster/controller/__load__.zeek b/scripts/policy/frameworks/cluster/controller/__load__.zeek
index c88fde804b..6cd1dc789d 100644
--- a/scripts/policy/frameworks/cluster/controller/__load__.zeek
+++ b/scripts/policy/frameworks/cluster/controller/__load__.zeek
@@ -1,5 +1,4 @@
-# The entry point for the cluster controller. It only runs bootstrap logic for
-# launching via the Supervisor. If we're not running the Supervisor, this does
-# nothing.
+##! The entry point for the cluster controller. It runs bootstrap logic for
+##! launching the controller process via Zeek's Supervisor.
 
 @load ./boot
diff --git a/scripts/policy/frameworks/cluster/controller/api.zeek b/scripts/policy/frameworks/cluster/controller/api.zeek
index 0cd1f49558..27c41d33ff 100644
--- a/scripts/policy/frameworks/cluster/controller/api.zeek
+++ b/scripts/policy/frameworks/cluster/controller/api.zeek
@@ -1,31 +1,96 @@
+##! The event API of cluster controllers. Most endpoints consist of event pairs,
+##! where the controller answers a zeek-client request event with a
+##! corresponding response event. Such event pairs share the same name prefix
+##! and end in "_request" and "_response", respectively.
+
 @load ./types
 
 module ClusterController::API;
 
 export {
+	## A simple versioning scheme, used to track basic compatibility of
+	## controller, agents, and zeek-client.
 	const version = 1;
 
-	# Triggered when the operational instances align with desired ones, as
-	# defined by the latest cluster config sent by the client.
-	global notify_agents_ready: event(instances: set[string]);
 
+	## zeek-client sends this event to request a list of the currently
+	## peered agents/instances.
+	##
+	## reqid: a request identifier string, echoed in the response event.
+	##
 	global get_instances_request: event(reqid: string);
+
+	## Response to a get_instances_request event. The controller sends
+	## this back to the client.
+	##
+	## reqid: the request identifier used in the request event.
+	##
+	## result: the result record. Its data member is a
+	##     :zeek:see:`ClusterController::Types::Instance` record.
+	##
 	global get_instances_response: event(reqid: string,
 	    result: ClusterController::Types::Result);
 
+
+	## zeek-client sends this event to establish a new cluster configuration,
+	## including the full cluster topology. The controller processes the update
+	## and relays it to the agents. Once each has responded (or a timeout occurs)
+	## the controller sends a corresponding response event back to the client.
+	##
+	## reqid: a request identifier string, echoed in the response event.
+	##
+	## config: a :zeek:see:`ClusterController::Types::Configuration` record
+	##     specifying the cluster configuration.
+	##
 	global set_configuration_request: event(reqid: string,
 	    config: ClusterController::Types::Configuration);
+
+	## Response to a set_configuration_request event. The controller sends
+	## this back to the client.
+	##
+	## reqid: the request identifier used in the request event.
+	##
+	## result: a vector of :zeek:see:`ClusterController::Types::Result` records.
+	##     Each member captures one agent's response.
+	##
 	global set_configuration_response: event(reqid: string,
 	    result: ClusterController::Types::ResultVec);
 
+
 	# Testing events. These don't provide operational value but expose
 	# internal functionality, triggered by test cases.
 
-	# This event causes no further action (other than getting logged) if
-	# set_state is F. When T, the controller establishes request state. The
-	# conroller only ever sends the response event when this state times
-	# out.
+	## This event causes no further action (other than getting logged) if
+	## with_state is F. When T, the controller establishes request state, and
+	## the controller only ever sends the response event when this state times
+	## out.
+	##
+	## reqid: a request identifier string, echoed in the response event when
+	##     with_state is T.
+	##
+	## with_state: flag indicating whether the controller should keep (and
+	##     time out) request state for this request.
+	##
 	global test_timeout_request: event(reqid: string, with_state: bool);
+
+	## Response to a test_timeout_request event. The controller sends this
+	## back to the client if the original request had the with_state flag.
+	##
+	## reqid: the request identifier used in the request event.
+	##
 	global test_timeout_response: event(reqid: string,
 	    result: ClusterController::Types::Result);
+
+
+	# Notification events, agent -> controller
+
+	## The controller triggers this event when the operational cluster
+	## instances align with the ones desired by the cluster
+	## configuration. It's essentially a cluster management readiness
+	## event. This event is currently only used by the controller and not
+	## published to other topics.
+	##
+	## instances: the set of instance names now ready.
+	##
+	global notify_agents_ready: event(instances: set[string]);
 	}
diff --git a/scripts/policy/frameworks/cluster/controller/boot.zeek b/scripts/policy/frameworks/cluster/controller/boot.zeek
index 9d23731946..f06a560760 100644
--- a/scripts/policy/frameworks/cluster/controller/boot.zeek
+++ b/scripts/policy/frameworks/cluster/controller/boot.zeek
@@ -1,3 +1,10 @@
+##! The cluster controller's boot logic runs in Zeek's supervisor and instructs
+##! it to launch the controller process. The controller's main logic resides in
+##! main.zeek, similarly to other frameworks. The new process will execute that
+##! script.
+##!
+##! If the current process is not the Zeek supervisor, this does nothing.
+
 @load ./config
 
 event zeek_init()
diff --git a/scripts/policy/frameworks/cluster/controller/config.zeek b/scripts/policy/frameworks/cluster/controller/config.zeek
index 0d559b0b64..de4e570115 100644
--- a/scripts/policy/frameworks/cluster/controller/config.zeek
+++ b/scripts/policy/frameworks/cluster/controller/config.zeek
@@ -1,51 +1,78 @@
+##! Configuration settings for the cluster controller.
+
 @load policy/frameworks/cluster/agent/config
 
 module ClusterController;
 
 export {
-	# The name of this controller in the cluster.
-	# Without the environment variable and no redef, this
-	# falls back to "controller-<hostname>".
+	## The name of this controller. Defaults to the value of the
+	## ZEEK_CONTROLLER_NAME environment variable. When that is unset and the
+	## user doesn't redef the value, the implementation defaults to
+	## "controller-<hostname>".
 	const name = getenv("ZEEK_CONTROLLER_NAME") &redef;
 
-	# Controller stdout/stderr log files to produce in Zeek's
-	# working directory. If empty, no such logs will result.
+	## The controller's stdout log name. If the string is non-empty, Zeek will
+	## produce a free-form log (i.e., not one governed by Zeek's logging
+	## framework) in Zeek's working directory. If left empty, no such log
+	## results.
+	##
+	## Note that the controller also establishes a "proper" Zeek log via the
+	## :zeek:see:`ClusterController::Log` module.
 	const stdout_file = "controller.stdout" &redef;
+
+	## The controller's stderr log name. Like :zeek:see:`ClusterController::stdout_file`,
+	## but for the stderr stream.
 	const stderr_file = "controller.stderr" &redef;
 
-	# The address and port the controller listens on. When
-	# undefined, falls back to the default_address, which you can
-	# likewise customize.
+	## The network address the controller listens on. By default this uses
+	## the value of the ZEEK_CONTROLLER_ADDR environment variable, but you
+	## may also redef to a specific value. When empty, the implementation
+	## falls back to :zeek:see:`ClusterController::default_address`.
 	const listen_address = getenv("ZEEK_CONTROLLER_ADDR") &redef;
+
+	## The fallback listen address if :zeek:see:`ClusterController::listen_address`
+	## remains empty. Unless redefined, this uses Broker's own default
+	## listen address.
 	const default_address = Broker::default_listen_address &redef;
 
+	## The network port the controller listens on. Counterpart to
+	## :zeek:see:`ClusterController::listen_address`, defaulting to the
+	## ZEEK_CONTROLLER_PORT environment variable.
 	const listen_port = getenv("ZEEK_CONTROLLER_PORT") &redef;
+
+	## The fallback listen port if :zeek:see:`ClusterController::listen_port`
+	## remains empty.
 	const default_port = 2150/tcp &redef;
 
-	# A more aggressive default retry interval (vs default 30s)
+	## The controller's connect retry interval. Defaults to a more
+	## aggressive value compared to Broker's 30s.
 	const connect_retry = 1sec &redef;
 
-	# The controller listens for messages on this topic:
+	## The controller's Broker topic. Clients send requests to this topic.
 	const topic = "zeek/cluster-control/controller" &redef;
 
-	# The role of this node in cluster management. Agent and
-	# controller both redef this. Used during logging.
+	## The role of this process in cluster management. Agent and controller
+	## both redefine this. Used during logging.
 	const role = ClusterController::Types::NONE &redef;
 
-	# The timeout for request state. Applies both to state kept for client
-	# requests, as well as state in the agents for requests to the
-	# supervisor.
+	## The timeout for request state. Such state (see the :zeek:see:`ClusterController::Request`
+	## module) ties together request and response event pairs. The timeout causes
+	## its cleanup in the absence of a timely response. It applies both to
+	## state kept for client requests, as well as state in the agents for
+	## requests to the supervisor.
 	const request_timeout = 10sec &redef;
 
-	# Agent and controller currently log only, not via the data cluster's
-	# logger. (This might get added later.) For now, this means that
-	# if both write to the same log file, it gets garbled. The following
-	# lets you specify the working directory specifically for the agent.
+	## An optional custom output directory for the controller's stdout and
+	## stderr logs. Agent and controller currently only log locally, not via
+	## the data cluster's logger node. (This might change in the future.)
+	## This means that if both write to the same log file, the output gets
+	## garbled.
 	const directory = "" &redef;
 
-	# The following functions return the effective network endpoint
-	# information for this controller, in two related forms.
+	## Returns a :zeek:see:`Broker::NetworkInfo` record describing the controller.
 	global network_info: function(): Broker::NetworkInfo;
+
+	## Returns a :zeek:see:`Broker::EndpointInfo` record describing the controller.
 	global endpoint_info: function(): Broker::EndpointInfo;
 }
 
diff --git a/scripts/policy/frameworks/cluster/controller/log.zeek b/scripts/policy/frameworks/cluster/controller/log.zeek
index a0970728e8..a7525dec0c 100644
--- a/scripts/policy/frameworks/cluster/controller/log.zeek
+++ b/scripts/policy/frameworks/cluster/controller/log.zeek
@@ -1,3 +1,8 @@
+##! This module implements straightforward logging abilities for cluster
+##! controller and agent. It uses Zeek's logging framework, and works only for
+##! nodes managed by the supervisor. In this setting Zeek's logging framework
+##! operates locally, i.e., this logging does not involve any logger nodes.
+
 @load ./config
 
 module ClusterController::Log;
@@ -9,6 +14,7 @@ export {
 	## A default logging policy hook for the stream.
 	global log_policy: Log::PolicyHook;
 
+	## The controller/agent log supports four different log levels.
 	type Level: enum {
 		DEBUG,
 		INFO,
@@ -16,7 +22,7 @@ export {
 		ERROR,
 	};
 
-	## The record type which contains the column fields of the cluster log.
+	## The record type containing the column fields of the agent/controller log.
 	type Info: record {
 		## The time at which a cluster message was generated.
 		ts:       time;
@@ -30,11 +36,32 @@ export {
 		message:  string;
 	} &log;
 
+	## The log level in use for this node.
 	global log_level = DEBUG &redef;
 
+	## A debug-level log message writer.
+	##
+	## message: the message to log.
+	##
 	global debug: function(message: string);
+
+	## An info-level log message writer.
+	##
+	## message: the message to log.
+	##
 	global info: function(message: string);
+
+	## A warning-level log message writer.
+	##
+	## message: the message to log.
+	##
 	global warning: function(message: string);
+
+	## An error-level log message writer. (This only logs a message, it does not
+	## terminate Zeek or have other runtime effects.)
+	##
+	## message: the message to log.
+	##
 	global error: function(message: string);
 }
 
diff --git a/scripts/policy/frameworks/cluster/controller/main.zeek b/scripts/policy/frameworks/cluster/controller/main.zeek
index c9df650e4c..33e0456049 100644
--- a/scripts/policy/frameworks/cluster/controller/main.zeek
+++ b/scripts/policy/frameworks/cluster/controller/main.zeek
@@ -1,3 +1,8 @@
+##! This is the main "runtime" of the cluster controller. Zeek does not load
+##! this directly; rather, the controller's bootstrapping module (in ./boot.zeek)
+##! specifies it as the script to run in the node newly created via Zeek's
+##! supervisor.
+
 @load base/frameworks/broker
 
 @load policy/frameworks/cluster/agent/config
diff --git a/scripts/policy/frameworks/cluster/controller/request.zeek b/scripts/policy/frameworks/cluster/controller/request.zeek
index b6735d79ba..202a615e6b 100644
--- a/scripts/policy/frameworks/cluster/controller/request.zeek
+++ b/scripts/policy/frameworks/cluster/controller/request.zeek
@@ -1,11 +1,22 @@
+##! This module implements a request state abstraction that both cluster
+##! controller and agent use to tie responses to received request events and be
+##! able to time-out such requests.
+
 @load ./types
 @load ./config
 
 module ClusterController::Request;
 
 export {
+	## Request records track each request's state.
 	type Request: record {
+		## Each request has a hopfully unique ID provided by the requester.
 		id: string;
+
+		## For requests that result based upon another request (such as when
+		## the controller sends requests to agents based on a request it
+		## received by the client), this specifies that original, "parent"
+		## request.
 		parent_id: string &optional;
 	};
 
@@ -30,7 +41,7 @@ export {
 	};
 
 	# The redef is a workaround so we can use the Request type
-	# while it is still being defined
+	# while it is still being defined.
 	redef record Request += {
 		results: ClusterController::Types::ResultVec &default=vector();
 		finished: bool &default=F;
@@ -40,15 +51,51 @@ export {
 		test_state: TestState &optional;
 	};
 
+	## A token request that serves as a null/nonexistant request.
 	global null_req = Request($id="", $finished=T);
 
+	## This function establishes request state.
+	##
+	## reqid: the identifier to use for the request.
+	##
 	global create: function(reqid: string &default=unique_id("")): Request;
+
+	## This function looks up the request for a given request ID and returns
+	## it. When no such request exists, returns ClusterController::Request::null_req.
+	##
+	## reqid: the ID of the request state to retrieve.
+	##
 	global lookup: function(reqid: string): Request;
+
+	## This function marks a request as complete and causes Zeek to release
+	## its internal state. When the request does not exist, this does
+	## nothing.
+	##
+	## reqid: the ID of the request state to releaase.
+	##
 	global finish: function(reqid: string): bool;
 
+	## This event fires when a request times out (as per the
+	## ClusterController::request_timeout) before it has been finished via
+	## ClusterController::Request::finish().
+	##
+	## req: the request state that is expiring.
+	##
 	global request_expired: event(req: Request);
 
+	## This function is a helper predicate to indicate whether a given
+	## request is null.
+	##
+	## request: a Request record to check.
+	##
+	## Returns: T if the given request matches the null_req instance, F otherwise.
+	##
 	global is_null: function(request: Request): bool;
+
+	## For troubleshooting, this function renders a request record to a string.
+	##
+	## request: the request to render.
+	##
 	global to_string: function(request: Request): string;
 }
 
diff --git a/scripts/policy/frameworks/cluster/controller/types.zeek b/scripts/policy/frameworks/cluster/controller/types.zeek
index a54f6069ed..9d7bc82e3c 100644
--- a/scripts/policy/frameworks/cluster/controller/types.zeek
+++ b/scripts/policy/frameworks/cluster/controller/types.zeek
@@ -1,4 +1,6 @@
-# Types for the Cluster Controller framework. These are used by both agent and controller.
+##! This module holds the basic types needed for the Cluster Controller
+##! framework. These are used by both agent and controller, and several
+##! have corresponding equals in the zeek-client implementation.
 
 module ClusterController::Types;
 
@@ -14,19 +16,19 @@ export {
 
 	## A Zeek-side option with value.
 	type Option: record {
-		name: string;  # Name of option
-		value: string; # Value of option
+		name: string;  ##< Name of option
+		value: string; ##< Value of option
 	};
 
 	## Configuration describing a Zeek instance running a Cluster
 	## Agent. Normally, there'll be one instance per cluster
 	## system: a single physical system.
 	type Instance: record {
-		# Unique, human-readable instance name
+		## Unique, human-readable instance name
 		name: string;
-		# IP address of system
+		## IP address of system
 		host: addr;
-		# Agent listening port. Not needed if agents connect to controller.
+		## Agent listening port. Not needed if agents connect to controller.
 		listen_port: port &optional;
 	};
 
@@ -35,30 +37,30 @@ export {
 	## State that a Cluster Node can be in. State changes trigger an
 	## API notification (see notify_change()).
 	type State: enum {
-		Running,  # Running and operating normally
-		Stopped,  # Explicitly stopped
-		Failed,   # Failed to start; and permanently halted
-		Crashed,  # Crashed, will be restarted,
-		Unknown,  # State not known currently (e.g., because of lost connectivity)
+		Running,  ##< Running and operating normally
+		Stopped,  ##< Explicitly stopped
+		Failed,   ##< Failed to start; and permanently halted
+		Crashed,  ##< Crashed, will be restarted,
+		Unknown,  ##< State not known currently (e.g., because of lost connectivity)
 	};
 
 	## Configuration describing a Cluster Node process.
 	type Node: record {
-		name: string;                        # Cluster-unique, human-readable node name
-		instance: string;                    # Name of instance where node is to run
-		p: port;                             # Port on which this node will listen
-		role: Supervisor::ClusterRole;       # Role of the node.
-		state: State;                        # Desired, or current, run state.
-		scripts: vector of string &optional; # Additional Zeek scripts for node
-		options: set[Option] &optional;      # Zeek options for node
-		interface: string &optional;         # Interface to sniff
-		cpu_affinity: int &optional;         # CPU/core number to pin to
-		env: table[string] of string &default=table(); # Custom environment vars
+		name: string;                        ##< Cluster-unique, human-readable node name
+		instance: string;                    ##< Name of instance where node is to run
+		p: port;                             ##< Port on which this node will listen
+		role: Supervisor::ClusterRole;       ##< Role of the node.
+		state: State;                        ##< Desired, or current, run state.
+		scripts: vector of string &optional; ##< Additional Zeek scripts for node
+		options: set[Option] &optional;      ##< Zeek options for node
+		interface: string &optional;         ##< Interface to sniff
+		cpu_affinity: int &optional;         ##< CPU/core number to pin to
+		env: table[string] of string &default=table(); ##< Custom environment vars
 	};
 
-	# Data structure capturing a cluster's complete configuration.
+	## Data structure capturing a cluster's complete configuration.
 	type Configuration: record {
-		id: string &default=unique_id(""); # Unique identifier for a particular configuration
+		id: string &default=unique_id(""); ##< Unique identifier for a particular configuration
 
 		## The instances in the cluster.
 		instances: set[Instance] &default=set();
@@ -67,14 +69,14 @@ export {
 		nodes: set[Node] &default=set();
 	};
 
-	# Return value for request-response API event pairs
+	## Return value for request-response API event pairs
 	type Result: record {
-		reqid: string;                # Request ID of operation this result refers to
-		instance: string &default=""; # Name of associated instance (for context)
-		success: bool &default=T;     # True if successful
-		data: any &optional;          # Addl data returned for successful operation
-		error: string &default="";    # Descriptive error on failure
-		node: string &optional;       # Name of associated node (for context)
+		reqid: string;                ##< Request ID of operation this result refers to
+		instance: string &default=""; ##< Name of associated instance (for context)
+		success: bool &default=T;     ##< True if successful
+		data: any &optional;          ##< Addl data returned for successful operation
+		error: string &default="";    ##< Descriptive error on failure
+		node: string &optional;       ##< Name of associated node (for context)
 	};
 
 	type ResultVec: vector of Result;
diff --git a/scripts/policy/frameworks/cluster/controller/util.zeek b/scripts/policy/frameworks/cluster/controller/util.zeek
index cfc87d6b63..0329438f2f 100644
--- a/scripts/policy/frameworks/cluster/controller/util.zeek
+++ b/scripts/policy/frameworks/cluster/controller/util.zeek
@@ -1,6 +1,14 @@
+##! Utility functions for the cluster controller framework, available to agent
+##! and controller.
+
 module ClusterController::Util;
 
 export {
+	## Renders a set of strings to an alphabetically sorted vector.
+	##
+	## ss: the string set to convert.
+	##
+	## Returns: the vector of all strings in ss.
 	global set_to_vector: function(ss: set[string]): vector of string;
 }
 

From aee333cc6244c30f4473ad82728b5b33c070bbef Mon Sep 17 00:00:00 2001
From: Vern Paxson <vern@corelight.com>
Date: Mon, 3 Jan 2022 11:24:18 -0800
Subject: [PATCH 204/210] added notice of deprecation to NEWS

---
 NEWS | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/NEWS b/NEWS
index 06c03755ca..7be70ac69b 100644
--- a/NEWS
+++ b/NEWS
@@ -159,6 +159,27 @@ Deprecated Functionality
   replaced by ``analyzer_confirmation`` and ``analyzer_violation`` which can
   also now be implemented in packet analyzers.
 
+- Declaring a local variable in an inner scope and then accessing it in an
+  outer scope is now deprecated.  For example,
+
+	if ( foo() )
+		{
+		local a = 5;
+		...
+		}
+	print a;
+
+  is deprecated.  You can address the issue by hoisting the declaration
+  to the outer scope, such as:
+
+	local a: count;
+	if ( foo() )
+		{
+		a = 5;
+		...
+		}
+	print a;
+
 Zeek 4.1.0
 ==========
 

From 8a61a3689e70228aabf99ce52dc73d95cd546033 Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Mon, 3 Jan 2022 11:54:53 -0800
Subject: [PATCH 205/210] Updating CHANGES, VERSION, and NEWS.

---
 CHANGES | 18 ++++++++++++++++++
 NEWS    | 18 ++++++++++++++++++
 VERSION |  2 +-
 3 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index 02bcc297d3..e16f836de0 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,21 @@
+4.2.0-dev.506 | 2022-01-03 09:33:43 -0800
+
+  * Expansion of the emerging cluster controller framework (Christian Kreibich, Corelight)
+
+    - Controller/agent connectivity is now controlled by pushed configurations
+    - The Request module now supports state timeouts
+    - Use Result records consistently for responses to the client
+    - Track successful config deployment in cluster controller
+    - Add ClusterController::API::notify_agents_ready event
+    - Make all globals start with a "g_" prefix
+    - Add missing debug() log function to log module's API
+    - Add separate utility module for controller and agent
+    - Additional infrastructure for printing types
+    - Bump zeek-client to v0.2.0
+    - Add Github action job for cluster tests
+    - Tweak Docker image configure invocation to include zeek-client
+    - Zeekygen documentation pass
+
 4.2.0-dev.477 | 2021-12-14 16:53:57 -0700
 
   * fixes for double-delete and reducing '?' operator with constant alternatives (Vern Paxson, Corelight)
diff --git a/NEWS b/NEWS
index 06c03755ca..bca990b9b9 100644
--- a/NEWS
+++ b/NEWS
@@ -112,6 +112,12 @@ New Functionality
   fields, with a "null" value. This simplifies data import use cases that
   require fields to be present at all times, regardless of their value.
 
+- A new external testsuite, https://github.com/zeek/zeek-testing-cluster,
+  focuses on testing the emerging controller framework. It leverages the new
+  official Zeek Docker image for building docker-compose test setups, driven via
+  btest. The Github CI setup now includes a workflow that deploys and runs this
+  testsuite.
+
 Changed Functionality
 ---------------------
 
@@ -147,6 +153,18 @@ Changed Functionality
   --enable-cpp-tests configure flag. Unit tests now also work in (static and
   dynamic) Zeek plugins.
 
+- This release expands the emerging cluster controller framework. Most changes
+  concern internals of the framework. Agent/controller connectivity management
+  has become more flexible: configuration updates pushed by the client can now
+  convey the agent topology, removing the need to hardwire/redef settings
+  in the controller. The new ClusterController::API::notify_agents_ready event
+  declares the management infrastructure ready for use. zeek-client's CLI has
+  expanded to support the new functionality.
+
+  The framework is still experimental and provides only a small subset of
+  ZeekControl's functionality. ZeekControl remains the recommended tool for
+  maintaining your cluster.
+
 Removed Functionality
 ---------------------
 
diff --git a/VERSION b/VERSION
index b0dcd5d6b8..5295d20f31 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-4.2.0-dev.477
+4.2.0-dev.506

From 326ea471588e861b6256391ce2c423518f333471 Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Mon, 3 Jan 2022 12:59:21 -0800
Subject: [PATCH 206/210] Update doc submodule [nomail] [skip ci]

---
 doc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc b/doc
index 055ae234e6..b8ae1f3362 160000
--- a/doc
+++ b/doc
@@ -1 +1 @@
-Subproject commit 055ae234e6944a6bc20c3c758ef8442875d5f986
+Subproject commit b8ae1f336272371d6c46fda133e472a075f69e3d

From 078d58e17a567afb57efbbb5c3352d9334158cff Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Tue, 4 Jan 2022 09:42:50 -0700
Subject: [PATCH 207/210] Update NEWS prior to 4.2 branching [skip ci] [nomail]

---
 NEWS | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)

diff --git a/NEWS b/NEWS
index f40bec8061..49f003d071 100644
--- a/NEWS
+++ b/NEWS
@@ -33,13 +33,9 @@ New Functionality
   example to build a Zeek plugin. You can add any required system packages in a
   derived image, or install them directly in the running container.
 
-- Zeek now supports formatting the C++ code using clang-format. It requires at
-  least clang-format 12.0.1 due to some additions that were made in that version
-  to better support the Whitesmiths style. Zeek also includes a set of python
-  scripts to more easily reformat in the auxil/run-clang-format directory. An
-  example command to reformat the code:
-
-  `python3 auxil/run-clang-format/run-clang-format.py --clang-format-executable `which clang-format-12` -r src -i`
+- Zeek now supports formatting the C++ code using clang-format. Also provided is
+  a configuration for ``pre-commit`` to run clang-format when add new commits via
+  ``git``. More details can be found at https://github.com/zeek/zeek/wiki/Coding-Style-and-Conventions#clang-format.
 
 - Experimental support for speeding up Zeek script execution by compiling
   scripts to a low-level form called "ZAM".  You activate this feature by
@@ -118,6 +114,8 @@ New Functionality
   btest. The Github CI setup now includes a workflow that deploys and runs this
   testsuite.
 
+- The GRE analyzer now supports the Aruba WLAN protocol type.
+
 Changed Functionality
 ---------------------
 
@@ -165,9 +163,6 @@ Changed Functionality
   ZeekControl's functionality. ZeekControl remains the recommended tool for
   maintaining your cluster.
 
-Removed Functionality
----------------------
-
 Deprecated Functionality
 ------------------------
 

From e58696483731d0f90fcabbfd939151ff3f7a19d0 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Tue, 4 Jan 2022 10:10:12 -0700
Subject: [PATCH 208/210] Update submodules to latest (new) release tags [skip
 ci] [nomail]

---
 auxil/bifcl    | 2 +-
 auxil/broker   | 2 +-
 auxil/zeek-aux | 2 +-
 auxil/zeekctl  | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/auxil/bifcl b/auxil/bifcl
index 5738d319c1..a7d9233b37 160000
--- a/auxil/bifcl
+++ b/auxil/bifcl
@@ -1 +1 @@
-Subproject commit 5738d319c180fbfc9e910b6d52a47e61a0354be5
+Subproject commit a7d9233b37daac558314625566bb8c8a993f2904
diff --git a/auxil/broker b/auxil/broker
index 07f42c7c77..d9e8440053 160000
--- a/auxil/broker
+++ b/auxil/broker
@@ -1 +1 @@
-Subproject commit 07f42c7c772b1fd79385466584f8322905f981d8
+Subproject commit d9e84400534b968e33ab01cfadfb569c0d7b2929
diff --git a/auxil/zeek-aux b/auxil/zeek-aux
index b727e896a7..12be5e3e51 160000
--- a/auxil/zeek-aux
+++ b/auxil/zeek-aux
@@ -1 +1 @@
-Subproject commit b727e896a78e7bab6a8b02951a72b21450c3b450
+Subproject commit 12be5e3e51a4a97ab3aa0fa4a02da194a83c7f24
diff --git a/auxil/zeekctl b/auxil/zeekctl
index f02f0c452c..95b048298a 160000
--- a/auxil/zeekctl
+++ b/auxil/zeekctl
@@ -1 +1 @@
-Subproject commit f02f0c452c3efedc848ad48effbbe400daf1f6f7
+Subproject commit 95b048298a77bb14d2c54dcca8bb549c86eb96b9

From b56f1ab86123d622d805adfdd5421cdd00aeaf73 Mon Sep 17 00:00:00 2001
From: Tim Wojtulewicz <tim@corelight.com>
Date: Tue, 4 Jan 2022 12:11:24 -0700
Subject: [PATCH 209/210] Update rapidjson submodule to latest upstream master

---
 auxil/rapidjson | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/auxil/rapidjson b/auxil/rapidjson
index dfbe1db9da..fd3dc29a5c 160000
--- a/auxil/rapidjson
+++ b/auxil/rapidjson
@@ -1 +1 @@
-Subproject commit dfbe1db9da455552f7a9ad5d2aea17dd9d832ac1
+Subproject commit fd3dc29a5c2852df569e1ea81dbde2c412ac5051

From e0e779ade16e229b2b776e49a24fa83f103e3cdb Mon Sep 17 00:00:00 2001
From: Christian Kreibich <christian@corelight.com>
Date: Tue, 4 Jan 2022 16:17:33 -0800
Subject: [PATCH 210/210] Bump the zeek-testing-cluster testsuite

---
 testing/external/commit-hash.zeek-testing-cluster | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/testing/external/commit-hash.zeek-testing-cluster b/testing/external/commit-hash.zeek-testing-cluster
index 42d09860d4..93a321a305 100644
--- a/testing/external/commit-hash.zeek-testing-cluster
+++ b/testing/external/commit-hash.zeek-testing-cluster
@@ -1 +1 @@
-cc4e2ad8b24015849043b523f0aef00acf41d602
+a2b3414ff6cf7cc3141c11849519c58fe15727ec